Backup configuration of S12704 with eSight using SFTP was failing

Publication Date:  2017-10-19 Views:  449 Downloads:  0
Issue Description

Fault symptom: when the customer tried to back up the configuration to eSight, the following error message appeared on the S12704:

Aug  7 2017 15:29:44+02:00 DST HHS-WLC7001 %%01SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1722247848, ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, hwCfgOperateFileName.20647=[63.6f.6e.66.69.67.66.69.6c.65.2f.53.31.32.37.30.34.2f.31.34.35.2e.35.32.2e.33.32.2e.31.30.2f.32.30.31.37.30.38.30.37.31.35.32.39.34.34.53.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=10.211.4.222, hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)


Version information: 

-eSight V300R006C00SPC505

-s12700 v200r010sph003


Configuration script:

#

interface Vlanif32

 description VPN-CDI Management Interface 

 ip binding vpn-instance VPN-CDI

 ip address x.x.32.10 255.255.254.0

#

snmp-agent

snmp-agent acl 2001

snmp-agent local-engineid 3134352E35322E33352E3130

snmp-agent sys-info contact name

snmp-agent sys-info location name-WLC7001

snmp-agent sys-info version v3

snmp-agent group v3 km privacy write-view iso-view notify-view iso-view

snmp-agent group v3 admin privacy read-view iso-view write-view iso-view notify-view iso-view

snmp-agent group v3 cacti privacy notify-view iso-view

snmp-agent target-host trap address udp-domain x.x.4.222 vpn-instance VPN-CDI params securityname cipher %^%#/8#8S8%1rTNSbZBV

snmp-agent target-host trap address udp-domain x.x.4.222 params securityname eSight v3 privacy

snmp-agent mib-view included iso-view iso

snmp-agent usm-user v3 eSight

snmp-agent usm-user v3 eSight group admin 

snmp-agent usm-user v3 eSight authentication-mode sha cipher %^%#OO%}%$*Za*M&8)I&4\E1"\=

snmp-agent usm-user v3 eSight privacy-mode aes128 cipher %^%#p865#-Yc)Kp5['*'5i[C;fBx;\WqU7=

snmp-agent trap source Vlanif32

snmp-agent extend error-code enable

snmp-agent trap enable

#

sftp server enable

stelnet server enable

ssh authentication-type default password

ssh user tenict

ssh user tenict authentication-type password

ssh user tenict service-type all

ssh client first-time enable

sftp client-source -a x.x.32.10

ssh server cipher aes256_cbc aes128_cbc

ssh server hmac sha2_256 sha1

ssh server key-exchange dh_group14_sha1

ssh client cipher aes256_ctr

ssh client hmac sha2_256

ssh client key-exchange dh_group14_sha1

#


Alarm Information

Setting the MIB object failed. ErrorStatus 12 indicates an inconsistent value. ErrorIndex indicates the index of the variable that failed to be set.

Aug  7 2017 15:29:44+02:00 DST HHS-WLC7001 %%01SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1722247848, ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, hwCfgOperateFileName.20647=[63.6f.6e.66.69.67.66.69.6c.65.2f.53.31.32.37.30.34.2f.31.34.35.2e.35.32.2e.33.32.2e.31.30.2f.32.30.31.37.30.38.30.37.31.35.32.39.34.34.53.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=10.211.4.222, hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)

Handling Process

1) First, send us the output of the debugging commands below to confirm the alarm received on the switch:

On switch:

<HUAWEI> terminal debugging

<HUAWEI> terminal monitor

<HUAWEI> debugging snmp

Test and collect the information!

<HUAWEI> undo terminal debugging

<HUAWEI> undo terminal monitor

2) Confirmed whether 'ssh client first-time enable' was applied on the switch.

3) Back up the configuration of the S12700 device in eSight and report the result, checking whether the backup succeeds:

         Configuration → Configuration File Management → Config Files


4) Confirmed whether the Write, Read and Notify communities were configured on the switch.

5) Confirmed that the ping is working and that the backup is working through FTP. Both were working properly. Only SFTP didn't work.

6) Confirmed whether there was any firewall between eSight and the switch that could block the SFTP port (31922). The customer tested with the command 'telnet vpn-instance VPN-CDI x.x.4.222 31922' and the connection was successful.

7) Debugged the connection between eSight and the switch:
debugging tcp packet src-port 22 dest-ip x.x.32.10
debugging tcp packet src-ip x.x.32.10 dest-port 22
debugging ssh server all all


Root Cause

After debugging the TCP and SSH packets, we obtained the following output:

Aug 17 2017 15:11:34.948.4+02:00 DST HHS-WLC7001 SSH/7/KEX_MATCH:No matching cipher found (client=aes256-ctr, server=aes128-ctr,aes128-cbc,3des-cbc)!

The client (switch) used aes256-ctr and the server (eSight) used aes128-ctr, aes128-cbc and 3des-cbc. The algorithms of the client and server didn't match.

This is clearly visible in the switch configuration:

 ssh client cipher aes256_ctr

ssh client hmac sha2_256

ssh client key-exchange dh_group14_sha1

 

For eSight, the default algorithm is aes128-ctr. You can check your configuration on eSight.

 


Solution

After applying the 'ssh client cipher aes128_cbc aes128_ctr' command in the system view on the switch, we were able to back up the configuration on eSight using SFTP.
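
The mismatch and the fix above, replayed as an added example (not part of the original case or of Huawei's tooling): it parses the KEX_MATCH line, reads the 'ssh client cipher' list from a configuration, and applies the RFC 4253 rule that the first client cipher the server also lists is chosen. The function names are hypothetical, and the code assumes the switch offers its ciphers in the order they are configured.

```python
import re

# Debug line quoted in the Root Cause section of this page.
KEX_LOG = ("Aug 17 2017 15:11:34.948.4+02:00 DST HHS-WLC7001 SSH/7/KEX_MATCH:"
           "No matching cipher found (client=aes256-ctr, "
           "server=aes128-ctr,aes128-cbc,3des-cbc)!")
# Client settings before and after the fix, as shown on the page.
BEFORE = "ssh client cipher aes256_ctr\nssh client hmac sha2_256"
AFTER = "ssh client cipher aes128_cbc aes128_ctr\nssh client hmac sha2_256"

KEX_RE = re.compile(r"KEX_MATCH:No matching (\w+) found "
                    r"\(client=(.+?), server=([^)]+)\)")


def parse_kex_mismatch(line):
    """Return (kind, client_list, server_list) for a KEX_MATCH line, else None."""
    m = KEX_RE.search(line)
    if m is None:
        return None
    kind, client, server = m.groups()
    return kind, client.split(","), server.split(",")


def client_ciphers(config):
    """Ciphers from the 'ssh client cipher' line, in configured order.

    The CLI spells names with '_' where the debug output uses '-'.
    Assumption: the switch offers them in this same order.
    """
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ssh", "client", "cipher"]:
            return [w.replace("_", "-") for w in words[3:]]
    return []


def negotiate(client, server):
    """RFC 4253 section 7.1: first client algorithm the server also lists."""
    for alg in client:
        if alg in server:
            return alg
    return None  # no overlap: the session fails as in the log line above


if __name__ == "__main__":
    _, _, server = parse_kex_mismatch(KEX_LOG)
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        offered = client_ciphers(cfg)
        print(label, offered, "->", negotiate(offered, server))
```

Under that ordering assumption, the command from the Solution negotiates aes128-cbc because it is listed first; listing aes128_ctr first would select the CTR mode that eSight also offers.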
