Thanks James. Except, I can get the login prompt fine, which means the SSH cyphersuite negotiated well enough; and, I have no problems with any of my other ASAs running various code versions between 8.3 and 9.7. See also below.

Weylin

[rancid@rancid-server ~]$ egrep -B 7 "^add cypher" .cloginrc
#
# cryptographic cypher support for Nexus 9000 running 7.0(3)I2(1) and later
# http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html
# This also works fine for all other campus devices
# 22 Sep 2015
#
add cyphertype * {aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc}
[rancid@rancid-server ~]

From: james machado <hvgeekwt...@gmail.com>
Date: Monday, March 5, 2018 at 12:18 PM
To: Weylin Piegorsch <wey...@bu.edu>
Cc: "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] New Cisco ASA Login Failure

This is due to changes in the supported encryption methods in the updated IOS and ASA software.

In your .cloginrc you will want to add a line:

add cyphertype <device> {encryption method}

You can find an encryption method your systems are happy with by doing the following:

ssh -vv <device>
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128ctr hmac-sha1 none
[...]

With my ASAs I use {aes256-ctr}.

james

On Mon, Mar 5, 2018 at 6:48 AM, Piegorsch, Weylin William <wey...@bu.edu> wrote:

Hello,

I have a Cisco ASA 5506X device I just deployed (running 9.8(2)20 version), that rancid’s not logging into properly. .cloginrc is set to method {telnet ssh} because there’s a plethora of really really old devices that hang when I try the other way around (and we haven’t been funded to refresh them nor authorized to remove them). Here’s what rancid shows:

[rancid@nsgv-prod-59 ~]$ rancid -V
rancid 3.4.1
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$
[rancid@nsgv-prod-59 ~]$ clogin xxxxxxxxxx
xxxxxxxxxx
spawn telnet xxxxxxxxxx
Trying yyyyyyy...
telnet: connect to address yyyyyyy: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid xxxxxxxxxx
+------------------------------------+
|         BOSTON UNIVERSITY          |
+------------------------------------+
|           !! WARNING !!            |
|      AUTHORIZED ACCESS ONLY!       |
| Access to this system is permitted |
| for authorized persons only. All  |
| connections are logged and         |
| monitored. By accessing this       |
| system, you acknowledge that use   |
| of this and any other technology   |
| at Boston University is subject to |
| the terms of the Boston University |
| Conditions of Use and Policy on    |
| Computing Ethics; please see:      |
| http://www.bu.edu/computing/ethics |
| for details.                       |
+------------------------------------+
rancid@xxxxxxxxxx 's password:
User rancid logged in to xxxxxxxxxx
Logins over the last 2 days: 12.
Last login: 08:39:20 EST Mar 5 2018 from zzzzzzz
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
xxxxxxxxxx/pri/act> rancid
                    ^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx/pri/act> en
Error: Unrecognized command, check your enable command
able
Password:
Password:

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
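
The procedure described in the reply above (read the negotiated cipher out of `ssh -vv` debug output, then write it as an `add cyphertype` line in .cloginrc), as an added example that is not part of the thread or of RANCID itself. The function names, the device name `asa-example` and the sample debug text are assumptions constructed for illustration; the parser goes slightly beyond the thread by also accepting the newer OpenSSH `cipher: ... MAC: ...` debug format and by flagging legacy ciphers.

```python
import re

# Negotiated-cipher lines in `ssh -vv` output (written to stderr), both formats:
#   older: debug1: kex: server->client aes128-ctr hmac-sha1 none
#   newer: debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
KEX_RE = re.compile(
    r"^debug1: kex: (server->client|client->server)\s+(?:cipher:\s*)?(\S+)", re.M)

# CBC-mode, 3DES and arcfour are legacy choices worth flagging for review.
LEGACY_RE = re.compile(r"(-cbc$|^3des|^arcfour)")

# Constructed sample input (newer OpenSSH debug format), not captured from a device.
SAMPLE_NEW = """\
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
"""


def negotiated_ciphers(debug_output):
    """Return {direction: cipher} parsed from `ssh -vv` debug text."""
    return {m.group(1): m.group(2) for m in KEX_RE.finditer(debug_output)}


def cloginrc_line(device, debug_output):
    """Build the .cloginrc `add cyphertype` line for one device.

    Raises ValueError when negotiation did not complete in both directions or
    the directions disagree, because clogin hands ssh a single `-c` list.
    """
    found = negotiated_ciphers(debug_output)
    if set(found) != {"server->client", "client->server"}:
        raise ValueError("no completed cipher negotiation in debug output")
    ciphers = set(found.values())
    if len(ciphers) != 1:
        raise ValueError("directions negotiated different ciphers: %r" % found)
    cipher = ciphers.pop()
    line = "add cyphertype %s {%s}" % (device, cipher)
    if LEGACY_RE.search(cipher):
        # Emit the line, but leave a comment in .cloginrc prompting a review.
        line = "# NOTE: %s is a legacy cipher; review the device SSH config\n%s" % (
            cipher, line)
    return line


if __name__ == "__main__":
    print(cloginrc_line("asa-example", SAMPLE_NEW))
```

A `ValueError` here means the SSH transport never finished negotiating; a session that reaches the password prompt has already passed that stage.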