[rancid] New Cisco ASA Login Failure

doug.hughes at keystonenap.com doug.hughes at keystonenap.com
Tue Mar 6 00:03:03 UTC 2018


I use add cyphertype <device> aes256-cbc for all of our ASA-5*-X models, and it works.


Sent from my android device.

-----Original Message-----
From: james machado <hvgeekwtrvl at gmail.com>
To: "Piegorsch, Weylin William" <weylin at bu.edu>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Sent: Mon, 05 Mar 2018 18:31
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated
IOS and ASA software.  In your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

You can find an encryption method your systems are happy with by doing the
following:

ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]

With my ASAs I use {aes256-ctr}.

james


On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu>
wrote:

> Hello,
>
> I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20
> version), that rancid’s not logging into properly.  .cloginrc is set to
> method {telnet ssh} because there’s a plethora of really really old devices
> that hang when I try the other way around (and we haven’t been funded to
> refresh them nor authorized to remove them).
>
> Here’s what rancid shows:
>
> [rancid at nsgv-prod-59 ~]$ rancid -V
> rancid 3.4.1
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
> xxxxxxxxxx
> spawn telnet xxxxxxxxxx
> Trying yyyyyyy...
> telnet: connect to address yyyyyyy: Connection refused
> spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
> -x -l rancid xxxxxxxxxx
>
> +------------------------------------+
> |         BOSTON UNIVERSITY          |
> +------------------------------------+
> |         !!   WARNING   !!          |
> |       AUTHORIZED ACCESS ONLY!      |
> | Access to this system is permitted |
> | for authorized  persons only.  All |
> | connections    are    logged   and |
> | monitored.    By   accessing  this |
> | system,  you  acknowledge that use |
> | of  this and  any other technology |
> | at Boston University is subject to |
> | the terms of the Boston University |
> | Conditions  of  Use and  Policy on |
> | Computing  Ethics;   please   see: |
> | http://www.bu.edu/computing/ethics |
> | for details.                       |
> +------------------------------------+
>
> rancid at xxxxxxxxxx 's password:
> User rancid logged in to xxxxxxxxxx
> Logins over the last 2 days: 12.  Last login: 08:39:20 EST Mar 5 2018
> from zzzzzzz
> Failed logins since the last login: 0.
> Type help or '?' for a list of available commands.
> xxxxxxxxxx/pri/act> rancid
>                            ^
> ERROR: % Invalid input detected at '^' marker.
> xxxxxxxxxx/pri/act> en
> Error: Unrecognized command, check your enable command
> able
> Password:
> Password:
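
Added example (not part of the original thread and not rancid's own code): a small POSIX shell helper that pulls the negotiated cipher out of `ssh -vv` debug output, in both the older format quoted above and the `cipher:` format newer OpenSSH releases print, and emits the matching .cloginrc line. The function names, the device names under example.net and the sample debug lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ssh -vv <device>` debug lines (older OpenSSH format).
SAMPLE_OLD='debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none'

# Constructed sample in the format newer OpenSSH releases print.
SAMPLE_NEW='debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none'

# Read ssh debug output on stdin; print the negotiated server->client cipher.
# Exits non-zero when no kex line is present (e.g. cipher negotiation failed).
negotiated_cipher() {
    awk '/kex: server->client/ {
        for (i = 1; i < NF; i++) if ($i == "server->client") {
            c = ($(i+1) == "cipher:") ? $(i+2) : $(i+1)
            print c; found = 1; exit
        }
    }
    END { if (!found) exit 1 }'
}

# CBC, 3DES and arcfour are legacy choices; flag them so they get reviewed.
is_legacy_cipher() {
    case $1 in
        *-cbc|3des*|arcfour*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the .cloginrc line for one device from ssh debug output on stdin.
cloginrc_line() {
    device=$1
    cipher=$(negotiated_cipher) || {
        echo "no cipher negotiated for $device" >&2; return 1; }
    if is_legacy_cipher "$cipher"; then
        echo "note: $device negotiated legacy cipher $cipher" >&2
    fi
    printf 'add cyphertype %s {%s}\n' "$device" "$cipher"
}

# ssh writes its debug lines to stderr, so a live capture needs 2>&1.
printf '%s\n' "$SAMPLE_OLD" | cloginrc_line asa1.example.net
printf '%s\n' "$SAMPLE_NEW" | cloginrc_line asa2.example.net
```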