IMC
cancel
Showing results for 
Search instead for 
Did you mean: 

ssh key exchange

 
vineeth-46058
Frequent Advisor

ssh key exchange

Hello,

I am trying to abckup my cisco ASA and it's getting failed.

SNMP parameters are ok 

SSH test is ok from the web interface 

Telnet is ok to

but when i see the logs on the firewall i can see an error called ssh key excahgnes fails.

what can be the couse.

 

iMC is installed on win 2008 r2 server.

10 REPLIES
LindsayHill
Honored Contributor

Re: ssh key exchange

Which version of IMC do you have? There was an issue with earlier versions of IMC, where the ASA backup adapter did correctly not handle the prompt to save a new SSH key.

Also, what file transfer type are you using?

You can also look at the imccfgbakdm logs to see what's going on.

vineeth-46058
Frequent Advisor

Re: ssh key exchange

Hello Lindsay,

i am currently using Version:-iMC PLAT 7.2 (E0403) and file transfer type TFTP.

vineeth-46058
Frequent Advisor

Re: ssh key exchange

#####################this is the error which i got in logs##########

.815 [WARNING (0)] [THREAD(6000)] [CQvDBReaderADP::~CQvDBReaderADP] Cancel current SQL when data have not be fetched out.
2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CCiscoMIBFileTransferImp::mibTransferSession] Failed to commit snmp pdu,server = 10.XX.XX.XX,filename = running_1688437152.cfg, protocol = 2(1,ftp;2,tftp)
2016-03-07 07:58:24.818 [INFO (25)] [THREAD(5924)] [CCiscoMIBFileTransferImp::collect()] mibTransferSession() return: 25
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, transfer protocol: TRANSFER_PROTOCOL_CISCO_MIB, result code: 25
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 1,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 2,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 3,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 7,result code: 12
2016-03-07 07:58:25.008 [INFO (0)] [THREAD(5924)] [CTelnetService::receiveRespond] This is username, return RT_USER
2016-03-07 07:58:25.030 [WARNING (0)] [THREAD(5932)] [CTelnetService::executeCmd] strRespond is empty.
2016-03-07 07:58:25.030 [INFO (0)] [THREAD(5932)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 10.XX.XX.XXX, telnet transfer protocol: 2,result code: 11

LindsayHill
Honored Contributor

Re: ssh key exchange

Looks like you're using Telnet + TFTP, not SSH?

You should really change that something secure.

There should be a few more related logs in imccfgbakdm, showing the output of the Expect session. But my first guess is that you don't have the right Telnet credentials defined. Note that the Telnet & SSH credentials defined on the device details page are different. So if you had defined SSH credentials, then changed the Login Type to Telnet, it would have nothing defined for Telnet.

vineeth-46058
Frequent Advisor

Re: ssh key exchange

we prefer to user ssh while backup 

yes the telnet superpassword is incorrect 

 

this is the log which i found on ASA

6|Mar 10 2016|10:08:47|315011|10.XX.XX.XX1||||SSH session from 10.XX.XX.XX on interface LAN for user XX.XX.XX" disconnected by SSH server reason: "Time-out activated" (0x3c)

LindsayHill
Honored Contributor

Re: ssh key exchange

Set your login type to SSH, and your file transfer mode to SCP.

Then get all the logs from imccfgbakdm. There should be more logs than your earlier snippets. Sometimes the logs will be a bit spread out, or appear slightly out of order.

vineeth-46058
Frequent Advisor

Re: ssh key exchange

Well i tried an alernative way i got the superpassword for telnet  on ASA and allowed telnet access it's seeams to be working and there is was issue with the adapter.xml file to.

but now the only issue is there is not startup backup it's getting failed can see only running config.

LindsayHill
Honored Contributor

Re: ssh key exchange

Using Telnet for managing your firewalls is a bad idea, but it's your network.

What problem did you have with adapter.xml? That's a very simple file, and I would not expect to see any problems with it.

What do your logs say about the failed startup config backup?

vineeth-46058
Frequent Advisor

Re: ssh key exchange

Even i fell the same there is nothing wrong with SSH it works perfect when i do a test.

but i have no idea why it's getting failed. evrey thing is perfect i can ssh from IMC server from application SNMP is perfect,

but still we are the same issue, it leaves me no chocie to use telnet to backup my firewall.

there was some OID missing in the file after updating it few firewalls started working via telnet.

i need to check the logs again what there is failure in startup config.

LindsayHill
Honored Contributor

Re: ssh key exchange


vineeth-46058 wrote:

but i have no idea why it's getting failed.


The logs will tell you. But I'm working in the dark here. If you provided more information - e.g. the logs, and the exact changes you made - I could help more. But I only know as much about your environment as you tell me, nothing more.