[rancid] New Cisco ASA Login Failure

on at LEFerguson.com
Tue Mar 6 14:36:37 UTC 2018


I just got hit by this also on a 5506-x.  I turned off the login history for now, but I saw back in January a proposed patch, did that work out?   (I guess I could try it, but it's always nice to know if it worked, and if it might be destined for incorporation?)

Linwood


From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Piegorsch, Weylin William
Sent: Tuesday, March 6, 2018 7:59 AM
To: james machado <hvgeekwtrvl at gmail.com>
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] New Cisco ASA Login Failure

Aw snap!  I even replied to that thread :-(
http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010021.html

Thanks for pointing this out.

weylin

From: james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>>
Date: Monday, March 5, 2018 at 7:18 PM
To: Weylin Piegorsch <weylin at bu.edu<mailto:weylin at bu.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] New Cisco ASA Login Failure

That's what I get for replying too soon.  It looks like you're getting hit with the "last login" item that came up on the list in January. http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010020.html

James

On Mon, Mar 5, 2018 at 12:09 PM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Thanks James.  Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7.  See also below.
Weylin


[rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[rancid at rancid-server ~]


From: james machado <hvgeekwtrvl at gmail.com<mailto:hvgeekwtrvl at gmail.com>>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <weylin at bu.edu<mailto:weylin at bu.edu>>
Cc: "rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>" <rancid-discuss at shrubbery.net<mailto:rancid-discuss at shrubbery.net>>
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated IOS and ASA software.  In your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

You can find an encryption method your systems are happy with by doing the following:

ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]

With my ASAs I use {aes256-ctr}.

james


On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu<mailto:weylin at bu.edu>> wrote:
Hello,

I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version) that rancid's not logging into properly.  .cloginrc is set to method {telnet ssh} because there's a plethora of really really old devices that hang when I try the other way around (and we haven't been funded to refresh them nor authorized to remove them).

Here’s what rancid shows:



[rancid at nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$
[rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx

+------------------------------------+
|         BOSTON UNIVERSITY          |
+------------------------------------+
|         !!   WARNING   !!          |
|       AUTHORIZED ACCESS ONLY!      |
| Access to this system is permitted |
| for authorized  persons only.  All |
| connections    are    logged   and |
| monitored.    By   accessing  this |
| system,  you  acknowledge that use |
| of  this and  any other technology |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions  of  Use and  Policy on |
| Computing  Ethics;   please   see: |
| http://www.bu.edu/computing/ethics |
| for details.                       |
+------------------------------------+

rancid at xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12.  Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
                           ^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:
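The "find a cipher with ssh -vv, then write an add cyphertype line" procedure James describes above, as an added example that is not part of the thread and is not rancid's own code. It parses the two "debug1: kex:" negotiation lines (both the older layout quoted in the thread and the newer "cipher: ... MAC: ... compression: ..." layout OpenSSH prints today), emits the .cloginrc entry, and flags legacy CBC/3DES ciphers such as those in the wildcard list earlier in the thread; the sample output and the device name are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample of `ssh -vv <device>` stderr, modelled on the
# lines quoted in the thread (real output is much longer).
SAMPLE_SSH_VV = """\
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
"""

# One per-direction negotiation summary.  Older OpenSSH prints
#   debug1: kex: server->client aes128-ctr hmac-sha1 none
# newer OpenSSH prints
#   debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
KEX_RE = re.compile(
    r"^debug1: kex: (?P<dir>server->client|client->server) "
    r"(?:cipher: )?(?P<cipher>\S+) (?:MAC: )?(?P<mac>\S+) "
    r"(?:compression: )?(?P<comp>\S+)$"
)

# Cipher families that should not be offered to new deployments.
LEGACY_CIPHER_RE = re.compile(r"(-cbc$|^3des|^arcfour|^blowfish)")


def parse_negotiated_ciphers(debug_output: str) -> Dict[str, str]:
    """Return {direction: cipher} for every kex summary line found."""
    found: Dict[str, str] = {}
    for line in debug_output.splitlines():
        m = KEX_RE.match(line.strip())
        if m:
            found[m.group("dir")] = m.group("cipher")
    return found


def cloginrc_cyphertype(device: str, debug_output: str) -> Optional[str]:
    """Build the .cloginrc line for `device` from an ssh -vv capture.

    clogin passes the list to `ssh -c`, so if the two directions
    negotiated different ciphers both are listed, first seen first.
    Returns None when no negotiation line was found.
    """
    ciphers = list(dict.fromkeys(parse_negotiated_ciphers(debug_output).values()))
    if not ciphers:
        return None
    return f"add cyphertype {device} {{{','.join(ciphers)}}}"


def is_legacy_cipher(cipher: str) -> bool:
    """True for CBC-mode and other deprecated SSH cipher names."""
    return bool(LEGACY_CIPHER_RE.search(cipher))
```

Run the real `ssh -vv` against the device, feed its stderr to cloginrc_cyphertype, and check the result with is_legacy_cipher before pasting the line into .cloginrc.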


_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net<mailto:Rancid-discuss at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

