I upgraded one of our lab systems from ONTAP 8.2.4 to 8.2.5 (7-mode). Since that some of my scripts fail when doing "Invoke-NaSsh" against that system.
No idea why, I already regenerated SSH keys but error persists. It used to work with 8.2.4. And it's definitely not a credential issue.
PS C:\Users\mark> invoke-nassh -Name ucnlabfiler07 -Command date
invoke-nassh : An established connection was aborted by the software in your host machine. In Zeile:1 Zeichen:1 + invoke-nassh -Name ucnlabfiler07 -Command date + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidResult: (:) [Invoke-NaSsh], SshConnectionException + FullyQualifiedErrorId : SshExecFailed,DataONTAP.PowerShell.SDK.Cmdlets.Toolkit.Ssh.InvokeNaSsh
Any ideas? Does ONTAP reject the client's key length? How can I make it work again?
PS C:\Users\mark> invoke-nassh -Name ucnlabfiler07 -Command date invoke-nassh : An established connection was aborted by the software in your host machine. In Zeile:1 Zeichen:1 + invoke-nassh -Name ucnlabfiler07 -Command date + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidResult: (:) [Invoke-NaSsh], SshConnectionException + FullyQualifiedErrorId : SshExecFailed,DataONTAP.PowerShell.SDK.Cmdlets.Toolkit.Ssh.InvokeNaSsh
As you see the connection to ONTAPI works, but gets teared down when using SSH with the PSTK.
PuTTy works. OpenSSH clients work. Invoke-NaSSh does not longer work. But works with other systems including cDOT (or even third-party SSH servers), even when not connected to a NaController.
Toolkit version is 4.4.0. Can anyone check if invoke-nassh works with DOT 8.2.5?
Any hints? I suspect some new security related "feature" of ONTAP's sshd that blocks the connection request. Does anyone know what SSH client (wrapper) is embedded in the PSTK?
I think I found it. On 8.2.5 you have options for tls. Per default they are off. You have to enable tls.enable for connecting to the controller via https. Then invoke-nassh will work also. This is new in Ontap 8.2.5.
I also tried the newest toolkit on another w2k12R2 Server with powershell 5. Same issue. So I think it is Ontap 8.2.5. Without a solution for the issue we will have to stick with 8.2.4. Anybody an idea how this could be solved?
I noticed the same issue in my lab on an old 7-Mode simulator (Invoke-NsSsh failed).
The fix (in my environment) was to re-run secureadmin (ensuring the key length is set to 2048):
TESTNS01> secureadmin setup -f ssl
Country Name (2 letter code) [US]: AU
State or Province Name (full name) [California]: NSW
Locality Name (city, town, etc.) [Santa Clara]: Sydney
Organization Name (company) [Your Company]: NetApp
Organization Unit Name (division): NetApp
Common Name (fully qualified domain name) [TESTNS01.testlab.local]:
Administrator email: firstname.lastname@example.org
Days until expires  :3650
Key length (bits)  :2048
Tue Sep 5 10:20:38 AEST [TESTNS01:secureadmin.ssl.setup.success:info]: Restarting SSL with new certificate.
PS C:\> Invoke-NaSsh -Name testns01.testlab.local -Command version -Credential $credential NetApp Release 8.2.3 7-Mode: Thu Jan 15 21:30:45 PST 2015
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
The issue is getting worse. We have several workflows in WFA that don't work anymore because we are using invoke-nassh for a lot of workaround where there's no native cmdlet. So please if somebody of PSTK development looks into this, how can we workaround or solve this issue? To stay below 8.2.5 is not an option.