[rancid] New Cisco ASA Login Failure
Piegorsch, Weylin William
weylin at bu.edu
Mon Mar 5 20:36:27 UTC 2018
An interesting idea, hadn’t thought of that. Unfortunately I’m not able to noenable that device; security policy doesn’t allow direct login to superuser (for those devices that have that ability... e.g. NX-OS defaults). Here’s my entire .cloginrc, except that I’ve removed lines for individual devices and obfuscated usernames/passwords; I have no group-specific .cloginrc files.
Weylin
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
add sshcmd * {ssh\ -2}
# Defaults
add user * {xxxxxxx}
add password * {xxxxxxx} {xxxxxxx}
add method * {telnet} {ssh}
From: Bob Brunette <Bob.Brunette at cdw.com>
Date: Monday, March 5, 2018 at 3:21 PM
To: Weylin Piegorsch <weylin at bu.edu>, james machado <hvgeekwtrvl at gmail.com>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure
William,
Your easiest solution might be to turn on auto-enable on your new ASA with this:
aaa authorization exec authentication-server auto-enable
That doesn't get to the root cause of the problem, but it avoids having to enter the "enable" command and password. Can you share your .cloginrc file lines for this device? The problem may be there.
Bob Brunette
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of "Piegorsch, Weylin William" <weylin at bu.edu>
Date: Monday, March 5, 2018 at 2:09 PM
To: james machado <hvgeekwtrvl at gmail.com>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure
Thanks James. Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7. See also below.
Weylin
[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[rancid at rancid-server ~]
From: james machado <hvgeekwtrvl at gmail.com>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure
This is due to changes in the supported encryption methods in the updated IOS and ASA software. In your .cloginrc you will want to add a line:
add cyphertype <device> {encryption method}
you can find an encryption method your systems are happy with by doing the following:
ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
[...]
with my ASA's i use {aes256-ctr}.
james
On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu> wrote:
Hello,
I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly. .cloginrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).
Here’s what rancid shows:
[rancid at nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx
+------------------------------------+
| BOSTON UNIVERSITY |
+------------------------------------+
| !! WARNING !! |
| AUTHORIZED ACCESS ONLY! |
| Access to this system is permitted |
| for authorized persons only. All |
| connections are logged and |
| monitored. By accessing this |
| system, you acknowledge that use |
| of this and any other technology |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions of Use and Policy on |
| Computing Ethics; please see: |
| http://www.bu.edu/computing/ethics |
| for details. |
+------------------------------------+
rancid at xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12. Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
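The "ssh -vv" procedure James describes above, as an added example that is not part of the thread or of rancid itself: a small POSIX shell helper that parses the "debug1: kex:" lines of ssh's debug output and prints a matching .cloginrc "add cyphertype" line, so the entry is pinned to the cipher the device actually negotiated rather than to a long hand-maintained list. The sample debug output embedded below is constructed (modelled on the lines quoted in the thread), and the device names asa-new and nx9k are placeholders; nothing here talks to a real device.

```shell
#!/bin/sh
# Added example (not rancid's own code): turn the "debug1: kex:" lines of
# `ssh -vv <device>` output into a .cloginrc "add cyphertype" entry that pins
# clogin to the cipher the device negotiated. Handles both the older OpenSSH
# line layout ("kex: server->client aes128-ctr hmac-sha1 none") and the newer
# one ("kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none").

# Constructed sample of `ssh -vv` output, modelled on the lines quoted in the
# thread; it is not a real capture from any device.
SAMPLE_SSH_DEBUG='debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none'

# kex_cipher DIRECTION: read ssh -vv output on stdin and print the cipher
# negotiated for DIRECTION ("server->client" or "client->server").
kex_cipher() {
    awk -v dir="$1" '
        $2 == "kex:" && $3 == dir {
            c = $4
            if (c == "cipher:") c = $5   # newer OpenSSH layout
            print c
            exit
        }'
}

# cloginrc_cyphertype DEVICE: read ssh -vv output on stdin and print the
# .cloginrc line for DEVICE. Returns 1 if no kex lines were found, e.g. because
# the connection never reached key exchange (TCP refused, host key mismatch).
cloginrc_cyphertype() {
    dev="$1"
    out=$(cat)
    s2c=$(printf '%s\n' "$out" | kex_cipher 'server->client')
    c2s=$(printf '%s\n' "$out" | kex_cipher 'client->server')
    if [ -z "$s2c" ] || [ -z "$c2s" ]; then
        echo "no 'kex:' lines found for $dev; key exchange did not complete" >&2
        return 1
    fi
    if [ "$s2c" = "$c2s" ]; then
        printf 'add cyphertype %s {%s}\n' "$dev" "$s2c"
    else
        # asymmetric negotiation: list both so clogin can offer either
        printf 'add cyphertype %s {%s,%s}\n' "$dev" "$s2c" "$c2s"
    fi
}

# Usage against a live device: ssh writes its debug output to stderr, and the
# kex lines appear before the password prompt, so you can abort at the prompt.
#   ssh -vv <device> 2>debug.log
#   cloginrc_cyphertype <device> <debug.log >>~/.cloginrc
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SSH_DEBUG" | cloginrc_cyphertype asa-new
```

A per-device entry generated this way is more specific than the global "add cyphertype *" list in the thread, which offers 3des-cbc and the aes-cbc modes to every device; keeping the wildcard line for the old equipment and adding a pinned line for each new ASA or Nexus keeps the legacy ciphers from being offered where they are not needed. The error path matters in practice: if ssh never reaches key exchange, the helper refuses to emit an entry rather than writing an empty cipher list into .cloginrc.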