How to export config bundles to a replacement SCP server with the same IP address as the failed server

Created On 11/23/19 02:14 AM - Last Modified 06/01/20 19:56 PM


Objective


To export config bundles to a replacement SCP server with the same IP address as the failed server.

Environment


  • Any Panorama (M-series and VM)
  • PAN-OS 7.1, 8.1 and 9.0


Procedure


The firewall still holds the old server's RSA host key, while the replacement server presents a new key.
  1. Delete the stored host keys using the command delete user-file ssh-known-hosts
> delete user-file ssh-known-hosts
  2. Run a test connection. It will fail, but the output contains the RSA key of the replacement server.
> test scp-server-connection initiate port <port no> hostname <> username {user} password {pass}
  3. Note down the key value from the output above and install the key
> test scp-server-connection confirm hostname <Ip or hostname> key "<Ip or hostname> ssh-rsa {rsa key from above}"
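As an added example (not part of the article or of PAN-OS), the Python below turns the ssh-rsa key printed by the failed initiate step into an OpenSSH-style SHA256 fingerprint, so it can be compared with the fingerprint read on the replacement server's own console before the confirm step installs it; the test-output wording, the host 198.51.100.10 and the dummy key are constructed.

```python
import base64
import hashlib
import re
import struct

def _mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian bytes, leading 0x00 if the high bit is set, length prefix."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def build_rsa_blob(e: int, n: int) -> str:
    """Base64 wire-format ssh-rsa public key; used here only to construct sample input."""
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)).decode()

KEY_RE = re.compile(r"(ssh-rsa)\s+([A-Za-z0-9+/=]+)")

def extract_host_key(test_output: str):
    """Pull (key type, base64 blob) out of the text the failed 'initiate' step prints."""
    m = KEY_RE.search(test_output)
    if not m:
        raise ValueError("no ssh-rsa host key found in test output")
    return m.group(1), m.group(2)

def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def confirm_command(host: str, key_type: str, blob_b64: str) -> str:
    """The article's confirm command, with the key in the known_hosts form it expects."""
    return f'test scp-server-connection confirm hostname {host} key "{host} {key_type} {blob_b64}"'

def safe_confirm_command(host: str, test_output: str, expected_fp: str):
    """Emit the confirm command only if the presented key matches the out-of-band fingerprint, else None."""
    key_type, blob = extract_host_key(test_output)
    if fingerprint_sha256(blob) != expected_fp:
        return None
    return confirm_command(host, key_type, blob)

# Constructed sample: a dummy ssh-rsa key (tiny modulus, not a real key) inside an assumed
# rendering of the failed 'initiate' output; the real PAN-OS wording is not on the page.
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE_DEADBEEF_0BADF00D)
SAMPLE_OUTPUT = f"Host key verification failed.\nServer key: ssh-rsa {SAMPLE_BLOB}\n"
# Stands in for the fingerprint read on the replacement server's console (e.g. 'ssh-keygen -lf').
OUT_OF_BAND_FP = fingerprint_sha256(SAMPLE_BLOB)

if __name__ == "__main__":
    print(safe_confirm_command("198.51.100.10", SAMPLE_OUTPUT, OUT_OF_BAND_FP))
```

If the fingerprints differ, the function returns None and no confirm command is produced, which is the point: the key presented on the wire is only installed once it has been checked against a value obtained outside that connection.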




Additional Information


  • When SCP is used for exporting configuration or logs, the key exchanged is normally stored in the Firewall.
  • When the SCP server has failed and the replacement SCP server is configured using the same IP address, it will start using a new SSH/SCP key.
  • When the Firewall starts to establish a connection to the replacement SCP server it will fail since the key value is changed.
  • The procedure explained above installs the new key on the firewall so that the connection is established correctly.

