
ISE 1.2 File Backup issue - %host-key add failed

agapitca19
Level 1

Hi,

We have ISE 1.2 with primary and secondary setup. I am having an issue completing a file backup through sftp. I created the repository on the GUI of the Primary Admin node by going to Administration > Maintenance > Repository > Add and filled out the necessary information. After saving the repository, a message popped up saying that the exec command crypto host_key add host <sftp server ip address/name> has to be issued. I did that but kept getting the message %host-key add failed. Also, when I issued the command sh repository <backup name>, I got the output below.

sh repository <backup name>

% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% SSH connect error

I also tried with our stand-alone ISE 2.0 that we will be eventually using and got the same results.

Thanks!


Aditya Ganjoo
Cisco Employee

Hi,

Are you able to ping the SFTP server from ISE?

Can you try deleting the crypto key for this server?

crypto host_key delete <SFTP rep. name / IP>

Re-add the key again:

crypto host_key add host <IP>

You can also check this enhancement if it matches your issue:

https://tools.cisco.com/bugsearch/bug/CSCuw34150/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya,

Yes, I can ping the sftp server from ISE

I deleted the crypto key for the sftp server: host key fingerprint for sftp.x.x.x.x removed

Add the key again: %host-key add failed

Does the host key have something to do with the rsa key that is generated for ssh connection? I am thinking if I re-generate the rsa key on ISE.

Does it matter if it's an ISE-VM-K9 (ISE 1.2)? The way it was set up, the vm is the primary and SNS-3495-K9 is secondary.

Do you know what will happen if the commands above were issued on the secondary/SNS-3495-K9 ISE, will it break something?

The ISE 2.0 that's having the same issue is a vm too.

Thanks.

I have set up an sftp server on my computer for testing, got no problem adding crypto host_key using the ip address of my computer, and made successful sftp backups for both ISE 1.2 and 2.0.

At least I know that there may be something on the server/sftp software settings (whatever our server team uses, which I will find out) that ISE doesn't like regardless of the versions we have.

I'll update this post when the sftp backup issue on the server is resolved.

The sftp software I installed on my computer for testing was set for RSA and that's why it worked. As soon as the sftp server was set to DSA and RSA, it started to work too.

I want to test with the DSA, do you know the command to manually add or import the dsa key in ISE? 

Thanks! 

Just in case some of you might encounter this, below is what I did in ISE when sftp server is only set for DSA key.

NWPUHISTISE1/admin# ssh <sftp server name/ip> sftp

The authenticity of host '<sftp server name/ip> (sftp server name/ip)' can't be established

DSA key fingerprint is <key>

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '<sftp server>' (DSA) to the list of known hosts.

Successful key exchange/rekey from <sftp server name/ip>
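
An added example, not part of the original thread: a small Python check that reads host key lines in the `host keytype base64` format used by `known_hosts` and `ssh-keyscan`, lists which key types each SFTP server offers, flags servers with no `ssh-rsa` key (the DSA-only situation described above), and computes the fingerprints to compare with the one shown in the `ssh` prompt before answering yes. Hostnames and key blobs are constructed for the example, and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def _blob(key_type, filler):
    """Constructed (not real) key blob: 4-byte length, type name, filler bytes."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type + filler).decode()


# Constructed sample in "host keytype base64" format; hosts and keys are made up.
SAMPLE = "\n".join([
    "# constructed sample",
    f"sftp-a.example ssh-rsa {_blob(b'ssh-rsa', b'A' * 64)}",
    f"sftp-a.example ssh-dss {_blob(b'ssh-dss', b'B' * 64)}",
    f"sftp-b.example ssh-dss {_blob(b'ssh-dss', b'C' * 64)}",
    f"sftp-c.example ssh-rsa {_blob(b'ssh-dss', b'D' * 64)}",  # label/blob mismatch
])


def parse_keys(text):
    """Return {host: {key_type: (sha256_fp, md5_fp)}} for well-formed lines."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        host, label, b64 = parts[:3]
        types = hosts.setdefault(host, {})
        try:
            raw = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", raw[:4])
        except (ValueError, struct.error):
            continue  # not base64, or too short to hold a type field
        if raw[4:4 + n] != label.encode():
            continue  # the blob's embedded type disagrees with the line's label
        sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
        hexd = hashlib.md5(raw).hexdigest()
        md5 = ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
        types[label] = ("SHA256:" + sha, md5)
    return hosts


def hosts_without_rsa(hosts):
    """Hosts that offered no valid ssh-rsa key (DSA-only or malformed entries)."""
    return sorted(h for h, t in hosts.items() if "ssh-rsa" not in t)


if __name__ == "__main__":
    found = parse_keys(SAMPLE)
    for host, types in found.items():
        for kind, (sha, md5) in types.items():
            print(host, kind, sha, md5)
    print("no RSA host key:", hosts_without_rsa(found))
```

Older SSH clients print the colon-separated MD5 form and newer ones the `SHA256:` form, so both are computed for the comparison.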

Hi,

Great, the issue has been resolved.

Regards,

Aditya
