[rancid] New Cisco ASA Login Failure

james machado hvgeekwtrvl at gmail.com
Tue Mar 6 00:17:29 UTC 2018


That's what I get for replying too soon.  It looks like you're getting hit
with the "last login" item that came up on the list in January.
http://www.shrubbery.net/pipermail/rancid-discuss/2018-January/010020.html

James

On Mon, Mar 5, 2018 at 12:09 PM, Piegorsch, Weylin William <weylin at bu.edu>
wrote:

> Thanks James.  Except, I can get the login prompt fine, which means the
> SSH cyphersuite negotiated well enough; and, I have no problems with any of
> my other ASAs running various code versions between 8.3 and 9.7.  See also
> below.
>
> Weylin
>
>
>
> [rancid at rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
> #
> # cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
> # http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
> # This also works fine for all other campus devices
> # 22 Sep 2015
> #
> add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
> [rancid at rancid-server ~]
>
>
>
>
>
> *From: *james machado <hvgeekwtrvl at gmail.com>
> *Date: *Monday, March 5, 2018 at 12:18 PM
> *To: *Weylin Piegorsch <weylin at bu.edu>
> *Cc: *"rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> *Subject: *Re: [rancid] New Cisco ASA Login Failure
>
>
>
> This is due to changes in the supported encryption methods in the updated
> IOS and ASA software.  In your .cloginrc you will want to add a line:
>
>
>
> add cyphertype <device> {encryption method}
>
>
>
> You can find an encryption method your systems are happy with by doing the
> following:
>
>
>
> ssh -vv <device>
> [...]
> debug2: mac_setup: found hmac-sha1
> debug1: kex: server->client aes128-ctr hmac-sha1 none
> debug2: mac_setup: found hmac-sha1
> debug1: kex: client->server aes128ctr hmac-sha1 none
> [...]
>
>
>
> With my ASAs I use {aes256-ctr}.
>
>
>
> james
>
>
>
>
>
> On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <weylin at bu.edu>
> wrote:
>
> Hello,
>
>
>
> I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20
> version), that rancid’s not logging into properly.  Cloginrc is set to
> method {telnet ssh} because there’s a plethora of really really old devices
> that hang when I try the other way around (and we haven’t been funded to
> refresh them nor authorized to remove them).
>
>
>
> Here’s what rancid shows:
>
>
>
> [rancid at nsgv-prod-59 ~]$ rancid -V
> rancid 3.4.1
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$
> [rancid at nsgv-prod-59 ~]$ clogin xxxxxxxxxx
> xxxxxxxxxx
> spawn telnet xxxxxxxxxx
> Trying yyyyyyy...
> telnet: connect to address yyyyyyy: Connection refused
> spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx
>
> +------------------------------------+
> |         BOSTON UNIVERSITY          |
> +------------------------------------+
> |         !!   WARNING   !!          |
> |       AUTHORIZED ACCESS ONLY!      |
> | Access to this system is permitted |
> | for authorized  persons only.  All |
> | connections    are    logged   and |
> | monitored.    By   accessing  this |
> | system,  you  acknowledge that use |
> | of  this and  any other technology |
> | at Boston University is subject to |
> | the terms of the Boston University |
> | Conditions  of  Use and  Policy on |
> | Computing  Ethics;   please   see: |
> | http://www.bu.edu/computing/ethics |
> | for details.                       |
> +------------------------------------+
>
> rancid at xxxxxxxxxx 's password:
> User rancid logged in to xxxxxxxxxx
> Logins over the last 2 days: 12.  Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
> Failed logins since the last login: 0.
> Type help or '?' for a list of available commands.
> xxxxxxxxxx/pri/act> rancid
>                            ^
> ERROR: % Invalid input detected at '^' marker.
> xxxxxxxxxx/pri/act> en
> Error: Unrecognized command, check your enable command
> able
> Password:
> Password:
>
>
>
>
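Added example, not part of the original thread and not rancid's own code: the "ssh -vv" check described above, automated as a small parser that reads the debug output and builds the matching "add cyphertype" line for .cloginrc. It goes slightly beyond the thread by also accepting the labelled "cipher: ... MAC: ..." form that newer OpenSSH clients print; the sample debug text and the device name asa-fw.example.net are constructed placeholders.

```python
import re

# Matches the older OpenSSH debug format quoted in the thread:
#   debug1: kex: server->client aes128-ctr hmac-sha1 none
# and the newer labelled format:
#   debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
KEX_RE = re.compile(
    r"^debug1: kex: (server->client|client->server)\s+"
    r"(?:cipher:\s*)?(\S+)\s+(?:MAC:\s*)?(\S+)\s+(?:compression:\s*)?(\S+)$"
)

# Constructed sample inputs (not captured from a real device).
OLD_SAMPLE = """\
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
"""
NEW_SAMPLE = """\
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
"""

def negotiated(debug_text):
    """Return {direction: (cipher, mac, compression)} from ssh -vv output."""
    result = {}
    for line in debug_text.splitlines():
        m = KEX_RE.match(line.strip())  # strip() also drops a trailing \r
        if m:
            result[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return result

def cloginrc_line(device, debug_text):
    """Build an 'add cyphertype' line from the ciphers that were negotiated."""
    neg = negotiated(debug_text)
    if not neg:
        # No kex lines means the handshake never got as far as cipher selection.
        raise ValueError("no 'kex:' lines found; did key exchange complete?")
    ciphers = []
    for direction in ("client->server", "server->client"):
        if direction in neg and neg[direction][0] not in ciphers:
            ciphers.append(neg[direction][0])
    return "add cyphertype %s {%s}" % (device, ",".join(ciphers))

if __name__ == "__main__":
    # asa-fw.example.net is a hypothetical device name.
    print(cloginrc_line("asa-fw.example.net", NEW_SAMPLE))
```

Against a live device the input would be the stderr of "ssh -vv <device>" saved to a file and passed in as text.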