Re: ssh key exchange

vineeth-46058 · ‎03-07-2016

Hello,

I am trying to abckup my cisco ASA and it's getting failed.

SNMP parameters are ok

SSH test is ok from the web interface

Telnet is ok to

but when i see the logs on the firewall i can see an error called ssh key excahgnes fails.

what can be the couse.

iMC is installed on win 2008 r2 server.

LindsayHill · ‎03-07-2016

Which version of IMC do you have? There was an issue with earlier versions of IMC, where the ASA backup adapter did correctly not handle the prompt to save a new SSH key.

Also, what file transfer type are you using?

You can also look at the imccfgbakdm logs to see what's going on.

__
@northlandboy

vineeth-46058 · ‎03-07-2016

Hello Lindsay,

i am currently using Version:-iMC PLAT 7.2 (E0403) and file transfer type TFTP.

vineeth-46058 · ‎03-08-2016

#####################this is the error which i got in logs##########

.815 [WARNING (0)] [THREAD(6000)] [CQvDBReaderADP::~CQvDBReaderADP] Cancel current SQL when data have not be fetched out.
2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
2016-03-07 07:58:24.818 [INFO (-1)] [THREAD(5924)] [CSnmpOper::iCommitOper] writecommunity is empty for snmpv1/2 set operation.->[194.XX.XX.XX]
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CCiscoMIBFileTransferImp::mibTransferSession] Failed to commit snmp pdu,server = 10.XX.XX.XX,filename = running_1688437152.cfg, protocol = 2(1,ftp;2,tftp)
2016-03-07 07:58:24.818 [INFO (25)] [THREAD(5924)] [CCiscoMIBFileTransferImp::collect()] mibTransferSession() return: 25
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, transfer protocol: TRANSFER_PROTOCOL_CISCO_MIB, result code: 25
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 1,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 2,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 3,result code: 12
2016-03-07 07:58:24.818 [ERROR (-1)] [THREAD(5924)] [CFileTransferIf::doFileTransfer] not support,type = 2
2016-03-07 07:58:24.818 [INFO (0)] [THREAD(5924)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 194.XX.XX.XX, telnet transfer protocol: 7,result code: 12
2016-03-07 07:58:25.008 [INFO (0)] [THREAD(5924)] [CTelnetService::receiveRespond] This is username, return RT_USER
2016-03-07 07:58:25.030 [WARNING (0)] [THREAD(5932)] [CTelnetService::executeCmd] strRespond is empty.
2016-03-07 07:58:25.030 [INFO (0)] [THREAD(5932)] [CFileTransferTask::transferFileEx] Do file transfer, device ip: 10.XX.XX.XXX, telnet transfer protocol: 2,result code: 11

LindsayHill · ‎03-08-2016

Looks like you're using Telnet + TFTP, not SSH?

You should really change that something secure.

There should be a few more related logs in imccfgbakdm, showing the output of the Expect session. But my first guess is that you don't have the right Telnet credentials defined. Note that the Telnet & SSH credentials defined on the device details page are different. So if you had defined SSH credentials, then changed the Login Type to Telnet, it would have nothing defined for Telnet.

__
@northlandboy

vineeth-46058 · ‎03-10-2016

we prefer to user ssh while backup

yes the telnet superpassword is incorrect

this is the log which i found on ASA

6|Mar 10 2016|10:08:47|315011|10.XX.XX.XX1||||SSH session from 10.XX.XX.XX on interface LAN for user XX.XX.XX" disconnected by SSH server reason: "Time-out activated" (0x3c)

LindsayHill · ‎03-10-2016

Set your login type to SSH, and your file transfer mode to SCP.

Then get all the logs from imccfgbakdm. There should be more logs than your earlier snippets. Sometimes the logs will be a bit spread out, or appear slightly out of order.

__
@northlandboy

vineeth-46058 · ‎03-10-2016

Well i tried an alernative way i got the superpassword for telnet on ASA and allowed telnet access it's seeams to be working and there is was issue with the adapter.xml file to.

but now the only issue is there is not startup backup it's getting failed can see only running config.

LindsayHill · ‎03-11-2016

Using Telnet for managing your firewalls is a bad idea, but it's your network.

What problem did you have with adapter.xml? That's a very simple file, and I would not expect to see any problems with it.

What do your logs say about the failed startup config backup?

__
@northlandboy

vineeth-46058 · ‎03-12-2016

Even i fell the same there is nothing wrong with SSH it works perfect when i do a test.

but i have no idea why it's getting failed. evrey thing is perfect i can ssh from IMC server from application SNMP is perfect,

but still we are the same issue, it leaves me no chocie to use telnet to backup my firewall.

there was some OID missing in the file after updating it few firewalls started working via telnet.

i need to check the logs again what there is failure in startup config.

LindsayHill · ‎03-12-2016

@vineeth-46058 wrote:
but i have no idea why it's getting failed.

The logs will tell you. But I'm working in the dark here. If you provided more information - e.g. the logs, and the exact changes you made - I could help more. But I only know as much about your environment as you tell me, nothing more.

__
@northlandboy