Discussion:
[rancid] New Cisco ASA Login Failure
Piegorsch, Weylin William
2018-03-05 14:48:56 UTC
Hello,

I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly. .cloginrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).

Here’s what rancid shows:

[***@nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[***@nsgv-prod-59 ~]$
[***@nsgv-prod-59 ~]$
[***@nsgv-prod-59 ~]$
[***@nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx

+------------------------------------+
| BOSTON UNIVERSITY |
+------------------------------------+
| !! WARNING !! |
| AUTHORIZED ACCESS ONLY! |
| Access to this system is permitted |
| for authorized persons only. All |
| connections are logged and |
| monitored. By accessing this |
| system, you acknowledge that use |
| of this and any other technology |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions of Use and Policy on |
| Computing Ethics; please see: |
| http://www.bu.edu/computing/ethics |
| for details. |
+------------------------------------+

***@xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12. Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:
heasley
2018-03-05 17:40:54 UTC
A fix for this will be in the next version. You can grab clogin from
http://rancid.shrubbery.net/rancid/svn/rancid/trunk/rancid/ or the alpha
from ftp://ftp.shrubbery.net/pub/rancid/alpha/
Piegorsch, Weylin William
2018-03-05 20:09:48 UTC
Got it; thanks Heasley. I'll poke around on it.
weylin
Piegorsch, Weylin William
2018-03-05 20:09:15 UTC
Thanks James. Except, I can get the login prompt fine, which means the SSH cipher suite negotiated well enough; and I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7. See also below.
Weylin

[***@rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[***@rancid-server ~]

From: james machado <***@gmail.com>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <***@bu.edu>
Cc: "rancid-***@shrubbery.net" <rancid-***@shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated IOS and ASA software. In your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

You can find an encryption method your systems are happy with by doing the following:

ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]

With my ASAs I use {aes256-ctr}.

james


_______________________________________________
Rancid-discuss mailing list
Rancid-***@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
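As an added example (not code from this thread or from rancid), here is a small Python parser for the `ssh -vv` lines James quotes above: it pulls the cipher and MAC negotiated in each direction, builds the matching `.cloginrc` `add cyphertype` line, and checks whether an existing cyphertype list already covers what the device negotiated, which is the check Weylin makes by hand when he notes that the login prompt appeared. The debug output is constructed; it mirrors the older OpenSSH line format shown in the thread and also accepts the newer `cipher: ... MAC: ... compression: ...` format. The hostname `asa-new-01` is a placeholder.

```python
import re

# Constructed "ssh -vv" excerpts. The first mirrors the older OpenSSH format
# quoted in the thread; the second is the newer format with labelled fields.
SSH_VV_OLD = """\
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
"""
SSH_VV_NEW = """\
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
"""

# Newer format first: its field labels would never satisfy the older three-token form.
KEX_NEW = re.compile(r"^debug1: kex: (server->client|client->server) "
                     r"cipher: (\S+) MAC: (\S+) compression: (\S+)$")
KEX_OLD = re.compile(r"^debug1: kex: (server->client|client->server) (\S+) (\S+) (\S+)$")

def negotiated(debug_output):
    """{direction: (cipher, mac)} taken from the 'debug1: kex:' lines."""
    found = {}
    for line in debug_output.splitlines():
        m = KEX_NEW.match(line) or KEX_OLD.match(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found

def cyphertype_line(host_glob, debug_output):
    """The .cloginrc line that limits clogin to the cipher(s) the device actually negotiated."""
    ciphers = sorted({cipher for cipher, _ in negotiated(debug_output).values()})
    if not ciphers:
        raise ValueError("no 'debug1: kex:' lines in the output")
    return "add cyphertype %s {%s}" % (host_glob, ",".join(ciphers))

def cyphertype_covers(cyphertype_value, debug_output):
    """True if every negotiated cipher is already in the given {a,b,c} cyphertype list."""
    allowed = set(cyphertype_value.strip("{}").split(","))
    ciphers = {cipher for cipher, _ in negotiated(debug_output).values()}
    return bool(ciphers) and ciphers <= allowed

# The cyphertype list Weylin posted, as quoted in this message.
POSTED_LIST = "{aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}"

if __name__ == "__main__":
    print(cyphertype_line("asa-new-01", SSH_VV_OLD))
    print("posted list covers the old-format session:", cyphertype_covers(POSTED_LIST, SSH_VV_OLD))
    print("a single-cipher list covers the new session:", cyphertype_covers("{aes128-ctr}", SSH_VV_NEW))
```

If `cyphertype_covers` returns True for the device in question, the cipher list is not the problem and the failure lies later in the login exchange, which is the situation this thread ends up in. When you do write a cyphertype line, prefer the CTR entries over the CBC and 3DES ones in the posted list; the latter are only there for the oldest devices.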
Bob Brunette
2018-03-05 20:20:28 UTC
William,
Your easiest solution might be to turn on auto-enable on your new ASA with this:
aaa authorization exec authentication-server auto-enable

That doesn't get to the root cause of the problem, but it avoids having to enter the "enable" command and password. Can you share your .cloginrc file lines for this device? The problem may be there.

Bob Brunette

Piegorsch, Weylin William
2018-03-05 20:36:27 UTC
An interesting idea, hadn’t thought of that. Unfortunately I’m not able to noenable that device; security policy doesn’t allow direct login to superuser (for those devices that have that ability... e.g. NX-OS defaults). Here’s my entire .cloginrc, except that I’ve removed lines for individual devices, and obfuscated usernames/passwords; I have no group-specific .cloginrc files.
Weylin

#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
add sshcmd * {ssh\ -2}

# Defaults
add user * {xxxxxxx}
add password * {xxxxxxx} {xxxxxxx}
add method * {telnet} {ssh}
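Bob asked which `.cloginrc` lines apply to this device. As an added example (not rancid's own code), the Python below resolves the `add` entries `clogin` would use for a given hostname, assuming the `.cloginrc` rule that entries are scanned in file order and the first glob match for a directive wins, with `*`/`?` globs. The file is constructed from the fragment posted above plus two hypothetical `asa-new-01.example.net` lines, placed above the `*` defaults to show that a more specific entry takes precedence; it also flags the CBC-mode entries in the default cipher list.

```python
import fnmatch
import re

# Constructed .cloginrc modelled on the fragment posted above. The two
# asa-new-01 lines are hypothetical, added to show that a specific entry
# placed above the "*" defaults wins; hostnames and credentials are placeholders.
SAMPLE_CLOGINRC = r"""
# hypothetical device-specific entries: these must sit above the * defaults
add method     asa-new-01.example.net {ssh} {telnet}
add cyphertype asa-new-01.example.net {aes256-ctr}

# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
add sshcmd * {ssh\ -2}

# Defaults
add user * {xxxxxxx}
add password * {xxxxxxx} {xxxxxxx}
add method * {telnet} {ssh}
"""

ADD_LINE = re.compile(r"^\s*add\s+(\S+)\s+(\S+)\s+(.*?)\s*$")
# A value is either a {brace group} (backslash escapes allowed inside) or a bare word.
VALUE = re.compile(r"\{((?:\\.|[^{}])*)\}|(\S+)")

def parse_values(raw):
    vals = []
    for m in VALUE.finditer(raw):
        v = m.group(1) if m.group(1) is not None else m.group(2)
        vals.append(v.replace("\\ ", " "))   # "ssh\ -2" -> "ssh -2"
    return vals

def parse_cloginrc(text):
    """Return [(directive, glob, [values]), ...] in file order, comments skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ADD_LINE.match(line)
        if not m:
            raise ValueError("cannot parse .cloginrc line: %r" % line)
        entries.append((m.group(1), m.group(2), parse_values(m.group(3))))
    return entries

def resolve(entries, directive, host):
    """First entry whose glob matches the host wins (assumed .cloginrc order rule)."""
    for d, glob, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, glob):
            return values
    return None

DIRECTIVES = ("user", "password", "method", "cyphertype", "sshcmd")

def login_profile(text, host):
    """Everything clogin would use for this host, directive by directive."""
    entries = parse_cloginrc(text)
    return {d: resolve(entries, d, host) for d in DIRECTIVES}

def cbc_ciphers(cyphertype_values):
    """CBC-mode (including 3DES) entries in a cyphertype list; the weak ones worth pruning."""
    if not cyphertype_values:
        return []
    return [c for c in cyphertype_values[0].split(",") if c.endswith("-cbc")]

if __name__ == "__main__":
    for host in ("asa-new-01.example.net", "old-switch-07.example.net"):
        prof = login_profile(SAMPLE_CLOGINRC, host)
        print(host, prof, "weak ciphers:", cbc_ciphers(prof["cyphertype"]))
```

Running it for the hypothetical ASA shows `method` resolving to `{ssh} {telnet}` and `cyphertype` to `{aes256-ctr}`, while any other host falls through to the `*` defaults with the telnet-first method order that the original post describes.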


james machado
2018-03-06 00:17:29 UTC
That's what I get for replying too soon. It looks like you're getting hit
with the "last login" item that came up on the list in January.
http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010020.html

James
Piegorsch, Weylin William
2018-03-06 12:58:37 UTC
Aw snap! I even replied to that thread :-(
http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010021.html

Thanks for pointing this out.

weylin

o***@LEFerguson.com
2018-03-06 14:36:37 UTC
I just got hit by this also on a 5506-X. I turned off the login history for now, but I saw back in January a proposed patch; did that work out? (I guess I could try it, but it's always nice to know if it worked, and if it might be destined for incorporation?)

Linwood


heasley
2018-03-06 17:16:31 UTC
I've already replied to this thread pointing to source w/ the patch. I
have nothing to test it against, but it's broken nothing that I do have.
o***@LEFerguson.com
2018-03-06 22:12:22 UTC
(Sorry, I replied to this initially with a different account, if that's sitting in a moderation queue it can be deleted)
OK, I was just being lazy to see if someone had tested it. I just patched mine, reset my ASA (the setting, if anyone doesn't have it, is [no] aaa authentication login-history), and did a rancid-run, and it worked fine.

So yes, that seems to work, and did not break anything else (though this system only has about 4 types of late-model Ciscos, so it is hardly a comprehensive test).

Thank you for the patch.

Linwood
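The thread's diagnosis is that the ASA 9.8 login-history banner, whose lines contain the text `login:`, is being taken for a username prompt by the login automation, which then sends the username `rancid` at the exec prompt, exactly what the original transcript shows. As an added example (not part of the thread or of rancid), this Python triage routine runs that check over a session log: it looks for the history banner after a successful login, tests whether the banner text would satisfy a naive `login:` / `Username:` prompt pattern (an illustrative pattern, not clogin's real expression), and reports any exec-prompt line where the configured username was sent as a command. Both session logs are constructed from the transcript in this thread with placeholder hostnames; the second shows the same device after `no aaa authentication login-history`, the workaround Linwood names.

```python
import re

# Constructed session log modelled on the clogin transcript quoted in this thread.
SESSION_BROKEN = """\
spawn ssh -2 -c aes128-ctr,aes256-ctr -x -l rancid asa-new-01
rancid@asa-new-01's password:
User rancid logged in to asa-new-01
Logins over the last 2 days: 12. Last login: 08:39:20 EST Mar 5 2018 from 10.0.0.5
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
asa-new-01/pri/act> rancid
^
ERROR: % Invalid input detected at '^' marker.
asa-new-01/pri/act> en
Error: Unrecognized command, check your enable command
"""

# Constructed log of the same device after "no aaa authentication login-history".
SESSION_OK = """\
spawn ssh -2 -c aes128-ctr,aes256-ctr -x -l rancid asa-new-01
rancid@asa-new-01's password:
User rancid logged in to asa-new-01
Type help or '?' for a list of available commands.
asa-new-01/pri/act> enable
Password:
asa-new-01/pri/act# terminal pager 0
"""

# The two ASA login-history banner lines; both carry the text "login:".
HISTORY_LINE = re.compile(r"^(Logins over the last \d+ days:|Failed logins since the last login:)")
# An illustrative username-prompt pattern of the kind login automation waits for.
# This is NOT clogin's real expression, only the shape of pattern the banner fools.
NAIVE_USER_PROMPT = re.compile(r"login:|[Uu]sername:")
# "<host>[/pri/act]> <text>" or "# <text>": <text> is what the automation sent.
EXEC_PROMPT = re.compile(r"^(\S+?)(/\S+)?[>#] (.*)$")

def spawned_user(session):
    """Username handed to 'ssh -l' on the spawn line, or None."""
    m = re.search(r"^spawn ssh .* -l (\S+)", session, re.M)
    return m.group(1) if m else None

def triage(session):
    """Classify a session log for the login-history banner / prompt confusion."""
    user = spawned_user(session)
    authenticated = False
    history_lines = 0
    banner_looks_like_prompt = False
    misfired = []
    for line in session.splitlines():
        if line.startswith("User ") and " logged in to " in line:
            authenticated = True
            continue
        if authenticated and HISTORY_LINE.match(line):
            history_lines += 1
            banner_looks_like_prompt |= bool(NAIVE_USER_PROMPT.search(line))
            continue
        m = EXEC_PROMPT.match(line)
        if authenticated and m and m.group(3) == user:
            misfired.append(line)   # username typed at the exec prompt
    if history_lines and misfired:
        verdict = "login-history banner misread as a login prompt"
        remedy = ("disable the banner with 'no aaa authentication login-history' "
                  "on the ASA, or run a clogin that carries the login-history fix")
    elif history_lines:
        verdict = "login-history banner present; automation coped"
        remedy = None
    else:
        verdict = "no login-history banner"
        remedy = None
    return {"user": user, "history_lines": history_lines,
            "banner_looks_like_prompt": banner_looks_like_prompt,
            "misfired": misfired, "verdict": verdict, "remedy": remedy}

if __name__ == "__main__":
    for name, log in (("broken", SESSION_BROKEN), ("fixed", SESSION_OK)):
        print(name, triage(log))
```

Run over `rancid`'s clogin output (for example the `clogin <host>` capture shown at the top of the thread), the verdict distinguishes this failure from the cipher-negotiation problem James first suspected: a cipher mismatch never reaches the `User ... logged in to` line at all.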
d***@keystonenap.com
2018-03-06 00:03:03 UTC
I use add cyphertype <device> aes256-cbc for all of our ASA-5*-X models, and it works.

