12-05-2024 11:53 AM
CUCM and CUC are both running on version 14.0.1; the backup server was a Linux RHEL 9 SFTP server on VMware. We've been asked to test a new SFTP destination. Basically it's a clone of the original one, but on the Nutanix platform. We were able to add it to CUCM and CUC; however, after a few days of successful backups, it stopped working with the error "Unable to access SFTP server. Please ensure the given path is correct".
We've verified that the new SFTP server is still accessible:
utils network connectivity x.x.x.x 22
Service accessible
The error message on SFTP is "sshd[619291]: error: kex_exchange_identification: Connection closed by remote host"
Has anyone had a similar experience, and would you please share your thoughts on the root cause?
If it's network/firewall related, which part of the logs can we look into for proof?
12-05-2024 12:45 PM
If it was previously working then suddenly stopped, something TLS related may also have changed on the SFTP server side. This is usually cipher/key exchange related. You'll want to get a network capture from the CLI of CUCM or CUC, reproduce the failure, and examine what's breaking within the TLS handshake, specifically as it relates to cipher negotiation and key exchange algorithms. It's possibly some sort of network/firewall issue, but based on the error you're seeing above, it's failing to negotiate the TLS key exchange.
utils network capture file DRSTest count 100000 size all
Grab "Packet Capture Logs" component from RTMT.
12-05-2024 01:25 PM
12-05-2024 02:36 PM
Without having the actual packet capture itself, it's impossible to tell just from screenshots. If you need to, you can open a TAC case and have an engineer review it for you, just for security's sake due to the sensitive information contained.
12-05-2024 01:03 PM
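Here is my cheat sheet for making a Linux box play nice with DRS.
in sshd_config:
# sshd uses only the first line it finds for each keyword, so all
# additions for one keyword go on a single comma-separated line.
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Ciphers +aes128-cbc
# 3DES isn't supported on newer versions of DRS or in
# newer versions of OpenSSH; where it is still needed,
# append it to the Ciphers line above instead:
# Ciphers +aes128-cbc,3des-cbc
Newer Ubuntu needs this:
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa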
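An added example (not part of the post above and not Cisco tooling): a shell check of the effective sshd settings against the algorithms named in the cheat sheet. sshd uses only the first value it reads for each keyword, so a second "KexAlgorithms +..." line is ignored, and `sshd -T` shows what actually took effect. The function names and the sample dump are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: names below are this example's own, not from the thread.

# missing_algos KEYWORD REQUIRED DUMP
#   KEYWORD  - keyword as printed by `sshd -T` (lowercase), e.g. kexalgorithms
#   REQUIRED - comma-separated algorithms that must be present
#   DUMP     - full text of `sshd -T` output
# Prints the required algorithms that are absent, comma-separated (empty if none).
missing_algos() {
    local keyword required dump effective algo missing IFS
    keyword=$1; required=$2; dump=$3; missing=""
    # sshd -T prints one "keyword value" line per setting; take the first match.
    effective=$(printf '%s\n' "$dump" | awk -v k="$keyword" '$1 == k { print $2; exit }')
    IFS=,
    for algo in $required; do
        # Wrap both sides in commas so ...-sha1 never matches ...-sha256.
        case ",$effective," in
            *",$algo,"*) ;;
            *) missing="${missing:+$missing,}$algo" ;;
        esac
    done
    printf '%s' "$missing"
}

# Constructed sample of `sshd -T` output (not from a real server). It mimics a
# config with two "KexAlgorithms +..." lines where only the first took effect.
SAMPLE_DUMP='port 22
ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes128-cbc
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# report DUMP: one line per keyword from the cheat sheet, "ok" or what is missing.
report() {
    local dump kw want gap
    dump=$1
    while read -r kw want; do
        gap=$(missing_algos "$kw" "$want" "$dump")
        printf '%s: %s\n' "$kw" "${gap:+missing }${gap:-ok}"
    done <<'EOF'
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
ciphers aes128-cbc
hostkeyalgorithms ssh-rsa
EOF
}

# On the SFTP server itself (as root): report "$(sshd -T)"
report "$SAMPLE_DUMP"
```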
12-05-2024 01:27 PM
Thank you Elliot,
I am not familiar with Linux, but I forwarded your comments to the administrator.
12-19-2024 07:53 AM
Just to update the root cause of the issue I posted.
The SFTP ran out of space... I am not a Linux guy, so I don't know if it makes sense. When a Linux SFTP does not have enough space left, it even prevents the directory from being added to the CUCM backup device. However, that's what I experienced.