How to export config bundles to a replacement SCP server with the same IP address as the failed server
Created On 11/23/19 02:14 AM - Last Modified 06/01/20 19:56 PM
Objective
To export config bundles to a replacement SCP server with the same IP address as the failed server.
Environment
- Any Panorama (M-series and VM)
- PAN-OS 7.1, 8.1 and 9.0
Procedure
The firewall is holding on to the old RSA host key, while the replacement SCP server presents a new key.
- Delete the stored keys using the command delete user-file ssh-known-hosts
> delete user-file ssh-known-hosts
- Run a test connection. It will fail, but the output contains the RSA key of the replacement server.
> test scp-server-connection initiate port <port no> hostname <> username {user} password {pass}
- Note down the key value from the output above and install the key
> test scp-server-connection confirm hostname <Ip or hostname> key "<Ip or hostname> ssh-rsa {rsa key from above}"
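Before running the confirm step, check that the key taken from the failed test really belongs to the replacement server. The following is an added example, not part of the original article or any Palo Alto Networks code: it assumes the key entry has the `<host> ssh-rsa <key>` form used in the confirm command and that the trusted SHA256 fingerprint was read on the SCP server itself (for example with `ssh-keygen -lf` on its host public key). The function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_key_entry(entry):
    """Split '<host> ssh-rsa <base64>' and check the blob matches its label."""
    parts = entry.split()
    if len(parts) != 3:
        raise ValueError("expected '<host> <key-type> <base64-key>'")
    host, key_type, b64 = parts
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on junk
    # SSH wire format: uint32 length + algorithm name, then the key material.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii", "replace"):
        raise ValueError("key type does not match the algorithm in the blob")
    return host, key_type, blob

def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint, the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_entry(entry, expected_host, trusted_fingerprint):
    """True only if the host and the key fingerprint are both as expected."""
    host, _, blob = parse_key_entry(entry)
    return host == expected_host and sha256_fingerprint(blob) == trusted_fingerprint

def make_sample_entry(host, modulus):
    """Constructed sample data: wire-encode a fake RSA public key (e=65537)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    def mpint(value):
        return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, not a real server.
    from_firewall = make_sample_entry("192.0.2.10", 0xC0FFEE1234567890ABCDEF)
    from_console = sha256_fingerprint(parse_key_entry(from_firewall)[2])
    print("match:", verify_entry(from_firewall, "192.0.2.10", from_console))
    spoofed = make_sample_entry("192.0.2.10", 0xBADC0DE1234567890ABCDEF)
    print("match:", verify_entry(spoofed, "192.0.2.10", from_console))
```

Install the key with the confirm command only when the check returns True; a mismatch means the key seen by the firewall is not the one the replacement server holds.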
Additional Information
- When SCP is used for exporting configuration or logs, the key exchanged is normally stored in the Firewall.
- When the SCP server has failed and the replacement SCP server is configured using the same IP address, it will start using a new SSH/SCP key.
- When the Firewall tries to establish a connection to the replacement SCP server, the connection fails because the key value has changed.
- The procedure explained above installs the new key on the firewall so that the connection is established correctly.