CUCM/CUC 14 backup issue to a new Linux SFTP server

jeffshen1215
Level 1

CUCM and CUC are both running version 14.0.1; the backup server was a Linux RHEL 9 SFTP server on VMware. We've been asked to test a new SFTP destination. Basically it's a clone of the original one, but on the Nutanix platform. We were able to add it to CUCM and CUC; however, after a few days of successful backups, it stopped working with the error "Unable to access SFTP server. Please ensure the given path is correct".

We've verified the connection to new SFTP is still accessible

utils network connectivity x.x.x.x 22
Service accessible

The error message on SFTP is "sshd[619291]: error: kex_exchange_identification: Connection closed by remote host"

Has anyone had a similar experience, and would you please share your thoughts on the root cause?

If it's network/firewall related, which part of the logs can we look into for proof?

Brad Magnani
Cisco Employee

If it was previously working then suddenly stopped, something TLS-related may also have changed on the SFTP server side. This is usually cipher/key exchange related. You'll want to get a network capture from the CLI of CUCM or CUC, reproduce the failure, and examine what's breaking within the TLS handshake, specifically as it relates to cipher negotiation and key exchange algorithms. It's possibly some sort of network/firewall issue, but based on the error you're seeing above, it's failing to negotiate the TLS key exchange.

utils network capture file DRSTest count 100000 size all

Grab "Packet Capture Logs" component from RTMT.

Hi Brad,

Thanks for pointing me in this direction. I made another attempt (failed) at backing up to the new SFTP, and got the capture attached.

I saw the key exchange requests, and the sessions were reset a couple of times. Is there anything you would suggest digging into?

Thanks,

Without having the actual packet capture itself, it's impossible to tell just from screenshots. If you need to, you can open a TAC case and have an engineer review it for you, just for security's sake due to the sensitive information contained.

Here is my cheat sheet for making a Linux box play nice with DRS

in sshd_config:

KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1

Ciphers +aes128-cbc
# 3DES isn't supported on newer versions of DRS or in
# newer versions of OpenSSH
Ciphers +3des-cbc

Newer Ubuntu needs this:
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

Thank you Elliot,

I am not familiar with Linux, but I forwarded your comments to the administrator.

jeffshen1215
Level 1

Just to update the root cause of the issue I posted.

The SFTP ran out of space... I am not a Linux guy, so I don't know if it makes sense. When a Linux SFTP does not have enough space left, it even prevents the directory from being added as a CUCM backup device. However, that's what I experienced.
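
Added example, not part of any post in this thread: a shell pre-flight for the Linux SFTP host covering both the sshd_config cheat sheet and the disk-space root cause above. sshd_config keeps the first value it reads for each keyword, so a second `KexAlgorithms` or `Ciphers` line does not add to the first. The function names, the watched keyword list and the path and size in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the watched
# keyword list are this example's own choices.

# shadowed_sshd_opts FILE
# sshd_config keeps the FIRST value it reads for a keyword, so a repeated
# "KexAlgorithms +..." or "Ciphers +..." line is silently ignored.
# Prints one line per ignored directive in the global section of FILE.
# Limits: Included files and Match blocks are not followed; "sshd -T"
# (run as root) prints the configuration sshd actually uses.
shadowed_sshd_opts() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    { key = tolower($1) }                  # keywords are case-insensitive
    key == "match" { exit }                # stop at the first Match block
    key ~ /^(kexalgorithms|ciphers|macs|hostkeyalgorithms|pubkeyacceptedalgorithms)$/ {
      if (key in first) {
        printf "line %d ignored: %s already set on line %d\n", NR, $1, first[key]
      } else {
        first[key] = NR
      }
    }' "$1"
}

# free_kb_ok DIR NEED_KB
# Succeeds only if the filesystem holding DIR has at least NEED_KB free.
free_kb_ok() {
  avail=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
  [ "$avail" -ge "$2" ]
}

# Typical use on the SFTP host (path and size are placeholders):
#   shadowed_sshd_opts /etc/ssh/sshd_config
#   free_kb_ok /srv/drs-backups 20971520 || echo "backup volume low on space"
```

Any legacy algorithm enabled this way weakens the SSH service for every client, so it is worth confirming with `sshd -T` that only the entries the backup source actually needs are active.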