[rancid] New Cisco ASA Login Failure

Piegorsch, Weylin William weylin at bu.edu
Mon Mar 5 20:09:15 UTC 2018


Thanks James.  Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7.  See also below.
Weylin


[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc



#

# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later

# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html

# This also works fine for all other campus devices

# 22 Sep 2015

#

add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}

[rancid at rancid-server ~]


From: james machado <hvgeekwtrvl at gmail.com>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated IOS's and ASA softwares.  in your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

you can find an encryption method your systems are happy with by doing the following:

ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]

with my ASA's i use {aes256-ctr}.

james


On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Hello,

I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly.  Clogincrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).

Here’s what rancid shows:



[rancid at nsgv-prod-59 ~]$ rancid -V

rancid 3.4.1

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx

xxxxxxxxxx

spawn telnet xxxxxxxxxx

Trying yyyyyyy...

telnet: connect to address yyyyyyy: Connection refused

spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx



+------------------------------------+

|         BOSTON UNIVERSITY          |

+------------------------------------+

|         !!   WARNING   !!          |

|       AUTHORIZED ACCESS ONLY!      |

| Access to this system is permitted |

| for authorized  persons only.  All |

| connections    are    logged   and |

| monitored.    By   accessing  this |

| system,  you  acknowledge that use |

| of  this and  any other technology |

| at Boston University is subject to |

| the terms of the Boston University |

| Conditions  of  Use and  Policy on |

| Computing  Ethics;   please   see: |

| http://www.bu.edu/computing/ethics |

| for details.                       |

+------------------------------------+



rancid at xxxxxxxxxx 's password:

User rancid logged in to xxxxxxxxxx

Logins over the last 2 days: 12.  Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

xxxxxxxxxx/pri/act> rancid

                           ^

ERROR: % Invalid input detected at '^' marker.

xxxxxxxxxx/pri/act> en

Error: Unrecognized command, check your enable command

able

Password:

Password:


_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20180305/c3c3fdc3/attachment.html>


More information about the Rancid-discuss mailing list