[rancid] New Cisco ASA Login Failure
Piegorsch, Weylin William
weylin at bu.edu
Mon Mar 5 20:09:15 UTC 2018
Thanks James. Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7. See also below.
Weylin
[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[rancid at rancid-server ~]
From: james machado <hvgeekwtrvl at gmail.com>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure
This is due to changes in the supported encryption methods in the updated IOS and ASA software. In your .cloginrc you will want to add a line:
add cyphertype <device> {encryption method}
you can find an encryption method your systems are happy with by doing the following:
ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]
With my ASAs I use {aes256-ctr}.
james
On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu> wrote:
Hello,
I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly. .cloginrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).
Here’s what rancid shows:
[rancid at nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx
+------------------------------------+
| BOSTON UNIVERSITY |
+------------------------------------+
| !! WARNING !! |
| AUTHORIZED ACCESS ONLY! |
| Access to this system is permitted |
| for authorized persons only. All |
| connections are logged and |
| monitored. By accessing this |
| system, you acknowledge that use |
| of this and any other technology |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions of Use and Policy on |
| Computing Ethics; please see: |
| http://www.bu.edu/computing/ethics |
| for details. |
+------------------------------------+
rancid at xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12. Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:
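James's approach above (read the cipher the device actually negotiates from `ssh -vv` output and turn it into a `.cloginrc` `add cyphertype` line) as an added Python example; this is not code from the thread or from rancid. The debug lines are constructed from the ones James quoted, the device name `asa-5506x` is a placeholder, and the newer `cipher:` line format is handled as well so the script also works with OpenSSH 7.x and later.

```python
import re

# Constructed sample of `ssh -vv <device>` output, modelled on the lines
# quoted in the thread; not a real capture from any device.
SAMPLE_SSH_DEBUG = """\
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
"""

# Older OpenSSH prints "kex: <dir> <cipher> <mac> <compression>";
# OpenSSH 7.x and later print "kex: <dir> cipher: <cipher> MAC: ...".
KEX_LINE = re.compile(
    r"^debug1: kex: (?P<dir>server->client|client->server) "
    r"(?:cipher: )?(?P<cipher>\S+)"
)

# CBC/3DES entries from the thread's cyphertype list; worth flagging if a
# device still negotiates one of them instead of a CTR cipher.
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}


def negotiated_ciphers(debug_output: str) -> dict:
    """Map each direction to the cipher the kex debug lines report."""
    found = {}
    for line in debug_output.splitlines():
        m = KEX_LINE.match(line.strip())
        if m:
            found[m.group("dir")] = m.group("cipher")
    return found


def legacy_ciphers(ciphers) -> list:
    """Return the CBC/3DES ciphers among `ciphers`, preserving order."""
    return [c for c in ciphers if c in LEGACY_CIPHERS]


def cloginrc_cyphertype(debug_output: str, device: str = "*") -> str:
    """Build the .cloginrc line for what the device actually negotiated."""
    ciphers = negotiated_ciphers(debug_output)
    if len(ciphers) != 2:
        raise ValueError("no complete kex negotiation found in debug output")
    ordered = []  # de-duplicate, server->client first
    for direction in ("server->client", "client->server"):
        if ciphers[direction] not in ordered:
            ordered.append(ciphers[direction])
    return "add cyphertype %s {%s}" % (device, ",".join(ordered))


if __name__ == "__main__":
    print(cloginrc_cyphertype(SAMPLE_SSH_DEBUG, "asa-5506x"))
```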