
PI 3.0.2 archive mgmt for Nexus 5K

Hello all,

We have recently installed N5K on our network and we are trying to archive the configuration on Prime Infrastructure 3.0.2.

The N5K devices are synched and managed, the credentials are verified, but every time PI tries to ssh to the device and get the configuration, it fails.

On N5K logs we get the message:

2016 Apr  1 15:39:01 MK-N5K-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[29961]

Any help will be highly appreciated!

Thank you in advance,

Katerina
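
The sshd message quoted in the post above lists what each side offered, so the mismatch can be read mechanically from the device logs. The following Python sketch is an added example, not part of the original post or of any Cisco tooling: it parses that message format and counts, per device, the failed negotiations where client and server shared no cipher. The first sample line is the one from the post; the other two are constructed.

```python
import re
from collections import Counter

# Matches the "no matching cipher found" message format quoted in the post.
MISMATCH = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d+ [\d:]+) (?P<host>\S+) .*"
    r"no matching cipher found: client (?P<client>\S+) server (?P<server>\S+)"
)

def cipher_mode(name):
    """Return the mode suffix of an SSH cipher name (cbc, ctr, gcm) or 'other'."""
    m = re.search(r"-(cbc|ctr|gcm)(@|$)", name)
    return m.group(1) if m else "other"

def parse_mismatch(line):
    """Parse one log line; return None if it is not a cipher mismatch."""
    m = MISMATCH.search(line)
    if not m:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    return {
        "time": m.group("ts"),
        "host": m.group("host"),
        "client": client,
        "server": server,
        "common": [c for c in client if c in server],  # empty => negotiation fails
        "client_modes": sorted({cipher_mode(c) for c in client}),
        "server_modes": sorted({cipher_mode(c) for c in server}),
    }

def summarize(lines):
    """Count failed negotiations per (device, modes the client offered)."""
    counts = Counter()
    for line in lines:
        ev = parse_mismatch(line)
        if ev and not ev["common"]:
            counts[(ev["host"], ",".join(ev["client_modes"]))] += 1
    return counts

SAMPLE = [
    # Line from the post:
    "2016 Apr  1 15:39:01 MK-N5K-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[29961]",
    # Constructed: a later retry of the same failure, and an unrelated message.
    "2016 Apr  1 15:54:01 MK-N5K-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[30412]",
    "2016 Apr  1 15:40:12 MK-N5K-1 %DAEMON-6-SYSTEM_MSG: constructed unrelated message - dcos_sshd[29970]",
]

if __name__ == "__main__":
    for (host, modes), n in summarize(SAMPLE).items():
        print(f"{host}: {n} failed negotiation(s), client offered only: {modes}")
```

A result of `cbc` against a server offering only `ctr` identifies the management client, not the switch, as the side with the outdated cipher list.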

7 Replies

Marvin Rhoads
Hall of Fame

What version is your NX-OS?

There's a bug with the newest NX-OS versions that's been reported for DCNM - it may also affect PI.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuu49270

I'd recommend opening a TAC case to confirm your issue.

For what it's worth, I have version 7.0(7)N1(1) on my Nexus 5548UPs and PI is archiving their configurations just fine.

Hello Marvin,

We are running version 7.3(0)N1(1).

I will open a TAC case and see where it leads.

Thank you for the info.

Katerina

Hello,

The issue was resolved by enabling older ciphers at the Nexus Linux prompt. The solution was provided by TAC and everything is working now!

Updating the post, just in case somebody has the same problem.

Thanks for the update.

I wonder if upgrading PI to 3.1 might also fix it without having to revert to weak ciphers on the devices.

PI 3.1 did fix an issue with not being able to negotiate TLS 1.2 with ISE.

TAC did not propose an upgrade, but when we do proceed with the upgrade, I will remove the old ciphers and see what happens.

Upgrading to 3.1 did not help. I upgraded Prime to 3.1 and the messages are still there. What was the command you issued to enable the older ciphers?

TAC provided us with a debug_plugin, but I suppose it is preferable if you open a case, so that they point you in the correct direction.

Unfortunately, after rebooting the device the ciphers are lost and the correction steps need to be performed again.