Asset ID: 1-72-2332984.1
Update Date: 2018-02-22
Solution Type: Problem Resolution Sure Solution
2332984.1: IB Switch Upgrade Failed due to incompatible ciphers
Related Categories: PLA-Support>Sun Systems>SAND>Network>SN-SND: Sun Network Infiniband
Created from <SR 3-16153048650>
Applies to:
Exadata X3-2 Half Rack - Version All Versions and later
Information in this document applies to any platform.
Symptoms
Patching the InfiniBand switch using sftp or scp fails, even though scp/sftp works fine from the IB switch Linux shell.
# patchmgr -ibswitches -upgrade -force
and
-> load -source sftp://root:welcome1@ex01dbadm01/u01/patches/CELL/patch_12.2.1.1.2.170714/sundcs_36p_repository_upgrade_2.1_to_2.2.6_2.pkg
Downloading firmware image. This will take a few minutes.
Error: Failed initialization
Firmware image update failed.
load: Command Failed
->
Changes
Cause
The host supplying the .pkg file for the switch firmware upgrade does not offer any SSH cipher that the switch supports.
On the host serving the .pkg file for the IB switch firmware upgrade, check /var/log/secure for the following:
Oct 13 19:42:20 ex01dbadm01 sshd[58607]: Connection from 10.10.8.57 port 56610
Oct 13 19:42:20 ex01dbadm01 sshd[58608]: fatal: no matching cipher found: client aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour,cast128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Oct 13 19:42:43 ex01dbadm01 sshd[59031]: Set /proc/self/oom_score_adj to 0
Oct 13 19:42:43 ex01dbadm01 sshd[59031]: Connection from 10.10.8.57 port 56625
Oct 13 19:42:43 ex01dbadm01 sshd[59032]: fatal: no matching cipher found: client aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour,cast128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Oct 13 19:43:16 ex01dbadm01 sshd[62900]: Set /proc/self/oom_score_adj to 0
Oct 13 19:43:16 ex01dbadm01 sshd[62900]: Connection from 10.10.8.57 port 56647
The switch ILOM supports the following ciphers:
aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour,cast128-cbc,3des-cbc
The server supports only the following ciphers:
aes128-ctr,aes192-ctr,aes256-ctr
The two lists have no cipher in common, so the SSH connection cannot be negotiated. A compatible cipher is required.
Solution
Temporarily add arcfour to the list of supported ciphers in /etc/ssh/sshd_config on the host serving the .pkg file.
Change the Ciphers line as shown:
< Ciphers aes128-ctr,aes192-ctr,aes256-ctr
---
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour
Restart the sshd service, then retry the upgrade. Both patchmgr and load will work fine.
# service sshd restart
Once the switch is patched, remove the arcfour cipher from /etc/ssh/sshd_config on the .pkg host and restart the sshd service.
# service sshd restart
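A check for the steps above, as an added example that is not part of the original note or of Oracle tooling: it reads the "no matching cipher found" line from /var/log/secure to confirm that the switch and the host share no cipher, then confirms after the upgrade that the Ciphers line is back to its baseline. The function names and the two sshd_config sample texts are assumptions constructed here, and it expects an explicit comma-separated Ciphers list.

```python
import re

# Ciphers line from the page before the temporary change (the baseline to return to).
BASELINE = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

MISMATCH = re.compile(
    r"sshd\[\d+\]: fatal: no matching cipher found: client (\S+) server (\S+)")
CIPHERS_LINE = re.compile(r"^\s*ciphers[\s=]+(\S+)", re.IGNORECASE)

def parse_mismatches(log_text):
    """Return (client_offer, server_offer, common) for each failed negotiation."""
    results = []
    for m in MISMATCH.finditer(log_text):
        client, server = m.group(1).split(","), m.group(2).split(",")
        results.append((client, server, [c for c in client if c in server]))
    return results

def effective_ciphers(config_text):
    """sshd uses the first Ciphers value it reads; comment lines never match."""
    for line in config_text.splitlines():
        m = CIPHERS_LINE.match(line)
        if m:
            return m.group(1).split(",")
    raise ValueError("no Ciphers line: sshd is using its built-in defaults")

def leftover_ciphers(config_text, baseline=BASELINE):
    """Ciphers still enabled that are not part of the baseline."""
    return [c for c in effective_ciphers(config_text) if c not in baseline]

# Log line as shown on the page; the two config texts are constructed samples.
SAMPLE_LOG = ("Oct 13 19:42:20 ex01dbadm01 sshd[58608]: fatal: no matching cipher "
              "found: client aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,"
              "aes128-cbc,blowfish-cbc,arcfour,cast128-cbc,3des-cbc "
              "server aes128-ctr,aes192-ctr,aes256-ctr\n")
DURING_UPGRADE = "#Ciphers old\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour\n"
AFTER_CLEANUP = "Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"

if __name__ == "__main__":
    for client, server, common in parse_mismatches(SAMPLE_LOG):
        print("common ciphers:", common or "none", "| switch offers:", client)
    for name, cfg in (("during", DURING_UPGRADE), ("after", AFTER_CLEANUP)):
        print(name, "-> not in baseline:", leftover_ciphers(cfg) or "none")
```

Run against the real /etc/ssh/sshd_config after the final restart, a non-empty result from leftover_ciphers means the temporary cipher is still enabled.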
INTERNAL NOTE:
There is at least one third-party application that can automatically remove the changes made to the sshd_config file and restart sshd during the patching process:
https://cfengine.com/
Feb 21 14:07:10 db02 [259390]: CFEngine(agent) Executing 'no timeout' ... '/etc/init.d/sshd restart'
Feb 21 14:07:10 db02 sshd[237300]: Received signal 15; terminating.
Feb 21 14:07:10 db02 sshd[261095]: Set /proc/self/oom_score_adj from 0 to -1000
Feb 21 14:07:10 db02 sshd[261095]: Server listening on 192.168.10.4 port 22.
Feb 21 14:07:10 db02 sshd[261095]: Server listening on 192.168.10.3 port 22.
Feb 21 14:07:10 db02 sshd[261095]: Server listening on 10.91.157.71 port 22.
Feb 21 14:07:10 db02 sshd[261095]: Server listening on 127.0.0.1 port 22.
Feb 21 14:07:10 db02 [259390]: CFEngine(agent) Completed execution of '/etc/init.d/sshd restart'
This application will need to be modified or stopped to get past this issue.