[Knowledge sharing] Backup configuration using eSight is failing in SFTP mode


Hello everyone,

Most customers back up their configuration using eSight, but in some cases this fails. I'll explain here how to troubleshoot the issue and share a possible solution.

Fault symptom: when you try to back up the configuration to eSight, you see the following error message on the S12704:

Aug  7 2017 15:29:44+02:00 DST HHS-WLC7001 %SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1722247848, ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, hwCfgOperateFileName.20647=[63.6f.6e.66.69.67.66.69.6c.65.2f.53.31.32.37.30.34.2f.31.34.35.2e.35.32.2e.33.32.2e.31.30.2f.32.30.31.37.30.38.30.37.31.35.32.39.34.34.53.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=10.211.4.222, hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)


Version information:

- eSight V300R006C00SPC505
- S12700 V200R010SPH003


Configuration script:

#
interface Vlanif32
 description VPN-CDI Management Interface
 ip binding vpn-instance VPN-CDI
 ip address x.x.32.10 255.255.254.0
#
snmp-agent
snmp-agent acl 2001
snmp-agent local-engineid 3134352E35322
snmp-agent sys-info contact name
snmp-agent sys-info location name-WLC
snmp-agent sys-info version v3
snmp-agent group v3 km privacy write-view iso-view notify-view iso-view
snmp-agent group v3 admin privacy read-view iso-view write-view iso-view notify-view iso-view
snmp-agent group v3 cacti privacy notify-view iso-view
snmp-agent target-host trap address udp-domain x.x.4.222 vpn-instance VPN-CDI params securityname cipher %^%#/8#8S8%1rTNSbZBV
snmp-agent target-host trap address udp-domain x.x.4.222 params securityname eSight v3 privacy
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 eSight
snmp-agent usm-user v3 eSight group admin
snmp-agent usm-user v3 eSight authentication-mode sha cipher %^%#OO%}%$*Za*M&8)I&4\E1"\=
snmp-agent usm-user v3 eSight privacy-mode aes128 cipher %^%#p865#-Yc)Kp5['*'5i[C;fBx;\WqU7=
snmp-agent trap source Vlanif32
snmp-agent extend error-code enable
snmp-agent trap enable
#
sftp server enable
stelnet server enable
ssh authentication-type default password
ssh user tenict
ssh user tenict authentication-type password
ssh user tenict service-type all
ssh client first-time enable
sftp client-source -a x.x.32.10
ssh server cipher aes256_cbc aes128_cbc
ssh server hmac sha2_256 sha1
ssh server key-exchange dh_group14_sha1
ssh client cipher aes256_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group14_sha1
#


Alarm Information:

The SNMP_MIB_SET_FAILED message above means that setting the MIB object failed. ErrorStatus 12 indicates an inconsistent value, and ErrorIndex indicates the position of the variable in the SET request that could not be set.

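To triage this alarm quickly (which manager sent the SET, which varbind ErrorIndex points at, and what the dotted-hex fields say), here is an added parser for the SNMP_MIB_SET_FAILED log format. It is example code written for this post, not eSight or switch code; the sample line is constructed with a made-up file name and request id, and it assumes the switch logs the varbinds in PDU order.

```python
import re

# SNMPv2 error-status codes from RFC 3416; the switch logs ErrorStatus with this numbering.
SNMP_ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue",
    4: "readOnly", 5: "genErr", 6: "noAccess", 7: "wrongType", 8: "wrongLength",
    9: "wrongEncoding", 10: "wrongValue", 11: "noCreation", 12: "inconsistentValue",
    13: "resourceUnavailable", 14: "commitFailed", 15: "undoFailed",
    16: "authorizationError", 17: "notWritable", 18: "inconsistentName"}

# Constructed sample in the same format as the alarm above (file name and request id are made up).
SAMPLE_LINE = (
    "Aug  7 2017 15:29:44+02:00 DST HHS-WLC7001 %SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:"
    "MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1, "
    "ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, "
    "hwCfgOperateFileName.20647=[62.61.63.6b.75.70.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=x.x.4.222, "
    "hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, "
    "hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)")

HEX_FIELD_RE = re.compile(r"^\[((?:[0-9a-fA-F]{2}\.)*[0-9a-fA-F]{2}) \(hex\)\]$")

def decode_field(value: str) -> str:
    """Turn a dotted-hex value such as '[63.66.67 (hex)]' into 'cfg'; other values pass through."""
    m = HEX_FIELD_RE.match(value)
    if not m:
        return value
    return bytes.fromhex(m.group(1).replace(".", "")).decode("ascii", errors="replace")

def parse_mib_set_failed(line: str) -> dict:
    """Split an SNMP_MIB_SET_FAILED line into request fields and the ordered varbind list."""
    m = re.search(r"\((UserName=.*)\)\s*$", line)
    if "SNMP_MIB_SET_FAILED" not in line or not m:
        raise ValueError("not an SNMP_MIB_SET_FAILED line")
    fields, varbinds = {}, []
    for item in m.group(1).split(", "):
        key, _, value = item.partition("=")
        if "." in key:                      # hwCfgOperateX.<row> is a varbind of the SET PDU
            varbinds.append((key, decode_field(value)))
        else:
            fields[key] = value
    status, index = int(fields["ErrorStatus"]), int(fields["ErrorIndex"])
    return {
        "user": fields.get("UserName"), "source": fields.get("SourceIP"),
        "error_status": status, "error_name": SNMP_ERROR_STATUS.get(status, "unknown"),
        # ErrorIndex is 1-based; assumes the varbinds are logged in PDU order.
        "error_index": index,
        "failed_varbind": varbinds[index - 1] if 0 < index <= len(varbinds) else None,
        "varbinds": varbinds,
    }
```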

Handling Process:

1) First, enable SNMP debugging on the switch, reproduce the backup and collect the output to confirm the alarm:

On switch:

<HUAWEI> terminal debugging
<HUAWEI> terminal monitor
<HUAWEI> debugging snmp

Test and collect the information, then disable debugging:

<HUAWEI> undo terminal debugging
<HUAWEI> undo terminal monitor

2) Confirm that 'ssh client first-time enable' is applied on the switch.

3) Back up the configuration of the S12700 from eSight and check the backup result under:

         Configuration - Configuration File Management - Config Files


4) Confirm that the Write, Read and Notify communities are configured on the switch.

5) Confirm that ping works and that the backup works over FTP. In this case both worked; only SFTP failed.

6) Confirm that no firewall between eSight and the switch blocks the SFTP port (31922). You can test with the command 'telnet vpn-instance VPN-CDI x.x.4.222 31922'; in this case the connection was successful.

7) Debug the connection between eSight and the switch:

debugging tcp packet src-port 22 dest-ip x.x.32.10
debugging tcp packet src-ip x.x.32.10 dest-port 22
debugging ssh server all all


Root Cause:

The TCP and SSH debugging produced the following message:

Aug 17 2017 15:11:34.948.4+02:00 DST HHS-WLC7001 SSH/7/KEX_MATCH:No matching cipher found (client=aes256-ctr, server=aes128-ctr,aes128-cbc,3des-cbc)!

The client (the switch) proposed only aes256-ctr, while the server (eSight) accepted aes128-ctr, aes128-cbc and 3des-cbc. With no cipher in common, the SSH key exchange fails before SFTP can start.

You can see this clearly in the switch configuration:

ssh client cipher aes256_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group14_sha1

On eSight the default cipher is aes128-ctr. You can check this in the eSight configuration.



Solution:

After applying the 'ssh client cipher aes128_cbc aes128_ctr' command in system-view on the switch, the configuration can be backed up on eSight using SFTP. Note that for this backup the switch is the SSH client and eSight is the SFTP server, so it is the 'ssh client cipher' list (not 'ssh server cipher') that has to overlap with the ciphers eSight accepts.
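To check the root cause and the fix above without re-running the backup, here is an added script (example code for this post, not Huawei or eSight code) that reads the server cipher list out of the KEX_MATCH debug line, reads the switch's 'ssh client cipher' command, and predicts the negotiation result. It uses the debug line quoted above plus the before/after commands; it assumes the switch proposes ciphers in the order given on the CLI, which is the RFC 4253 rule for the client's preference list.

```python
import re

# Inputs: the KEX_MATCH debug line quoted in this post, plus the 'ssh client cipher'
# command before and after the fix (constructed here, not read from a device).
KEX_LINE = ("Aug 17 2017 15:11:34.948.4+02:00 DST HHS-WLC7001 SSH/7/KEX_MATCH:No matching "
            "cipher found (client=aes256-ctr, server=aes128-ctr,aes128-cbc,3des-cbc)!")
CONFIG_BEFORE = "ssh client cipher aes256_ctr"
CONFIG_AFTER = "ssh client cipher aes128_cbc aes128_ctr"

KEX_MATCH_RE = re.compile(r"KEX_MATCH:No matching cipher found \(client=(.*?), server=(.*?)\)")

def cli_to_wire(name: str) -> str:
    """Huawei CLI spells aes128_ctr; the SSH wire name (RFC 4253) is aes128-ctr."""
    return name.strip().lower().replace("_", "-")

def parse_kex_match(line: str):
    """Return (client_list, server_list) from a KEX_MATCH debug line, or None."""
    m = KEX_MATCH_RE.search(line)
    if not m:
        return None
    split = lambda s: [c.strip() for c in s.split(",") if c.strip()]
    return split(m.group(1)), split(m.group(2))

def client_ciphers_from_config(config: str) -> list:
    """Wire-format cipher list from the 'ssh client cipher ...' command, if present."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ssh", "client", "cipher"]:
            return [cli_to_wire(p) for p in parts[3:]]
    return []

def negotiate(client: list, server: list):
    """RFC 4253 section 7.1: the first client-preferred name the server also lists wins.
    Assumes the switch proposes ciphers in the order given on the CLI."""
    return next((c for c in client if c in server), None)

def diagnose(config: str, kex_line: str) -> dict:
    """Predict what the switch (SSH client) and eSight (SFTP server) would agree on."""
    parsed = parse_kex_match(kex_line)
    server = parsed[1] if parsed else []
    client = client_ciphers_from_config(config)
    chosen = negotiate(client, server)
    return {
        "client": client, "server": server, "cipher": chosen, "ok": chosen is not None,
        # CBC-mode SSH ciphers are legacy; a CTR cipher both sides share is the better pick.
        "uses_cbc": bool(chosen and chosen.endswith("-cbc")),
        "ctr_common": [c for c in client if c in server and c.endswith("-ctr")],
    }
```

Under the ordering assumption above, the fix as written negotiates aes128-cbc because it is listed first, while 'ssh client cipher aes128_ctr aes128_cbc' (or aes128_ctr alone) would still match eSight's default and select the CTR cipher.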