04-01-2016 06:33 AM
Hello all,
We have recently installed N5K on our network and we are trying to archive the configuration on Prime Infrastructure 3.0.2.
The N5K devices are synched and managed, the credentials are verified, but every time PI tries to ssh to the device and get the configuration, it fails.
On N5K logs we get the message:
2016 Apr 1 15:39:01 MK-N5K-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[29961]
Any help will be highly appreciated!
Thank you in advance,
Katerina
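Added example, not part of the original post: a small parser for the sshd failure line quoted above that splits the client and server cipher offers and applies the SSH selection rule (first name on the client's list that the server also lists). The function names and the extra client cipher in the last step are assumptions made for illustration.

```python
import re

# Format of the sshd failure in the post:
#   no matching cipher found: client <list> server <list>
FAILURE = re.compile(
    r"no matching (?P<kind>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def negotiate(client_offer, server_offer):
    """RFC 4253 sec. 7.1: the first name on the client's list that the
    server also lists is chosen; None means the handshake fails."""
    allowed = set(server_offer)
    return next((name for name in client_offer if name in allowed), None)

def analyze(line):
    """Parse one log line; return None if it is not a negotiation failure."""
    m = FAILURE.search(line)
    if m is None:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    return {
        "kind": m.group("kind"),
        "client": client,
        "server": server,
        "chosen": negotiate(client, server),
        "client_cbc_only": all(c.endswith("-cbc") for c in client),
        "server_ctr_only": all(s.endswith("-ctr") for s in server),
    }

# Log line copied from the post.
SAMPLE = (
    "2016 Apr 1 15:39:01 MK-N5K-1 %DAEMON-2-SYSTEM_MSG: fatal: no matching "
    "cipher found: client 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc "
    "server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[29961]"
)

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["kind"], "chosen:", result["chosen"])
    # Constructed client offer (assumption): same list plus one CTR cipher.
    fixed_client = result["client"] + ["aes128-ctr"]
    print("with CTR on client:", negotiate(fixed_client, result["server"]))
```

For the quoted line the two offers share no cipher, so nothing can be chosen: the client lists only CBC modes and the switch lists only CTR modes.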
04-02-2016 06:34 AM
What version is your NX-OS?
There's a bug with the newest NX-OS versions that's been reported for DCNM - it may also affect PI.
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuu49270
I'd recommend opening a TAC case to confirm your issue.
For what it's worth, I have version 7.0(7)N1(1) on my Nexus 5548UPs and PI is archiving their configurations just fine.
04-04-2016 12:28 AM
Hello Marvin,
We are running version 7.3(0)N1(1).
I will open a TAC case and see where it leads.
Thank you for the info.
Katerina
05-19-2016 05:41 AM
Hello,
The issue was resolved by enabling older ciphers at the Nexus Linux prompt. The solution was provided by TAC and everything is working now!
Updating the post, just in case somebody has the same problem.
05-19-2016 07:46 PM
Thanks for the update.
I wonder if upgrading PI to 3.1 might also fix it without having to revert to weak ciphers on the devices.
PI 3.1 did fix an issue with not being able to negotiate TLS 1.2 with ISE.
05-19-2016 09:45 PM
TAC did not propose an upgrade, but when we do proceed with the upgrade, I will remove the old ciphers and see what happens.
05-23-2016 11:45 PM
Upgrading to 3.1 did not help. I upgraded the Prime to 3.1 and the messages are still there. What was the command you issued to enable the older ciphers?
05-24-2016 02:26 AM
TAC provided us with a debug_plugin, but I suppose it is preferable if you open a case, so that they point you towards the correct direction.
Unfortunately, after rebooting the device, the ciphers are lost and the correction steps need to be reperformed.