Server error : No ECDSA host key is known for netadmin2.intra.chu-rennes.fr . Host key verification failed.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Server error : No ECDSA host key is known for netadmin2.intra.chu-rennes.fr . Host key verification failed.

L2 Linker

Hello team,

 

I have a problem with my export configuration Panorama via  scheduled task.

When I make a test SCP server connexion I have this mesage : 

 

Mamoudou_0-1665479202274.png

 

Before upgrade to 10.2 the export was working fine.

I have also saw that PAN-188052 talk about this issue. Do you know how to fix it ? 

Could you help me please tu understand this problem.

 

Thank you in advance.

 

24 REPLIES 24

L0 Member

Hi, I have the same trouble in 10.2.2-h2 ... Do you fix it?

L2 Linker

Actually spent a few hours with TAC last night, bottom line, their is a work around, where they log into to root and delete the host/key folder and then you can try again to import the key through the article

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HByDCAW

 

This this not work for me, and they are researching a possible workaround, if there is any.

They said it is a know issue and it is said to be fixed in 10.2.4.  we are running 10.2.3 and .4 is not available for download.

 

It seems the key the gui is looking for is the md5 "hex key word" but what you import is actually a alaphnumberic equivelant.

ive tried all kinds of combinations but have not gotten anywhere.

L2 Linker

Thanks everyone for posting about this. Ran into the issue also immediately after upgrading Panorama to 10.2.3H2. This saves me a ticket since it appears there is no current fix.

unfortunately no, but they should be able to log into root and do the needful, like they did in my case.

 

L4 Transporter

I had this issue under the same circumstances and TAC were also able to resolve it by logging in as root and manually removing the old key, so it may be worth asking them to try for you.

L0 Member

The known issue id is PAN-194805. Probably fixed in March 10.2.4 release. A mentioned, in the meantime, you can contact support and have them login to root.

L1 Bithead

Seem also still be an issue  in 10.2.3-h4,   but i also don't see the bug id back in the know issue list.

Does anyone know under which bug id this will be fixed and also in which release?

 

Thanks!

RV

L4 Transporter

We hit this issue again after having it fixed, but following the H4 patch installation.  We are still working on the understanding that hit will be resolved in 10.2.4

Hi,  

Now 10.2.4 is available,  i didn't see an fix regarding this issue.     Is there more info when this is fixed or which release?

 

Thanks,

RV

L1 Bithead

Hi,

it is resolved in 10.2.4. Confirmed in lab.

 

Regards,

L2 Linker

Hello,

 

After an upgrade to 10.2.4 the issue appear again. I will contact the TAC to connect as a root like the first time I had this issue.

 

Regards

L1 Bithead

Hi,

Confirm. However the test option works well and sample file creates. While doing scheduled task there is an error only in log file :

admin@Panorama> less mp-log logd.log

2023-04-14 01:45:05.806 +0200  ### [Failed exporting config bundle via ssh to X.X.X.X. No RSA host key is known for X.X.X.X.

L1 Bithead

Same issue on PA-850 after upgrade from 9.1.4 >10.2.0>10.2.4 .

Support me ask to roll back and follow the recommended upgrade path

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan...

 

w8&c

 

edit

File "/usr/local/bin/pan_log_export_scp", line 533, in <module>
print(sshconn.insertHostkey(opt.add_host_key))
File "/usr/local/bin/pan_log_export_scp", line 174, in insertHostkey
cleanhostkey = filterKeyString(hostkey).strip() + "
"
AttributeError: 'filter' object has no attribute 'strip'

 

this error needs root access to be fixed

L0 Member

For our Panorama the upgrade from 10.2.3-h2 to 10.2.4 did not fix the scp issue. The test option works but I did not asked for that, I just want a working scheduled scp. This means I need to contact TAC again to fix it as root for us.

  • 13491 Views
  • 24 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!