[rancid] New Cisco ASA Login Failure
on at LEFerguson.com
on at LEFerguson.com
Tue Mar 6 14:36:37 UTC 2018
I just got hit by this also on a 5506-x. I turned off the login history for now, but I saw back in January a proposed patch, did that work out? (I guess I could try it, but it's always nice to know if it worked, and if it might be destined for incorporation?)
Linwood
From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Piegorsch, Weylin William
Sent: Tuesday, March 6, 2018 7:59 AM
To: james machado <hvgeekwtrvl at gmail.com>
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] New Cisco ASA Login Failure
Aw snap! I even replied to that thread :-(
http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010021.html
Thanks for pointing this out.
weylin
From: james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>>
Date: Monday, March 5, 2018 at 7:18 PM
To: Weylin Piegorsch <weylin at bu.edu<mailto:weylin at bu.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] New Cisco ASA Login Failure
That's what i get for replying too soon. It looks like your getting hit with the "last login" item that came up on the list in January. http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010020.html
James
On Mon, Mar 5, 2018 at 12:09 PM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Thanks James. Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7. See also below.
Weylin
[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[rancid at rancid-server ~]
From: james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu<mailto:weylin at bu.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] New Cisco ASA Login Failure
This is due to changes in the supported encryption methods in the updated IOS's and ASA softwares. in your .cloginrc you will want to add a line:
add cyphertype <device> {encryption method}
you can find an encryption method your systems are happy with by doing the following:
ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]
with my ASA's i use {aes256-ctr}.
james
On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Hello,
I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly. Clogincrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them).
Here’s what rancid shows:
[rancid at nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx
+------------------------------------+
| BOSTON UNIVERSITY |
+------------------------------------+
| !! WARNING !! |
| AUTHORIZED ACCESS ONLY! |
| Access to this system is permitted |
| for authorized persons only. All |
| connections are logged and |
| monitored. By accessing this |
| system, you acknowledge that use |
| of this and any other technology |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions of Use and Policy on |
| Computing Ethics; please see: |
| http://www.bu.edu/computing/ethics |
| for details. |
+------------------------------------+
rancid at xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12. Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20180306/483f5fcd/attachment.html>
More information about the Rancid-discuss
mailing list