Cisco Support Community
New Member

M670: Replacing SSH Fingerprints for Appliances

We have recently gone through and replaced a number of our aging C650 Ironports with new X1070 security appliances. As these replaced in-production devices, they were configured with the same IP addresses and hostnames as the older ones. When we have gone back to our M670 Management Appliance, we are no longer retrieving reporting on the new devices. When we try to test connectivity to the devices in the security appliances feature, the M670 returns:

Error: The host key for X.X.X.X appears to have changed.

We have gone through the process of deleting the devices, committing the configs, then re-adding. We have also issued new SSH keys for the admin user on both the M670 and the X1070s, as well as new keys for the logconfig. Neither removed the error. Normally in other SSH deployments, we would remove the older keys from .ssh/known_hosts, but I have not found that option.

Accepted Solution
Cisco Employee

M670: Replacing SSH Fingerprints for Appliances

Try this...

From the SMA (Security Management Appliance), log in, and visit the following from the GUI: Centralized Services -> Security Appliances

You will need to select the Appliance Name that has been updated.

You will need to "Establish Connection" again for this host.  You will get the following error:

Error —   The host key for <<>> appears to have changed.

    It is possible that someone is trying to hijack the encrypted connection to the remote host. Please use the logconfig->hostkeyconfig command to verify (and possibly update) the SSH host key for <<>>.

This requires CLI access to the SMA appliance, and running the following:

> logconfig -> hostkeyconfig

Remove ALL keys associated with the IP address in question.  Exit to the main CLI prompt, and COMMIT.

Return to the GUI: Centralized Services -> Security Appliances

Select the Appliance Name that has been updated.

Select "Establish Connection", you should now be able to enter in the user and password; prompting "Success —   Authentication successful." to the screen. 

Then also select "Test Connection".

You should see "Success   — Testing...", allow this to run and complete (you will see the browser showing activity while this is running).

Once complete, you will see:

Success —   All services are correctly configured on the remote appliance:

    Reporting capability check: OK

    Tracking capability check: OK

    Reporting service check: OK

    Tracking service check: OK

Based on what is selected to be transferred from the appliance to the management host.

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
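The check the SMA is performing here is the same one every SSH client does: the key presented by the new X1070 does not match the key it learned from the C650 that previously held that IP, so it refuses to connect until ALL stale entries for that host are removed and the new key is learned. The following is an added example, not code from the original post and not Cisco's SMA implementation. It reproduces that check against a plain OpenSSH-style known_hosts file, including the hashed `|1|salt|hash` host form, and performs the replacement only after the new key's SHA256 fingerprint matches one obtained out of band (for example, read from the new appliance's own console rather than over the network, which is what rules out the hijack the error message warns about). The host names, IP addresses and key blobs are constructed for the example.

```python
"""Detect and safely replace a changed SSH host key in an OpenSSH known_hosts file.

Added example. Mirrors the SMA's "host key ... appears to have changed" check and
the fix in the accepted answer (remove every key for the host, then re-learn it),
but for a plain OpenSSH known_hosts file. All hosts and keys below are constructed.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_ed25519_blob(raw32: bytes) -> str:
    """Base64 ssh-ed25519 public-key blob built from 32 raw bytes (constructed test data)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's 'SHA256:<unpadded base64>' format."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


@dataclass
class Entry:
    hosts: str      # comma-separated host patterns, or a hashed |1|salt|hash field
    key_type: str
    key_b64: str
    raw: str


def parse_known_hosts(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):      # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3:
            entries.append(Entry(parts[0], parts[1], parts[2], line))
    return entries


def host_matches(pattern_field: str, host: str) -> bool:
    """Exact match against a plain host list, or HMAC comparison for a hashed field."""
    if pattern_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern_field.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in pattern_field.split(",")


def check_host_key(text: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'changed' or 'unknown', like an SSH client's host-key check."""
    seen = False
    for e in parse_known_hosts(text):
        if host_matches(e.hosts, host):
            seen = True
            if e.key_type == key_type and e.key_b64 == key_b64:
                return "match"
    return "changed" if seen else "unknown"


def replace_host_key(text: str, host: str, key_type: str, key_b64: str, verified_fp: str) -> str:
    """Drop ALL lines matching host, then add the new key, but only if its fingerprint
    equals the one verified out of band (e.g. read from the appliance's own console)."""
    if fingerprint(key_b64) != verified_fp:
        raise ValueError("new host key does not match the out-of-band fingerprint; possible hijack")
    kept = [e.raw for e in parse_known_hosts(text) if not host_matches(e.hosts, host)]
    kept.append(f"{host} {key_type} {key_b64}")
    return "\n".join(kept) + "\n"


# Constructed sample data: the old appliance's key, its replacement, and a second host.
OLD_KEY = make_ed25519_blob(bytes(range(32)))
NEW_KEY = make_ed25519_blob(bytes(range(32, 64)))
ESA2_KEY = make_ed25519_blob(bytes(range(64, 96)))
SALT = b"\x5a" * 20
KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    f"10.0.0.5,esa1.example.com ssh-ed25519 {OLD_KEY}\n"
    f"{hash_hostname('esa2.example.com', SALT)} ssh-ed25519 {ESA2_KEY}\n"
)


def demo() -> tuple[str, str, str]:
    before = check_host_key(KNOWN_HOSTS, "10.0.0.5", "ssh-ed25519", NEW_KEY)
    verified = fingerprint(NEW_KEY)   # in practice: taken from the new appliance's console
    updated = replace_host_key(KNOWN_HOSTS, "10.0.0.5", "ssh-ed25519", NEW_KEY, verified)
    after = check_host_key(updated, "10.0.0.5", "ssh-ed25519", NEW_KEY)
    return before, after, updated


if __name__ == "__main__":
    b, a, text = demo()
    print(f"before: {b}, after: {a}\n{text}")
```

Note that the replacement removes the whole matching line, so an alias that shared a line with the IP (here `esa1.example.com`) is forgotten too and will be re-learned on its next connection; that is the same behaviour as `ssh-keygen -R`, and it is why the answer says to remove ALL keys for the address rather than a single entry.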

