Scheduled backup export


L2 Linker

Hi there,

 

I have a scheduled backup job running every night, which exports my Panorama config to a backup server. It has been running for over a year now without any problem.

 

Yesterday I went over the config, changed the time and permitted the config.

This morning I saw that the backup failed due to missing ECDSA SSH key.

 

Failed exporting config bundle via ssh to 1x.xx.xx.xx. No ECDSA host key is known for 1x.xx.xx.xx ...Host key verification failed...lost connection

 

The test connection button on the backup schedule page asks if I want to add the key, system says it added the key but it seems to do nothing. Same message when I press the button again, same error message when the backup job runs again.

 

I'm on Panorama version 10.2.2

 

Has anyone a hint how to fix or work around that issue?


L1 Bithead

Just had a case open with Palo support. It's not yet fully fixed and scheduled for 10.2.4-H3 and 10.2.5. 

Yes, the only other way beforehand is to get them to give you the root password, but that is only possible if no remote access is permitted. It really is a simple task to run the normal root commands to fix it once you get in! I feel very frustrated they refuse to give that out. Been using Unix for many years now and it's a bit of an insult to one's integrity! Other vendors do not seem to have this restriction.....

That fix they do is temporary; the scheduled config exports will work for a few weeks, then it will break again.

I can understand if you patch the system it might break as that may well overwrite the root directories, but mine have been backing up now for the last 6 weeks since fixing...

Ours broke twice without any changes

10.2.4-h2 -- tried to follow the KB article, but after deleting the host keys and attempting the connection, it's successful (same via GUI). Consequently there's nothing displayed that can be manually added. The scheduled export still fails. Any other ideas?

It's not yet fixed. It should be in 10.2.5 and maybe 10.2.5-h3. Until then you have to open a support case and they need to log in with root and then make an SSH session from the Panorama to the backup server and store the key.

L0 Member

I updated last week to 10.2.4-h3 and SCP backup export still works. To me, it seems that it has been fixed in 10.2.4-h3 even if there is no fixed issue listed for 10.2.4-h3 release.

 

bye

Daniel

 

As far as I can tell, it breaks in the following two circumstances:

- fresh setup

- SCP backup server generates new keys

If it already was working on an older version, it should continue to work after updating Panorama. 

Yes, it is fixed in 10.2.4-h3 - issue ID PAN-218620

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-4-known-and-addressed...


L2 Linker

I recently upgraded from 10.2.4 to 10.2.6 and once I did the scheduled export job started working.  I didn't have to reset anything, just entered in the info, set a time, and away it went
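The error quoted in the original post ("No ECDSA host key is known for ...") is the OpenSSH client message for a host that has no stored key of the type the server offers. The sketch below is an added example, not code from any poster or from Palo Alto Networks: it classifies an offered host key against a known_hosts file, covering the two cases described in the thread (no key stored yet, and a server whose keys were regenerated). It assumes the standard OpenSSH known_hosts format; the function names, the 192.0.2.x addresses and the key blobs are constructed placeholders.

```python
import base64, hashlib, hmac

def hashed_field(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed) names host exactly."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # wildcards and [host]:port are not handled

def check_host_key(known_hosts_text, host, offered_type, offered_blob):
    """Return (verdict, known key types) for the key a server offers."""
    known = {}
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @marker lines
        if host_matches(parts[0], host):
            known.setdefault(parts[1], set()).add(parts[2])
    if offered_type not in known:
        return "missing", sorted(known)   # "No <type> host key is known for <host>"
    if offered_blob in known[offered_type]:
        return "match", sorted(known)
    return "changed", sorted(known)       # stored key differs: verify before replacing

# Constructed sample: 192.0.2.x are documentation addresses, key blobs are placeholders.
HOST = "192.0.2.10"
ECDSA = "ecdsa-sha2-nistp256"
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "192.0.2.10 ssh-rsa PLACEHOLDERRSAKEY",
    hashed_field("192.0.2.20", b"constructed-salt") + " " + ECDSA + " PLACEHOLDEROLDKEY",
])

if __name__ == "__main__":
    print(check_host_key(SAMPLE, HOST, ECDSA, "PLACEHOLDERNEWKEY"))
    print(check_host_key(SAMPLE, "192.0.2.20", ECDSA, "PLACEHOLDERNEWKEY"))
    print(check_host_key(SAMPLE, "192.0.2.20", ECDSA, "PLACEHOLDEROLDKEY"))
```

A "changed" verdict is the case to confirm out of band with the backup server's administrator before the stored key is replaced.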
