05-12-2016 01:22 PM - edited 03-10-2019 11:46 PM
Hi,
We have ISE 1.2 with a primary and secondary setup. I am having an issue completing a file backup through sftp. I created the repository in the GUI of the Primary Admin node by going to Administration>Maintenance>Repository>Add and filled out the necessary information. After saving the repository, a message popped up saying that the exec command crypto host_key add host <sftp server ip address/name> has to be issued. I did that but kept getting the message %host-key add failed. Also, when I issued the command sh repository <backup name>, I got the output below.
sh repository <backup name>
% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% SSH connect error
I also tried with our stand-alone ISE 2.0 that we will be eventually using and got the same results.
Thanks!
05-12-2016 06:11 PM
Hi,
Are you able to ping the SFTP server from ISE?
Can you try deleting the crypto key for this server?
crypto host_key delete <SFTP rep. name / IP>
Re-add the key again:
crypto host_key add host <IP>
You can also check this enhancement if it matches your issue:
https://tools.cisco.com/bugsearch/bug/CSCuw34150/?reffering_site=dumpcr
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-12-2016 07:23 PM
Aditya,
Yes, I can ping the sftp server from ISE.
I deleted the crypto key for the sftp server: host key fingerprint for sftp.x.x.x.x removed
Added the key again: %host-key add failed
Does the host key have something to do with the RSA key that is generated for the ssh connection? I am thinking about re-generating the RSA key on ISE.
Does it matter if it's an ISE-VM-K9 (ISE 1.2)? The way it was set up, the VM is the primary and the SNS-3495-K9 is the secondary.
Do you know what will happen if the commands above were issued on the secondary/SNS-3495-K9 ISE, will it break something?
The ISE 2.0 that's having the same issue is a vm too.
Thanks.
05-13-2016 09:07 AM
I have set up an sftp server on my computer for testing, had no problem adding the crypto host_key using the IP address of my computer, and made successful sftp backups for both ISE 1.2 and 2.0.
At least I know that there may be something in the server/sftp software settings (whatever our server team uses, which I will find out) that ISE doesn't like, regardless of the versions we have.
I'll update this post when the sftp backup issue on the server is resolved.
05-13-2016 03:04 PM
The sftp software I installed on my computer for testing was set for RSA and that's why it worked. As soon as the sftp server was set to DSA and RSA, it started to work too.
I want to test with the DSA, do you know the command to manually add or import the dsa key in ISE?
Thanks!
05-18-2016 06:39 AM
Just in case some of you might encounter this, below is what I did in ISE when the sftp server is only set for a DSA key.
NWPUHISTISE1/admin# ssh <sftp server name/ip> sftp
The authenticity of host '<sftp server name/ip> (sftp server name/ip)' can't be established
DSA key fingerprint is <key>
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<sftp server>' (DSA) to the list of known hosts.
Successful key exchange/rekey from <sftp server name/ip>
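Added example, not part of any post in this thread: a Python check that reads host key listings in ssh-keyscan output format, flags servers offering no ssh-rsa key (the DSA-only situation described above), and prints SHA256 fingerprints to compare out of band before answering "yes" to the authenticity prompt. It assumes the listing was captured with ssh-keyscan from an admin workstation; the hostnames and key blobs below are constructed, not real keys.

```python
import base64
import hashlib
import struct


def make_blob(alg, filler):
    """Constructed key blob: uint32 length + algorithm name + filler bytes."""
    raw = struct.pack(">I", len(alg)) + alg.encode() + filler
    return base64.b64encode(raw).decode()


# Constructed sample in ssh-keyscan format: "host keytype base64-blob".
# Hostnames and key material are made up for this example.
SAMPLE_SCAN = "\n".join([
    "# sftp-dsa-only.example.net:22 SSH-2.0-ExampleSFTPd",
    f"sftp-dsa-only.example.net ssh-dss {make_blob('ssh-dss', b'A' * 64)}",
    f"sftp-both.example.net ssh-dss {make_blob('ssh-dss', b'B' * 64)}",
    f"sftp-both.example.net ssh-rsa {make_blob('ssh-rsa', b'C' * 64)}",
    "sftp-both.example.net ssh-rsa not*base64",  # corrupted line, skipped
])


def parse_scan(text):
    """Return {host: {keytype: 'SHA256:...'}} for every well-formed line."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 3:
            continue
        host, keytype, b64 = parts
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if len(blob) < 4:
            continue
        # The blob embeds its own algorithm name; reject lines where it
        # disagrees with the advertised key type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != keytype.encode():
            continue
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        hosts.setdefault(host, {})[keytype] = fp
    return hosts


def hosts_without_rsa(hosts):
    """Hosts that offer no ssh-rsa host key (e.g. DSA-only servers)."""
    return sorted(h for h, keys in hosts.items() if "ssh-rsa" not in keys)


if __name__ == "__main__":
    scanned = parse_scan(SAMPLE_SCAN)
    for host, keys in scanned.items():
        for keytype, fp in keys.items():
            print(host, keytype, fp)
    print("no ssh-rsa key offered:", hosts_without_rsa(scanned))
```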
05-18-2016 05:03 PM
Hi,
Great the issue has been resolved.
Regards,
Aditya
Please rate helpful posts and mark correct answers.