ssh key exchange

  • 1.  ssh key exchange

    Posted Mar 07, 2016 05:56 AM

    Hello,

    I am trying to back up my Cisco ASA and it is failing.

    SNMP parameters are ok 

    SSH test is ok from the web interface 

    Telnet is ok too

    But when I look at the logs on the firewall I can see an error called ssh key exchange fails.

    What can be the cause?

     

    iMC is installed on win 2008 r2 server.


    #ssh


  • 2.  RE: ssh key exchange

    Posted Mar 07, 2016 02:59 PM

    Which version of IMC do you have? There was an issue with earlier versions of IMC, where the ASA backup adapter did not correctly handle the prompt to save a new SSH key.

    Also, what file transfer type are you using?

    You can also look at the imccfgbakdm logs to see what's going on.



  • 3.  RE: ssh key exchange

    Posted Mar 08, 2016 02:54 AM

    Hello Lindsay,

    I am currently using version iMC PLAT 7.2 (E0403) and file transfer type TFTP.



  • 4.  RE: ssh key exchange

    Posted Mar 08, 2016 03:28 AM

    This is the error which I got in the logs:

    .815 [WARNING (0)] [THREAD(6000)] [CQvDBReaderADP::~CQvDBReaderADP] Cancel current SQL when data have not be fetched out.
    2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
    2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
    2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CCiscoMIBFileTransferImp::mibTransferSession] Failed to commit snmp pdu,server = 10.XX.XX.XX,filename = running_1688437152.cfg, protocol = 2(1,ftp;2,tftp)
    2016-03-07 07:58:24.818 [INFO (25)] [THREAD(5924)] [CCiscoMIBFileTransferImp::collect()] mibTransferSession() return: 25
    2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, transfer protocol: TRANSFER_PROTOCOL_CISCO_MIB, result code: 25
    2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
    2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 1,result code: 12
    2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
    2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 2,result code: 12
    2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
    2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 3,result code: 12
    2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
    2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 7,result code: 12
    2016-03-07 07:58:25.008 [INFO (0)] [THREAD(5924)] [CTelnetService::receiveRespond] This is username, return RT_USER
    2016-03-07 07:58:25.030 [WARNING (0)] [THREAD(5932)] [CTelnetService::executeCmd] strRespond is empty.
    2016-03-07 07:58:25.030 [INFO (0)] [THREAD(5932)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 10.XX.XX.XXX, telnet transfer protocol: 2,result code: 11



  • 5.  RE: ssh key exchange

    Posted Mar 08, 2016 03:58 PM

    Looks like you're using Telnet + TFTP, not SSH?

    You should really change that to something secure.

    There should be a few more related logs in imccfgbakdm, showing the output of the Expect session. But my first guess is that you don't have the right Telnet credentials defined. Note that the Telnet & SSH credentials defined on the device details page are different. So if you had defined SSH credentials, then changed the Login Type to Telnet, it would have nothing defined for Telnet.
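
The reading in reply 5, that the failing job ran over Telnet and TFTP rather than SSH, can be checked mechanically against the imccfgbakdm excerpt in post 4. The script below is an added example, not part of the thread and not iMC code; the regular expressions are assumptions fitted to the line formats visible in that excerpt, and result codes are reported without interpretation because the thread does not define them.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in post 4, addresses masked as posted.
SAMPLE_LOG = """\
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CCiscoMIBFileTransferImp::mibTransferSession] Failed to commit snmp pdu,server = 10.XX.XX.XX,filename = running_1688437152.cfg, protocol = 2(1,ftp;2,tftp)
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, transfer protocol: TRANSFER_PROTOCOL_CISCO_MIB, result code: 25
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 1,result code: 12
2016-03-07 07:58:25.030 [INFO (0)] [THREAD(5932)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 10.XX.XX.XXX, telnet transfer protocol: 2,result code: 11
"""

CLEARTEXT = {"telnet", "ftp", "tftp"}  # transports with no encryption

# "Do file transfer" lines: optional channel word, protocol id, result code.
ATTEMPT = re.compile(
    r"Do file transfer, device ip: (?P<ip>[^,\s]+), "
    r"(?:(?P<channel>\w+) )?transfer protocol: (?P<proto>\w+),\s*"
    r"result code: (?P<code>\d+)")
# MIB transfer lines carry their own legend, e.g. "protocol = 2(1,ftp;2,tftp)".
MIB = re.compile(r"protocol = (?P<n>\d+)\((?P<legend>[^)]*)\)")


def summarize(log_text):
    """Return (attempts, cleartext): attempts maps device ip to a list of
    (channel, protocol, result_code); cleartext is the set of unencrypted
    transports the log shows in use."""
    attempts = defaultdict(list)
    cleartext = set()
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            channel = m["channel"]  # None when the line names no channel
            attempts[m["ip"]].append((channel, m["proto"], int(m["code"])))
            if channel and channel.lower() in CLEARTEXT:
                cleartext.add(channel.lower())
            continue
        m = MIB.search(line)
        if m:
            # Decode the numeric protocol using the legend printed on the line.
            legend = dict(p.split(",", 1) for p in m["legend"].split(";") if "," in p)
            name = legend.get(m["n"], m["n"])
            if name in CLEARTEXT:
                cleartext.add(name)
    return dict(attempts), cleartext


if __name__ == "__main__":
    attempts, cleartext = summarize(SAMPLE_LOG)
    for ip, tries in attempts.items():
        print(ip, tries)
    print("cleartext transports seen:", sorted(cleartext))
```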



  • 6.  RE: ssh key exchange

    Posted Mar 10, 2016 06:32 AM

    We prefer to use SSH for the backup.

    Yes, the telnet superpassword is incorrect.

     

    This is the log which I found on the ASA:

    6|Mar 10 2016|10:08:47|315011|10.XX.XX.XX1||||SSH session from 10.XX.XX.XX on interface LAN for user XX.XX.XX" disconnected by SSH server reason: "Time-out activated" (0x3c)



  • 7.  RE: ssh key exchange

    Posted Mar 10, 2016 03:33 PM

    Set your login type to SSH, and your file transfer mode to SCP.

    Then get all the logs from imccfgbakdm. There should be more logs than your earlier snippets. Sometimes the logs will be a bit spread out, or appear slightly out of order.



  • 8.  RE: ssh key exchange

    Posted Mar 11, 2016 02:55 AM

    Well, I tried an alternative way: I got the superpassword for telnet on the ASA and allowed telnet access. It seems to be working, and there was an issue with the adapter.xml file too.

    But now the only issue is that there is no startup backup; it is failing, and I can see only the running config.



  • 9.  RE: ssh key exchange

    Posted Mar 11, 2016 05:45 PM

    Using Telnet for managing your firewalls is a bad idea, but it's your network.

    What problem did you have with adapter.xml? That's a very simple file, and I would not expect to see any problems with it.

    What do your logs say about the failed startup config backup?



  • 10.  RE: ssh key exchange

    Posted Mar 12, 2016 10:51 AM

    Even I feel the same: there is nothing wrong with SSH, it works perfectly when I do a test.

    But I have no idea why it is failing. Everything is perfect: I can ssh from the IMC server and from the application, SNMP is perfect,

    but we still have the same issue; it leaves me no choice but to use telnet to back up my firewall.

    There was some OID missing in the file; after updating it, a few firewalls started working via telnet.

    I need to check the logs again to see what the failure in the startup config is.



  • 11.  RE: ssh key exchange

    Posted Mar 13, 2016 01:40 AM

    @vineeth-46058 wrote:

    but i have no idea why it's getting failed.


    The logs will tell you. But I'm working in the dark here. If you provided more information - e.g. the logs, and the exact changes you made - I could help more. But I only know as much about your environment as you tell me, nothing more.