07-20-2022 10:19 PM
Hi there,
I have a scheduled backup job running every night, which exports my Panorama config to a backup server, it is running for over a year now without any problem.
Yesterday I went over the config, changed the time and permitted the config.
This morning I saw that the backup failed due to missing ECDSA SSH key.
Failed exporting config bundle via ssh to 1x.xx.xx.xx. No ECDSA host key is known for 1x.xx.xx.xx ...Host key verification failed...lost connection
The test connection button on the backup schedule page asks if I want to add the key, system says it added the key but it seems to do nothing. Same message when I press the button again, same error message when the backup job runs again.
Im on Panorama version 10.2.2
Has anyone a hint how to fix or work around that issue?
07-21-2022 01:16 AM
I tried it two times but still the same error. SCP from CLI works, but the scheduled task still doesn't and is throughing the same error.
07-22-2022 02:07 AM
Is anyone using FTP for config export? I installed vsftpd on SLES, a standard ftp client can connect normally, the export job in Panorama cannot login - Login incorrect.
What a **bleep** mess....
07-22-2022 09:05 AM
I'm setting up a new Panorama system (version 10.2.2-h1) and I'm having the same issue. Can't get schedule config export working at all (either using FTP or SCP).
07-24-2022 09:43 PM - edited 07-24-2022 11:21 PM
Did you try the suggestion from ahandoo? I had no luck with it.
Did the update to 10.2.2-h1 during weekend but still the same situation, seems to be a bug. Is there any way to report this issue officially to Palo Alto Networks?
Is it possible to create the scheduled backup via CLI?
07-25-2022 01:44 PM
Yes I tried that, no dice. It seems like it isn't storing the host key at all. I'm not sure if you can make a scheduled backup from the CLI, but considering what I'm seeing I don't think that will help.
07-26-2022 01:45 AM
Hi @Netzer , @CKobelsky
Ideally, the device should update the ssh key in the known-hosts file after following the article. It is interesting to know that the CLI test work fine but the schedule for config export.
As it does not work, then the TAC may access the known-hosts file to check if there are any issue or if this is any Bug.
Have you tried reaching out to the TAC regarding this?
Regards,
07-26-2022 04:13 AM
The article commands react like this.
Looks good but it doesn't fix the problem with the scp export.
07-26-2022 05:22 AM
The only option what works for me is anonymous ftp.
07-26-2022 09:59 PM - edited 07-26-2022 10:01 PM
Same here, we checked the issue yesterday with our PA support partner and opened a case at PA. Hopefully it doesn't take that long to fix as the ACC IP issue...
In the meantime I'm using anonymous ftp together with a copy script which moves the backup file away, shi**y solution I know but better than nothing.
Keep you up2date
08-01-2022 08:57 AM
@Netzer Is there any way for you to DM me the PAN-TAC case# ? I'm having the same issue and would like to reference it when I open a ticket with them
08-01-2022 08:58 PM - edited 08-01-2022 09:03 PM
I have a TAC remote session today in the afternoon, I will let you know the result here. At the moment I have only the case number from my palo alto support partner but this is not the real PA case number. If they have no short workaround today and we have to way for a fix then I'll ask my partner to send me the PA case number and then I can give it to you.
08-02-2022 08:14 AM
I had a discussion with support last week which didn't accomplish anything (just made me run a few commands that I already messaged them about). They have the tech support bundle from my Panorama instance so we will see if they can find anything.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
