#1
Hello, hopefully I am posting to the right spot.
I just installed the latest SecureFX 7.3 beta 2 and am attempting to use SCP to upload a new .bin file to my Cisco 1861 router. Logging in worked, seeing the flash worked, deleting the existing bin file worked. However, when uploading I get an error.

Here is some of the log:

i Transfer(00000001): Using protocol SSH2
i Transfer(00000001): RECV : Remote Identifier = 'SSH-2.0-Cisco-1.25'
i Transfer(00000001): CAP : Remote can re-key
i Transfer(00000001): CAP : Remote sends language in password change requests
i Transfer(00000001): CAP : Remote sends algorithm name in PK_OK packets
i Transfer(00000001): CAP : Remote sends algorithm name in public key packets
i Transfer(00000001): CAP : Remote sends algorithm name in signatures
i Transfer(00000001): CAP : Remote sends error text in open failure packets
i Transfer(00000001): CAP : Remote sends name in service accept packets
i Transfer(00000001): CAP : Remote includes port number in x11 open packets
i Transfer(00000001): CAP : Remote uses 160 bit keys for SHA1 MAC
i Transfer(00000001): CAP : Remote supports new diffie-hellman group exchange messages
i Transfer(00000001): CAP : Remote correctly handles unknown SFTP extensions
i Transfer(00000001): CAP : Remote correctly encodes OID for gssapi
i Transfer(00000001): CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
i Transfer(00000001): CAP : Remote can do SFTP version 4
i Transfer(00000001): CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
i Transfer(00000001): CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
i Transfer(00000001): CAP : Remote correctly handles zlib@openssh.com
i Transfer(00000001): SSPI : Requesting full delegation
i Transfer(00000001): SSPI : [Kerberos] SPN : host@
i Transfer(00000001): SSPI : [Kerberos] InitializeSecurityContext() failed.
i Transfer(00000001): SSPI : [Kerberos] The specified target is unknown or unreachable
i Transfer(00000001): SSPI : [Kerberos] Disabling gss mechanism
i Transfer(00000001): GSS : Requesting full delegation
i Transfer(00000001): GSS : [Kerberos] SPN : host@
i Transfer(00000001): GSS : [Kerberos] InitializeSecurityContext() failed.
i Transfer(00000001): GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
i Transfer(00000001): GSS : [Kerberos] Disabling gss mechanism
i Transfer(00000001): GSS : [Kerberos] Disabling gss mechanism
i Transfer(00000001): The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
i Transfer(00000001): SSPI : Requesting full delegation
i Transfer(00000001): SSPI : [Kerberos (Group Exchange)] SPN : host@
i Transfer(00000001): SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
i Transfer(00000001): SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
i Transfer(00000001): SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000001): GSS : Requesting full delegation
i Transfer(00000001): GSS : [Kerberos (Group Exchange)] SPN : host@
i Transfer(00000001): GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
i Transfer(00000001): GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
i Transfer(00000001): GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000001): GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000001): The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
i Transfer(00000001): SEND : KEXINIT
i Transfer(00000001): RECV : Read kexinit
i Transfer(00000001): Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
i Transfer(00000001): Selected Kex Method = diffie-hellman-group14-sha1
i Transfer(00000001): Available Remote Host Key Algos = ssh-rsa
i Transfer(00000001): Selected Host Key Algo = ssh-rsa
i Transfer(00000001): Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
i Transfer(00000001): Selected Send Cipher = aes256-cbc
i Transfer(00000001): Available Remote Recv Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
i Transfer(00000001): Selected Recv Cipher = aes256-cbc
i Transfer(00000001): Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
i Transfer(00000001): Selected Send Mac = hmac-sha1
i Transfer(00000001): Available Remote Recv Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
i Transfer(00000001): Selected Recv Mac = hmac-sha1
i Transfer(00000001): Available Remote Compressors = none
i Transfer(00000001): Selected Compressor = none
i Transfer(00000001): Available Remote Decompressors = none
i Transfer(00000001): Selected Decompressor = none
i Transfer(00000001): Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
i Transfer(00000001): SEND : KEXDH_INIT
i Transfer(00000001): RECV : KEXDH_REPLY
i Transfer(00000001): Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
i Transfer(00000001): RECV: Remote Hostkey (SHA-1 hash):
i Transfer(00000001): RECV: Remote Hostkey (MD5 hash):
i Transfer(00000001): SEND : NEWKEYS
i Transfer(00000001): Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
i Transfer(00000001): RECV : NEWKEYS
i Transfer(00000001): Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
i Transfer(00000001): SEND: SERVICE_REQUEST[ssh-userauth]
i Transfer(00000001): RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
i Transfer(00000001): SENT : USERAUTH_REQUEST [none]
i Transfer(00000001): RECV : USERAUTH_FAILURE, continuations [keyboard-interactive,password]
i Transfer(00000001): SENT : USERAUTH_REQUEST [password]
i Transfer(00000001): RECV : AUTH_SUCCESS
i Transfer(00000001): SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
i Transfer(00000001): SEND[0]: exec request: scp -t flash:/c1861-advipservicesk9-mz.124-24.GC5.bin
i Transfer(00000001): RECV[0]: exec request succeeded
i Transfer(00000001): File c1861-advipservicesk9-mz.124-24.GC5.bin could not be opened by server: Administratively disabled.//
i Transfer(00000001): SUMMARY: Attempted to transfer 1 files.
i Transfer(00000001): SUMMARY: Transferred 0 files successfully.
i Transfer(00000001): SUMMARY: c1861-advipservicesk9-mz.124-24.GC5.bin: Unable to open destination file.
i SEND[0]: cd flash:/
i RECV[0]: sgcc-dallas-vg#cd flash:/
i SEND[0]: pwd
i RECV[0]: remote process exit-status: 0
i RECV[0]: channel eof
i SEND[0]: SSH_MSG_CHANNEL_EOF
i RECV: TCP/IP close
i Changing state from STATE_CONNECTION to STATE_CLOSED
i Connected for 0 seconds, 1464 bytes sent, 1407 bytes received
i Resolved RealPath: flash:/
i RECV[0]: sgcc-dallas-vg#pwd
i RECV[0]: flash:/

I had to resort to TFTP, which is crawling along right now. I look forward to making this work as I have 6 other routers, and this is much easier than using TFTP. Thanks!
#2
Hi jgolden73,
The log file line below seems to indicate that the SCP server on the Cisco device is not allowing file uploads.

i Transfer(00000001): File c1861-advipservicesk9-mz.124-24.GC5.bin could not be opened by server: Administratively disabled.//

Are you able to successfully transfer a file to this device using a different SCP client? I don't see that enable mode is being entered. Perhaps the permissions are not sufficient. Have you configured the Cisco device to automatically elevate permissions?
#3
SCP setup
Thanks Todd!
Nope, I can't say I have made any configuration for SCP on the router itself. This type of transfer is new for me. Maybe I need to specify it on the VTY line? I also do not have auto elevation. I thought I would be prompted. When I initially connect I get prompted, and I did click to save it thinking that would work. But during the transfer it also looked to me that the server is asking for auth, but not getting anything, and I never get prompted.
#4
Hi jgolden73,
You are welcome. I think you may be on the right track. It is important to note that a remote execute operation can't be elevated like a shell connection. You would need to make the configuration changes necessary to the Cisco device to allow the SCP operation to be automatically enabled. I have been told that you do need to modify the vty line and possibly other options as well. Since I am not familiar with the settings or your organization's security policy, I would suggest researching the settings to see how it might be configured to meet your needs.
#5
Need more help please
I am still running into trouble. I have enabled Priv 15 on login. So logging in via ssh automatically puts you in privilege mode. I have also enabled the scp server on the router. However, I still get the same error when I attempt to transfer a file.

Log:

i Transfer(00000002): SEND[0]: cd flash:/
i Transfer(00000002): RECV[0]: sgcc-dallas-vg#cd flash:/
i Transfer(00000002): SEND[0]: pwd
i Transfer(00000002): RECV[0]: sgcc-dallas-vg#pwd
i Transfer(00000002): Resolved RealPath: flash:/
i Transfer(00000002): RECV[0]: flash:/
i Transfer(00000002): SEND[0]: dir flash:/test.txt
i Transfer(00000002): RECV[0]: sgcc-dallas-vg#dir flash:/test.txt
i Transfer(00000002): RECV[0]: %Error opening flash:/test.txt (File not found)
i Transfer(00000002): Opening file 'test.txt' for upload as 'test.txt'. (ASCII)
i Transfer(00000002): SSH2Core version 7.3.0.611
i Transfer(00000002): Connecting to 63.151.232.2:22 ...
i Transfer(00000002): Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
i Transfer(00000002): Using protocol SSH2
i Transfer(00000002): RECV : Remote Identifier = 'SSH-2.0-Cisco-1.25'
i Transfer(00000002): CAP : Remote can re-key
i Transfer(00000002): CAP : Remote sends language in password change requests
i Transfer(00000002): CAP : Remote sends algorithm name in PK_OK packets
i Transfer(00000002): CAP : Remote sends algorithm name in public key packets
i Transfer(00000002): CAP : Remote sends algorithm name in signatures
i Transfer(00000002): CAP : Remote sends error text in open failure packets
i Transfer(00000002): CAP : Remote sends name in service accept packets
i Transfer(00000002): CAP : Remote includes port number in x11 open packets
i Transfer(00000002): CAP : Remote uses 160 bit keys for SHA1 MAC
i Transfer(00000002): CAP : Remote supports new diffie-hellman group exchange messages
i Transfer(00000002): CAP : Remote correctly handles unknown SFTP extensions
i Transfer(00000002): CAP : Remote correctly encodes OID for gssapi
i Transfer(00000002): CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
i Transfer(00000002): CAP : Remote can do SFTP version 4
i Transfer(00000002): CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
i Transfer(00000002): CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
i Transfer(00000002): CAP : Remote correctly handles zlib@openssh.com
i Transfer(00000002): SSPI : Requesting full delegation
i Transfer(00000002): SSPI : [Kerberos] SPN : host@63.151.232.2
i Transfer(00000002): SSPI : [Kerberos] InitializeSecurityContext() failed.
i Transfer(00000002): SSPI : [Kerberos] The specified target is unknown or unreachable
i Transfer(00000002): SSPI : [Kerberos] Disabling gss mechanism
i Transfer(00000002): GSS : Requesting full delegation
i Transfer(00000002): GSS : [Kerberos] SPN : host@63.151.232.2
i Transfer(00000002): GSS : [Kerberos] InitializeSecurityContext() failed.
i Transfer(00000002): GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
i Transfer(00000002): GSS : [Kerberos] Disabling gss mechanism
i Transfer(00000002): GSS : [Kerberos] Disabling gss mechanism
i Transfer(00000002): The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
i Transfer(00000002): SSPI : Requesting full delegation
i Transfer(00000002): SSPI : [Kerberos (Group Exchange)] SPN : host@63.151.232.2
i Transfer(00000002): SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
i Transfer(00000002): SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
i Transfer(00000002): SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000002): GSS : Requesting full delegation
i Transfer(00000002): GSS : [Kerberos (Group Exchange)] SPN : host@63.151.232.2
i Transfer(00000002): GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
i Transfer(00000002): GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
i Transfer(00000002): GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000002): GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
i Transfer(00000002): The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
i Transfer(00000002): SEND : KEXINIT
i Transfer(00000002): RECV : Read kexinit
i Transfer(00000002): Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
i Transfer(00000002): Selected Kex Method = diffie-hellman-group14-sha1
i Transfer(00000002): Available Remote Host Key Algos = ssh-rsa
i Transfer(00000002): Selected Host Key Algo = ssh-rsa
i Transfer(00000002): Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
i Transfer(00000002): Selected Send Cipher = aes256-cbc
i Transfer(00000002): Available Remote Recv Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
i Transfer(00000002): Selected Recv Cipher = aes256-cbc
i Transfer(00000002): Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
i Transfer(00000002): Selected Send Mac = hmac-sha1
i Transfer(00000002): Available Remote Recv Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
i Transfer(00000002): Selected Recv Mac = hmac-sha1
i Transfer(00000002): Available Remote Compressors = none
i Transfer(00000002): Selected Compressor = none
i Transfer(00000002): Available Remote Decompressors = none
i Transfer(00000002): Selected Decompressor = none
i Transfer(00000002): Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
i Transfer(00000002): SEND : KEXDH_INIT
i Transfer(00000002): RECV : KEXDH_REPLY
i Transfer(00000002): Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
i Transfer(00000002): RECV: Remote Hostkey (SHA-1 hash): e6:45:aa:49:7b:e9:c6:3d:21:fb:f7:69:10:99:ca:23:17:45:c7:94
i Transfer(00000002): RECV: Remote Hostkey (MD5 hash): e3:c0:04:fe:7a:00:24:a2:e8:8d:d2:28:b3:49:61:ac
i Transfer(00000002): SEND : NEWKEYS
i Transfer(00000002): Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
i Transfer(00000002): RECV : NEWKEYS
i Transfer(00000002): Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
i Transfer(00000002): SEND: SERVICE_REQUEST[ssh-userauth]
i Transfer(00000002): RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
i Transfer(00000002): SENT : USERAUTH_REQUEST [none]
i Transfer(00000002): RECV : USERAUTH_FAILURE, continuations [keyboard-interactive,password]
i Transfer(00000002): SENT : USERAUTH_REQUEST [password]
i Transfer(00000002): RECV : AUTH_SUCCESS
i Transfer(00000002): SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
i Transfer(00000002): SEND[0]: exec request: scp -t flash:/test.txt
i Transfer(00000002): RECV[0]: exec request succeeded
i Transfer(00000002): File test.txt could not be opened by server: Privilege denied.//
i Transfer(00000002): SUMMARY: Attempted to transfer 1 files.
i Transfer(00000002): SUMMARY: Transferred 0 files successfully.
i Transfer(00000002): SUMMARY: test.txt: Unable to open destination file.
i SEND[0]: cd flash:/
i RECV[0]: sgcc-dallas-vg#cd flash:/
i SEND[0]: pwd
i RECV[0]: remote process exit-status: 0
i RECV[0]: channel eof
i SEND[0]: SSH_MSG_CHANNEL_EOF
i RECV: TCP/IP close
i Changing state from STATE_CONNECTION to STATE_CLOSED
i Connected for 0 seconds, 1448 bytes sent, 1407 bytes received
i RECV[0]: sgcc-dallas-vg#pwd
i Resolved RealPath: flash:/
i RECV[0]: flash:/
i SEND[0]: cd flash:/
i RECV[0]: sgcc-dallas-vg#cd flash:/
i Opened directory: flash:/
i SEND[0]: cd flash:/
i RECV[0]: sgcc-dallas-vg#cd flash:/
i SEND[0]: dir flash:/
i RECV[0]: sgcc-dallas-vg#dir flash:/
< ---------- 40731728 Wed 27-Aug-2014 16:07:28 c1861-advipservicesk9-mz.124-24.GC5.bin (S)
< ---------- 720 Wed 09-Dec-2009 10:08:12 vlan.dat (S)
< ---------- 269388 Mon 27-May-2013 12:08:48 crashinfo_20130527-170848 (S)
i RECV[0]: Directory of flash:/
i RECV[0]: 1 -rw- 40731728 Aug 27 2014 16:07:28 -05:00 c1861-advipservicesk9-mz.124-24.GC5.bin
i RECV[0]: 2 -rw- 720 Dec 9 2009 10:08:12 -06:00 vlan.dat
i RECV[0]: 3 -rw- 269388 May 27 2013 12:08:48 -05:00 crashinfo_20130527-170848

Thanks for any help you can lend.
#6
I thought I would pass on what I discovered. I don't know if everything I have done so far is needed (i.e. giving level 15 priv on login), but SSH was correctly configured, but you also need to set up a different login mechanism. See here for the Cisco Guide. I followed the section on setup for local authentication and it worked like a charm. We already used local authentication but were not using the "aaa" login/access control mechanism. That was the key. It also explains all this in more depth in the article.
http://www.cisco.com/en/US/docs/ios-...cure-copy.html
Hope this is helpful to others. Thanks!
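The setup post #6 describes, written out as an added example (it is not from the thread and not taken from the poster's router). It uses the local-authentication commands from Cisco's Secure Copy guide; the username `scpadmin`, the secret placeholder and the `line vty 0 4` range are assumptions.

```cisco
! Added example: IOS SCP server with local AAA. Enter from "configure terminal".
!
! Local account the transfer will log in as (hypothetical name). Privilege 15
! is what the thread used; "secret" stores a hashed password.
username scpadmin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
! Turn on AAA. The SCP server relies on AAA authorization to learn the user's
! privilege level, because an SSH exec request ("scp -t flash:/...") cannot
! be elevated with "enable" the way an interactive shell can.
aaa new-model
!
! Authenticate logins against the local user database.
aaa authentication login default local
!
! Authorize the exec session locally so the account's privilege level applies
! to the SCP request. In the thread, the error seen before AAA was configured
! was "Privilege denied".
aaa authorization exec default local
!
! Enable the SCP server. In the thread, the error seen before this step was
! "Administratively disabled".
ip scp server enable
!
! Accept only SSH on the vty lines (range is an assumption).
line vty 0 4
 transport input ssh
end
```

Create the local user before `aaa new-model`, because enabling AAA immediately changes how every line authenticates; keep the current session open and confirm a fresh SSH login works before closing it.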
#7
Hi jgolden73,
Thanks for posting the location of the Cisco documentation that outlines what needs to be configured. I suspect that this will help others in the future, and it helped me have a better understanding of the process.
Tags: 7.2, beta 2, cisco, upload