Stat pulling issues from US-8-150W #45
Comments
I think the root of the issue is Preprocessing failed for: {"mcaDumpError":"Error", "reason":"kex_exchange_identification: read: Connection reset by peer." } What happens if you run directly from the zabbixServer: /usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' '100.99.252.11' '-u' 'admin' '-i' '/.ssh/zabbix/zb_id_rsa' '-t' 'SWITCH_FEATURE_DISCOVERY' '-o' '20' ? |
I ran this command nearly a dozen+ times against both switches and the JSON string was returned every time. sudo -u zabbix /usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' '100.99.252.11' '-u' 'admin' '-i' '/.ssh/zabbix/zb_id_rsa' '-t' 'SWITCH_FEATURE_DISCOVERY' '-o' '20' |
.. and you are running this straight from the zabbix server, no zabbix proxy involved? |
and you said this was not a containerized zabbix, but just double checking.. |
Yes, correct, no zabbix proxy involved. Directly from zabbix-server. I have also run this from a container (k3s cluster) as well, which yielded the same results when I ran the zabbix-server docker image.
One of your very early releases works with no issues. That was back when you had all the macro variables in the template before moving them to the General section for global definitions. It was also back when you had the singular shell script for the mca dump.
|
So the mca-dump-short invocation you are issuing from the command line is I think exactly the same that the zabbix server issues when monitoring a device.. yet one fails. I don't think it's the switch model, I have a US-8-150W and it works fine. What's the exact value in {$UNIFI_CHECK_TIMEOUT} ? |
also what's the platform that the zabbix server is running on? |
NAME="Ubuntu"
Zabbix version: 6.0.4
Running a virtual machine sitting on top of vCenter/ESXi 7.0.3e
1266:20220604:150801.736 Failed to execute command "/usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' '100.99.252.11' '-u' 'admin' '-i' '/.ssh/zabbix/zb_id_rsa' '-t' 'SWITCH' '-p' '{$UNIFI_SSHPASS_PASSWORD_PATH}' '-o' '20'": Timeout while executing a shell script. |
So I did some more investigations into the templates themselves and for some reason these specific switches are not able to read the JSON Preprocessing: Preprocessing failed for: {"mcaDumpError":"Error", "reason":"kex_exchange_identification: Connection closed by remote host." }
Preprocessing failed for: {"mcaDumpError":"Error", "reason":"kex_exchange_identification: Connection closed by remote host." }
If I remove the JSON Preprocessing from the discovery rule in the template I can pull the data: POE Discovery: The previous version of your templates did not have this JSON Preprocessing check. It's strange because all of the other switches with temperature and POE can read the JSON data. For the switches that do not have POE I disable that discovery and for the switches that do not have a FAN I disable that discovery rule. |
Please try the latest commit - it changes mca-dump-short to the initial code path when -o is not explicitly specified and changes the switch templates to not use -o. Let's see if that unblocks it |
Ok one more try.. please update to the latest and set the {$UNIFI_VERBOSE_SSH} to "-vvv" it should cause SSH to output a whole lot of debug info in /tmp/ Let's see if we can get a clue.. |
Seems to be some type of key exchange issue? It's very strange because the Unifi controller has one SSH Fingerprint for all of my devices and it works on every other Unifi AP and switch (except the ones) from the automated interval shell script. I can manually invoke the switch discovery and switch feature discovery without issue: OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020 OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020 |
Just in the past few days, a new version of OpenSSH was released that removes default support for RSA keys (they are trying to deprecate them)
I wonder if this has something to do with it..
Maybe try to generate a new ‘modern’ key pair with say ECDSA and try to use it for that switch?
It’s probably a good thing anyway since RSA/SHA1 is now considered dangerous..
-P
… On Jun 6, 2022, at 6:09 PM, UntestedEngineer ***@***.***> wrote:
Seems to be some type of key exchange issue? It's very strange because the Unifi controller has one SSH Fingerprint for all of my devices and it works on every other Unifi AP and switch (except the ones) from the automated interval shell script. I can manually invoke the switch discovery and switch feature discovery without issue:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 100.99.252.10 is address
debug2: ssh_connect_direct
debug1: Connecting to 100.99.252.10 [100.99.252.10] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 4999 ms remain after connect
debug1: identity file /.ssh/zabbix/zb_id_rsa type 0
debug1: identity file /.ssh/zabbix/zb_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: no match: dropbear_2020.81
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 100.99.252.10:22 as 'admin'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ***@***.*** ***@***.***>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>
debug2: ciphers stoc: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>
debug2: MACs ctos: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: ***@***.*** ***@***.***>,zlib
debug2: compression stoc: ***@***.*** ***@***.***>,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ***@***.*** ***@***.******@***.*** ***@***.***>
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: ***@***.*** ***@***.***>,aes128-ctr,aes256-ctr
debug2: ciphers stoc: ***@***.*** ***@***.***>,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256
debug1: kex: server->client cipher: ***@***.*** ***@***.***> MAC: compression: none
debug1: kex: client->server cipher: ***@***.*** ***@***.***> MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 100.99.252.11 is address
debug2: ssh_connect_direct
debug1: Connecting to 100.99.252.11 [100.99.252.11] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 4999 ms remain after connect
debug1: identity file /.ssh/zabbix/zb_id_rsa type 0
debug1: identity file /.ssh/zabbix/zb_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: no match: dropbear_2020.81
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 100.99.252.11:22 as 'admin'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ***@***.*** ***@***.***>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>
debug2: ciphers stoc: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>
debug2: MACs ctos: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: ***@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.******@***.*** ***@***.***>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: ***@***.*** ***@***.***>,zlib
debug2: compression stoc: ***@***.*** ***@***.***>,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ***@***.*** ***@***.******@***.*** ***@***.***>
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: ***@***.*** ***@***.***>,aes128-ctr,aes256-ctr
debug2: ciphers stoc: ***@***.*** ***@***.***>,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256
debug1: kex: server->client cipher: ***@***.*** ***@***.***> MAC: compression: none
debug1: kex: client->server cipher: ***@***.*** ***@***.***> MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
|
That may sound great but unifi runs an older version of dropbear and only
supports rsa.
|
Swell.
Maybe compare this ssh -vvv output with what happens when you successfully invoke ssh with -vvv from the command line?
|
I have since run into other RSA related issues.. You might want to try the latest which now invokes ssh with -o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa |
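Added example (not part of the thread or of the project's mca-dump-short.sh): a small Python parser for `ssh -vvv` output of the kind quoted above. It reports how far the handshake got and whether the server's advertised host key algorithms actually call for the `HostKeyAlgorithms=+ssh-rsa` override. The sample logs and the names `summarize` and `needs_legacy_ssh_rsa` are constructed for illustration.

```python
import re

# Handshake markers printed by the OpenSSH client, in the order they occur.
STAGES = [
    ("Connection established", "tcp_connected"),
    ("Remote protocol version", "banner_received"),
    ("SSH2_MSG_KEXINIT received", "kexinit_exchanged"),
    ("kex: host key algorithm:", "algorithms_negotiated"),
    ("expecting SSH2_MSG_KEX_ECDH_REPLY", "waiting_for_kex_reply"),
    ("Server host key:", "host_key_received"),
    ("Authentication succeeded", "authenticated"),
]

# Constructed sample, abridged to the shape of the failing log quoted in the thread.
SAMPLE_STALLED = """\
debug1: Connection established.
debug3: timeout: 4999 ms remain after connect
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
"""

# The error string reported by the Zabbix preprocessing step in this thread.
SAMPLE_RESET = ('{"mcaDumpError":"Error", "reason":"kex_exchange_identification: '
                'read: Connection reset by peer." }')

# Constructed: a server that offers only RSA/SHA-1 host key signatures.
SAMPLE_SHA1_ONLY = """\
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
"""


def summarize(log_text):
    """Extract the handshake stage and host key algorithm lists from ssh -vvv output."""
    out = {"stage": "not_connected", "remote_software": None, "banner_error": None,
           "client_hostkey_algs": [], "server_hostkey_algs": [],
           "negotiated_hostkey": None}
    reached, side = -1, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate e-mail quoted logs
        for i, (marker, _name) in enumerate(STAGES):
            if marker in line:
                reached = max(reached, i)
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        m = re.search(r"remote software version (\S+)", line)
        if m:
            out["remote_software"] = m.group(1)
        m = re.match(r"debug2: host key algorithms: (\S+)", line)
        if m and side:
            out[side + "_hostkey_algs"] = m.group(1).split(",")
        m = re.match(r"debug1: kex: host key algorithm: (\S+)", line)
        if m:
            out["negotiated_hostkey"] = m.group(1)
        m = re.search(r'kex_exchange_identification: ([^"]+)', line)
        if m:
            out["banner_error"] = m.group(1).strip().rstrip(".")
    if reached >= 0:
        out["stage"] = STAGES[reached][1]
    # The connection died before the server's version banner arrived, so no
    # algorithm negotiation took place in that attempt.
    if out["banner_error"] and reached < 1:
        out["stage"] = "banner_failed"
    return out


def needs_legacy_ssh_rsa(summary):
    """True when the server advertises only 'ssh-rsa' (RSA with SHA-1) host key
    signatures, so a client with that algorithm disabled needs
    HostKeyAlgorithms=+ssh-rsa to verify the host key."""
    algs = summary["server_hostkey_algs"]
    return bool(algs) and set(algs) == {"ssh-rsa"}


if __name__ == "__main__":
    for name, log in [("stalled", SAMPLE_STALLED), ("reset", SAMPLE_RESET),
                      ("sha1-only", SAMPLE_SHA1_ONLY)]:
        s = summarize(log)
        print(name, s["stage"], s["negotiated_hostkey"], needs_legacy_ssh_rsa(s))
```

On the stalled sample the algorithms are already agreed (`rsa-sha2-256`) and the client is waiting for the server's key-exchange reply, which points at timing rather than at an algorithm mismatch.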
Hey all, I wanted to see if you guys had an update on this. I am seeing a similar issue on my end. |
@kenbshinn and this is with the latest version of mca-dump-short.sh? Can you run the same command zabbix issues from the command line from the zabbix server successfully? |
I just saw there is a newer version of mca-dump-short.sh. Let me pull that copy and I will give it a shot. |
I just tried it with the new version of mca-dump-short.sh and I am getting the same results as before. I am just getting power statistics, but no port information. It is weird since I have a UDMP SE and that seems to work fine. Let me know if there is anything else you want me to try. |
So the command I am running from the zabbix server is: sudo -u zabbix /usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' 'ip' '-u' 'user' '-i' '/zabbix/zabbix/zb_id_rsa' '-t' 'SWITCH_FEATURE_DISCOVERY' And that comes back with the statistics I mentioned earlier about power, temp, etc. I decided to change it from SWITCH_FEATURE_DISCOVERY to just SWITCH and I appear to be seeing port statistics in the read out, but when I tried to run SWITCH_FEATURE it appeared to have timed out. I then realized I took out the -o for the time out which I added back in after running it a few times is when I got the time out message and also a few of these: not sure if any of this helps |
Let’s start by creating /var/lib/zabbix/.ssh
Are you using an ssh key or a password to get to that switch?
-P
… On Jan 11, 2023, at 11:00 AM, Ken Shinn ***@***.***> wrote:
So the command I am running from the zabbix server is:
sudo -u zabbix /usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' 'ip' '-u' 'user' '-i' '/zabbix/zabbix/zb_id_rsa' '-t' 'SWITCH_FEATURE_DISCOVERY'
And that comes back with the statistics I mentioned earlier about power, temp, etc.
I decided to change it from SWITCH_FEATURE_DISCOVERY to just SWITCH and I appear to be seeing port statistics in the read out, but when I tried to run SWITCH_FEATURE it appeared to have timed out.
I then realized I took out the -o for the time out which I added back in after running it a few times is when I got the time out message and also a few of these:
{ "reason":"Error remote invoking mca-dump-short: Could not create directory /var/lib/zabbix/.ssh (No such file or directory).Failed to add the host to the list of known hosts (/var/lib/zabbix/.ssh/known_hosts).", "time":"Wed Jan 11 06:55:22 PM UTC 2023", "device":"ip", "mcaDumpError":"Error" }
not sure if any of this helps
|
I created the directory and that seems to be working fine. I am still seeing: |
Also I am using SSH key |
@patricegautier Question, I am relatively new to all this, but from looking at the mca-dump-short.sh file I noticed that on line 404 you have the connection timeout hard coded to 5. Does this supersede the Macro being set in Zabbix or when I am manually running the script and setting the -o option? |
it does.. have you tried upping it to see if it makes a difference.. Also take a look in /tmp/mcaDumpShort.err please.. |
I tried upping that value to 10 or 20, no noticeable change. Here is what I am seeing in /tmp/mcaDumpShort.err: Wed Jan 11 07:51:59 PM UTC 2023 192.168.1.50 Wed Jan 11 07:52:43 PM UTC 2023 192.168.1.50 Now please forgive me if I am off base here, but when I run the command from my Zabbix server without the -o I do not get the timeout message, but when I do, it appears that every 5th or 6th attempt times out for 3 or 4 attempts. What would happen, if we were to remove the -o timeout from being used on the devices I am having these issues on? |
you would just get a timeout in zabbix.. Let's try this: • in your zabbix server conf, usually /etc/zabbix/zabbix_server.conf add: TimeOut=30 and then in zabbix set a macro in Administration > General Macros: UNIFI_CHECK_TIMEOUT to 25 and let's see if that does it.. |
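Added example (not code from the project or from any commenter): a preflight check, meant to be run as the zabbix user, for the failure causes that surface in this thread: the missing /var/lib/zabbix/.ssh directory, the /usr/bin/expect error, key permissions, and a check timeout that is not below the server Timeout. The function names and the rule that the -o value must stay below Timeout are assumptions, the latter read from the 30/25 values suggested above.

```shell
#!/bin/sh
# Added example, not part of mca-dump-short.sh. Run as the zabbix user.

# Octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# ssh must be able to write known_hosts inside this directory.
check_ssh_dir() {
    [ -d "$1" ] && [ -w "$1" ] || { echo "FAIL ssh dir missing or not writable: $1"; return 1; }
}

# OpenSSH refuses private keys that are accessible to group or other.
check_key() {
    [ -r "$1" ] || { echo "FAIL key not readable: $1"; return 1; }
    m=$(mode_of "$1")
    [ $(( 0$m & 077 )) -eq 0 ] || { echo "FAIL key mode $m too open: $1"; return 1; }
}

# Print the server Timeout value, matched case-insensitively.
# If the line appears more than once this takes the last one (assumption).
server_timeout() {
    grep -iE '^[[:space:]]*Timeout[[:space:]]*=' "$1" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Assumed rule: the value passed to -o leaves headroom below the server Timeout.
check_timeouts() {
    t=$(server_timeout "$1")
    [ -n "$t" ] || { echo "FAIL no Timeout line in $1"; return 1; }
    [ "$2" -lt "$t" ] || { echo "FAIL check timeout $2 not below Timeout $t"; return 1; }
}

# preflight SSH_DIR KEY CONF CHECK_TIMEOUT [EXPECT_PATH]
preflight() {
    fails=0
    check_ssh_dir "$1" || fails=$((fails + 1))
    check_key "$2" || fails=$((fails + 1))
    check_timeouts "$3" "$4" || fails=$((fails + 1))
    # The script calls /usr/bin/expect (see the error quoted in the issue).
    [ -x "${5:-/usr/bin/expect}" ] || { echo "FAIL expect not found"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

# Stand-alone use, e.g.: sh preflight.sh /var/lib/zabbix/.ssh KEY_PATH /etc/zabbix/zabbix_server.conf 25
if [ $# -ge 4 ]; then preflight "$@"; fi
```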
@patricegautier that seems to have worked. I am still getting an error in the latest data section, but I am not seeing any errors in the zabbix log anymore and the Data appears to be populating. Thank you for your help with this! I really appreciate it. |
Great - so what's the error in the data section? |
Up until recently I have been using an older version of these templates and scripts. I think Version 1.0? This was back when there was the single mca-dump-short.sh file (and everything worked with no issues). I upgraded to the recent templates and shell scripts, however I appear to be having communication issues with model: US-8-150W. I upgraded to the recent templates because I have the intention of moving Zabbix into a K3s cluster and need the UNIFI_CHECK_TIMEOUT macro variable.
I have several APs and other US switches that have no issues pulling data. All of my Unifi devices run the latest firmware that is available (as of this posting). Controller is also running the latest official software available.
Zabbix version: 6.0.4 (Non-container)
I continuously observe the following message in zabbix_server.log related to both of my US-8-150W:
1236:20220603:123802.511 item "Basement AP Switch 2:mca-dump-short.sh["-d","{HOST.CONN}", "-u", "{$UNIFI_USER}", "-i", "{$UNIFI_SSH_PRIV_KEY_PATH}", "-t", "SWITCH", "-p", "{$UNIFI_SSHPASS_PASSWORD_PATH}", "-o", "{$UNIFI_CHECK_TIMEOUT}" ]" became not supported: Timeout while executing a shell script.
1263:20220603:123803.800 Failed to execute command "/usr/lib/zabbix/externalscripts/mca-dump-short.sh '-d' '100.99.252.11' '-u' 'admin' '-i' '/.ssh/zabbix/zb_id_rsa' '-t' 'SWITCH_FEATURE_DISCOVERY' '-p' '{$UNIFI_SSHPASS_PASSWORD_PATH}' '-o' '20'": Timeout while executing a shell script.
Under the discovery rules in the web front end for Unifi Switch I observe:
Preprocessing failed for: {"mcaDumpError":"Error", "reason":"kex_exchange_identification: read: Connection reset by peer." }
" }'
Preprocessing failed for: /usr/lib/zabbix/externalscripts/mca-dump-short.sh: line 108: /usr/bin/expect: No such file or dir...
{"mcaDumpError":"Error", "reason":"time out wit
Preprocessing failed for: {"mcaDumpError":"Error", "reason":"kex_exchange_identification: read: Connection reset by peer." }
" }'
I have increased my ZABBIX_TIMEOUT to 10 seconds in the zabbix_server.conf file and also increased the macro variable for UNIFI_CHECK_TIMEOUT to 20 with no difference in results.
Other US switches I have with no issues:
Other UAP I have with no issues:
-UAP-nanoHD
-UAP-HD
I have tried: removing the hosts and re-adding them, removed and unlinked the templates and imported the templates, re-copied the .sh files into the externalscripts directory.
I am sure the shell script has changed quite a bit since version 1.0 but only the US-8-150W devices are giving me these issues.