Cisco Bug: CSCvu30830 - NGIPS sensor SSH broken due to bad CiscoSSH keyword in sshd_config file

Last Modified

Jun 18, 2020

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.2.3.15 6.3.0.5 6.4.0.4

Description (partial)

Symptom:
SSH access to NGIPS sensors may be blocked after upgrading to 6.3.0 or 6.4.0 releases from 6.2.3.15+ or 6.3.0.5+. Affected NGIPS sensor types include FP7000, FP7100, FP8100, FP8200, FP8300 and NGIPSv. This only happens for customers using AC Policies that have updated the SSH configuration profile.

On the console, messages similar to the following will be displayed:
System is booting up ...
Command [/etc/init.d/sshd restart] failed:
/etc/ssh/sshd_config: line 23: Bad configuration option: CiscoSSHCommonCriteriaMode
/etc/ssh/sshd_config: line 37: Bad configuration option: CiscoSSHFipsMode
/etc/ssh/sshd_config: terminating, 2 bad configuration options

Conditions:
SSH access is only blocked for NGIPS sensors that have been upgraded to 6.3.0 or 6.4.0 releases from 6.2.3.15+ or 6.3.0.5+ and use an AC Policy that updates the SSH configuration profile. The NGIPS sensor types include the FP7000, FP7100, FP8100, FP8200, FP8300, and NGIPSv sensors.