[rancid] New Cisco ASA Login Failure

Piegorsch, Weylin William weylin at bu.edu
Tue Mar 6 12:58:37 UTC 2018

Aw snap!  I even replied to that thread :-(

Thanks for pointing this out.


From: james machado <hvgeekwtrvl at gmail.com>
Date: Monday, March 5, 2018 at 7:18 PM
To: Weylin Piegorsch <weylin at bu.edu>
Cc: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure

That's what i get for replying too soon.  It looks like your getting hit with the "last login" item that came up on the list in January. http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010020.html


On Mon, Mar 5, 2018 at 12:09 PM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Thanks James.  Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7.  See also below.

[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc


# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later

# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html

# This also works fine for all other campus devices

# 22 Sep 2015


add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}

[rancid at rancid-server ~]

From: james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu<mailto:weylin at bu.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated IOS's and ASA softwares.  in your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

you can find an encryption method your systems are happy with by doing the following:

ssh -vv <device>
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none

with my ASA's i use {aes256-ctr}.


On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:

I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly.  Clogincrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).

Here’s what rancid shows:

[rancid at nsgv-prod-59 ~]$ rancid -V

rancid 3.4.1

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$

[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx


spawn telnet xxxxxxxxxx

Trying yyyyyyy...

telnet: connect to address yyyyyyy: Connection refused

spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx


|         BOSTON UNIVERSITY          |


|         !!   WARNING   !!          |


| Access to this system is permitted |

| for authorized  persons only.  All |

| connections    are    logged   and |

| monitored.    By   accessing  this |

| system,  you  acknowledge that use |

| of  this and  any other technology |

| at Boston University is subject to |

| the terms of the Boston University |

| Conditions  of  Use and  Policy on |

| Computing  Ethics;   please   see: |

| http://www.bu.edu/computing/ethics |

| for details.                       |


rancid at xxxxxxxxxx 's password:

User rancid logged in to xxxxxxxxxx

Logins over the last 2 days: 12.  Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

xxxxxxxxxx/pri/act> rancid


ERROR: % Invalid input detected at '^' marker.

xxxxxxxxxx/pri/act> en

Error: Unrecognized command, check your enable command




Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20180306/d8c7271d/attachment.html>

More information about the Rancid-discuss mailing list