Symptoms
Unable to collect 'supportsaves' or 'configupload' by Secure Copy (SCP) and Secure File Transfer Protocol (SFTP).
Please confirm the following before proceeding:
1. Switch is able to ping the SCP/SFTP server.
2. SCP/SFTP server is also able to ping switch.
3. No firewall blocking SCP or SFTP ports.
4. Works with FTP.
Can also occur during upgrade from FOS 7.1.x to 7.4.x.
SCP Example:
switch:admin> configupload
Protocol (scp, ftp, sftp, local) [ftp]: scp
Do you want to continue with CRA (Y/N) [N]: y
Server Name or IP Address [host]: 10.0.0.1
User Name [user]: admin
Path/Filename [<home dir>/config.txt]: /configupload.scp
Section (all|chassis|switch [all]): switch
lost connection
configUpload not permitted (scp failed).
Terminated
SFTP Example:
switch:admin> supportsave
This command collects RASLOG, TRACE, supportShow, core file, FFDC data
and then transfer them to a FTP/SCP/SFTP server or a USB device.
This operation can take several minutes.
NOTE: supportSave will transfer existing trace dump file first, then
automatically generate and transfer latest one. There will be two trace dump
files transferred after this command.
OK to proceed? (yes, y, no, n): [no] y
Host IP or Host Name: 10.0.0.1
User Name: admin
Password:
Protocol (ftp | scp | sftp): sftp
Remote Directory: /
Do you want to continue with CRA (Y/N) [N]: y
Saving support information for switch:switch, module:RAS...
....................................................................................
Remote Host:Could not connect to remote host.
SupportSave failed.
If CRA (Challenge Response Authentication) is chosen as "NO" or "N" and the issue is still seen and/or root access is not available follow resolution 2.
Cause
The known_hosts file has an incorrect public key which is preventing outbound authentication with the scp/sftp server.
This usually occurs if the server had to be rebuilt and in doing so the "key" information changed and as such anytime a supportsave is run the "key" sent from the switch is different than what is listed on the server causing the 'connection failed' message.
Resolution
To correct this issue root access to the switch will be needed to remove the host from the switches RSA entry in the known_hosts file. When the switch makes its next connection a new RSA key will be generated and propagated to the known_hosts file to allow access to completing the data collection.
Please follow these steps:
Resolution 1:
- Log into switch as "root"
- Enter the following command to remove the public RSA key of the scp/sftp server:
ssh-keygen -R XXX.XXX.XXX.XXX (Where XXX.XXX.XXX.XXX represents the IP address of the scp/sftp server
Resolution 2:
1. Log into the switch as "admin"
2. Remove the IP address of the SFTP/SCP from the list of known hosts:
#> sshutil delknownhost
The switch will prompt to enter the IP address of the SFTP server whose entry needs to be removed.
IP Address/Hostname to be deleted: <IP address of the SFTP Server>
After this, when supportsave or configupload is tried, the IP address of the host is added to the list of known_host.