
Scheduled backup export


L2 Linker

Hi there,

 

I have a scheduled backup job running every night, which exports my Panorama config to a backup server. It has been running for over a year now without any problem.

 

Yesterday I went over the config, changed the time and permitted the config.

This morning I saw that the backup failed due to missing ECDSA SSH key.

 

Failed exporting config bundle via ssh to 1x.xx.xx.xx. No ECDSA host key is known for 1x.xx.xx.xx ...Host key verification failed...lost connection

 

The test connection button on the backup schedule page asks if I want to add the key, system says it added the key but it seems to do nothing. Same message when I press the button again, same error message when the backup job runs again.

 

I'm on Panorama version 10.2.2

 

Has anyone a hint how to fix or work around that issue?

40 REPLIES

We could fix the problem temporarily yesterday during our support session. The TAC guy logged in via root to Panorama. Then a simple ssh [user]@[backup-server-ip] was all that was needed. The SSH key got saved and the web GUI scheduled export function was working again.

 

They are going to check the issue and hopefully it will be fixed soon.

Just got the info from my support partner that the issue has been analyzed by PA and will be fixed in Version 10.2.3; the release date is planned for next month.

L2 Linker

@PaulMarroquin my system is not in FIPS mode. I did get "confirmation" from the Palo Alto tech as well that it is a glitch and it will be fixed in the next version (whether it was actually confirmation or just took this thread at its word I'm not sure).

L1 Bithead

Hi all,

 

Today I upgraded to version 10.2.3 and the problem with Scheduled Config Export via SCP still appears. Has anybody upgraded to 10.2.3 and also obtained the same results?

L2 Linker

@Pablo-Molina @Netzer @PaulMarroquin @ahandoo I just upgraded to 10.2.3 on Panorama and this issue is still there.  The release notes didn't seem to mention this problem either.

L0 Member

@CKobelsky Got an update from PA Support stating that this will be fixed in 10.2.4 which is going to be released in February 2023.

L2 Linker

So has this issue been fixed yet, as I too am having this issue? I have installed the RSA key over and over to no avail and still the scheduled export is failing. What is the fix please?

L2 Linker

Incidentally I am running PAN-OS 10.2.3!!

 

The fix was done by the PA support, they got root access and opened a ssh connection to the backup server. Key came up -> yes

 

Open a case, you cannot fix it by yourself.

 

 

Mmmm not going to work as they can't have ssh connection into my client devices. Since when did vendors think it's OK to take root access away from competent engineers with years of experience and hand over to them to jump all over client devices? At least Checkpoint don't do this.

Palo Alto need to provide a fix in the next Patch level of 10.2.4 in my opinion!

Thanks for responding anyway!

L1 Bithead

Just wanted to confirm that having PA TAC remotely access Panorama as root and add the host key to known_hosts does work. There must be a permissions issue introduced at some point. 
10.2.4 is supposed to address this issue, coming out this month.
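
As an added illustration (not part of any post in this thread, and not Palo Alto code): a sketch of the known_hosts lookup an OpenSSH-style client performs under strict checking, showing when the "No ECDSA host key is known" failure quoted in the opening post arises, and the fingerprint that whoever answers "yes" at the prompt should compare. The host address, key material and function names are constructed for the example; wildcard host patterns are not handled.

```python
import base64, hashlib, hmac, struct

def fake_key(key_type: str, body: bytes) -> str:
    """Constructed stand-in for a public key blob (not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), body))
    return base64.b64encode(blob).decode()

def hashed_name(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style |1|salt|hmac-sha1 host field."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh prints at the accept prompt."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field: str, host: str) -> bool:
    """Plain comma-separated names or a hashed entry; wildcards are not handled."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """'ok', 'changed', or 'unknown' (the 'No ... host key is known' case)."""
    result = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments, @cert-authority / @revoked markers
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if fields[2] == key_b64:
            return "ok"
        result = "changed"
    return result

# Constructed sample data: documentation address, fake key material.
HOST = "192.0.2.10"
ECDSA = fake_key("ecdsa-sha2-nistp256", b"constructed-ecdsa")
RSA = fake_key("ssh-rsa", b"constructed-rsa")
ONLY_RSA = "%s ssh-rsa %s\n" % (HOST, RSA)
WITH_ECDSA = ONLY_RSA + "%s ecdsa-sha2-nistp256 %s\n" % (hashed_name(HOST, b"saltsaltsaltsaltsalt"), ECDSA)

if __name__ == "__main__":
    print(check_host_key(ONLY_RSA, HOST, "ecdsa-sha2-nistp256", ECDSA))    # unknown
    print(check_host_key(WITH_ECDSA, HOST, "ecdsa-sha2-nistp256", ECDSA))  # ok
    print(fingerprint(ECDSA))
```

On the backup server, `ssh-keygen -lf` run against the server's ECDSA host public key file (typically `/etc/ssh/ssh_host_ecdsa_key.pub`) prints the fingerprint to compare with the one shown at the accept prompt.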

L1 Bithead

10.2.4 is out now, I can't see a fix directly mentioned in the release notes: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-4-known-and-addressed...

Anybody already upgraded and tested if it is indeed fixed?

Hi,

 

10.2.4 solved this issue. I can confirm it.
