07-20-2022 10:19 PM
I have a scheduled backup job running every night, which exports my Panorama config to a backup server. It has been running for over a year now without any problem.
Yesterday I went over the config, changed the time and permitted the config.
This morning I saw that the backup failed due to a missing ECDSA SSH key.
Failed exporting config bundle via ssh to 1x.xx.xx.xx. No ECDSA host key is known for 1x.xx.xx.xx ...Host key verification failed...lost connection
The test connection button on the backup schedule page asks if I want to add the key, system says it added the key but it seems to do nothing. Same message when I press the button again, same error message when the backup job runs again.
I'm on Panorama version 10.2.2.
Has anyone a hint how to fix or work around that issue?
08-02-2022 08:44 PM
We could fix the problem temporarily yesterday during our support session. The TAC guy logged in via root to Panorama. Then a simple ssh [user]@[backup-server-ip] was all that was needed. The SSH key got saved and the web GUI scheduled export function was working again.
They're gonna check the issue and hopefully it will be fixed soon.
08-03-2022 12:56 AM
Just got the info from my support partner that the issue has been analyzed by PA and will be fixed in version 10.2.3; the release date is planned for next month.
08-10-2022 01:00 PM
@PaulMarroquin my system is not in FIPS mode. I did get "confirmation" from the Palo Alto tech as well that it is a glitch and it will be fixed in the next version (whether it was actually confirmation or just took this thread at its word I'm not sure).
09-30-2022 12:20 AM
Today I upgraded to version 10.2.3 and the problem with Scheduled Config Export via SCP still appears. Has anybody else upgraded to 10.2.3 and obtained the same results?
10-04-2022 03:06 PM
@Pablo-Molina @Netzer @PaulMarroquin @ahandoo I just upgraded to 10.2.3 on Panorama and this issue is still there. The release notes didn't seem to mention this problem either.
11-30-2022 10:20 PM
@CKobelsky Got an update from PA Support stating that this will be fixed in 10.2.4 which is going to be released in February 2023.
01-25-2023 04:39 AM
So has this issue been fixed yet, as I too am having this issue? I have installed the RSA key over and over to no avail and still the scheduled export is failing. What is the fix please?
01-25-2023 04:40 AM
Incidentally I am running PAN-OS 10.2.3!!
01-25-2023 04:52 AM
The fix was done by the PA support, they got root access and opened an ssh connection to the backup server. Key came up -> yes
Open a case, you cannot fix it by yourself.
Mmmm not going to work as they can't have an ssh connection into my client devices. Since when did vendors think it's OK to take root access away from competent engineers with years of experience and hand over to them to jump all over client devices? At least Checkpoint don't do this.
Palo Alto need to provide a fix in the next Patch level of 10.2.4 in my opinion!
01-25-2023 07:34 AM
Thanks for responding anyway!
03-03-2023 06:07 AM
Just wanted to confirm that having PA TAC remotely access Panorama as root and add the host key to known_hosts does work. There must be a permissions issue introduced at some point.
10.2.4 is supposed to address this issue, coming out this month.
04-05-2023 05:38 AM
10.2.4 is out now, I can't see a fix directly mentioned in the release notes: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-4-known-and-addressed...
Anybody already upgraded and tested if it is indeed fixed?
04-12-2023 03:32 AM
10.2.4 solved this issue. I can confirm it.