Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
659
Views
1
Helpful
6
Replies

CUCM/CUC 14 backup issue to a new Linux SFTP server

jeffshen1215
Level 1
Level 1

‎12-05-2024 11:53 AM

CUCM and CUC both running on version 14.0.1, backup server was Linux rhel9 SFTP on Vmware. We've been asked to test a new SFTP destination. Basically it's a clone of the original one, but on nutanix platform. We were able to add it to CUCM and CUC, however after few days of successful backups, it stopped working with error "Unable to access SFTP server. Please ensure the given path is correct"

We've verified the connection to new SFTP is still accessible

utils network connectivity x.x.x.x 22
Service accessible

The error message on SFTP is "sshd[619291]: error: kex_exchange_identification: Connection closed by remote host"

Does anyone had similar experience, and would you please share your thought for the root cause?

If it's network/firewall related, which part of the logs we can look into it for prove?

 

 

 

Labels:
0 Helpful
6 Replies 6

Brad Magnani
Cisco Employee
Cisco Employee

‎12-05-2024 12:45 PM

If it was previously working then suddenly stopped, something may also have changed on the SFTP server side TLS related.  This is usually cipher/key exchange related.  You'll want to get a network capture from the CLI of CUCM or CUC and reproduce the failure and examine what's breaking within the TLS handshake, specifically as it relates to cipher negotiation and key exchange algorithms.  It's possible some sort of network/firewall issue, but based on the error you're seeing above, it's failing to negotiate the TLS key exchange.

utils network capture file DRSTest count 100000 size all

Grab "Packet Capture Logs" component from RTMT.

0 Helpful

jeffshen1215
Level 1
Level 1
In response to Brad Magnani

‎12-05-2024 01:25 PM

Hi Brad,

Thanks for pointing out this direction. I did another attempt (failed) backing up to the new SFTP, and got the capture attached.

I saw the key exchange requests, and the sessions been reset couple of times. Is there anything you would suggest dig into?

Thanks,

Preview file
368 KB
0 Helpful

Brad Magnani
Cisco Employee
Cisco Employee
In response to jeffshen1215

‎12-05-2024 02:36 PM

Without having the actual packet capture itself, it's impossible to tell just from screen shots.  If you need to, you can open a TAC case and have an engineer review it for you, just for security sake due to the sensitive information contained.

0 Helpful

Elliot Dierksen
VIP
VIP

‎12-05-2024 01:03 PM

Here is my cheat sheet for making a Linux box play nice with DRS

in sshd_config:

KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1

Ciphers +aes128-cbc
# 3DES isn't supported on newer version of DRS or in
# newer versions of OpenSSH
Ciphers +3des-cbc

Newer Ubuntu needs this:
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

jeffshen1215
Level 1
Level 1
In response to Elliot Dierksen

‎12-05-2024 01:27 PM

Thank you Elliot,

I am not familiar with the Linux, but forwarded your comments to the administrator.

0 Helpful

jeffshen1215
Level 1
Level 1

‎12-19-2024 07:53 AM

Just to update the root cause of the issue I posted.

The SFTP ran out of space...I am not a Linux guy, don't know if it make sense. When a Linux SFTP has not enough space left, it even prevent the directory being add to CUCM backup device. However, that's what I experienced.

0 Helpful
Customers Also Viewed These Support Documents