
Router can not SCP after IP and Name Change but can SSH

jason.menningen
Level 1

Hi all, this is my first time asking a question on here, but I have used other answered questions enough to trust in the comments from here.

Issue Breakdown: We changed a router's IPs, lo0/Gi0/0, and hostname via a modified startup config so the new configurations would take effect after a reboot. My original worry in this experiment was that SSH would stop working, as SSH keys use the system's hostname in the generation of the RSA keys. Thankfully, when the router came back up with the new hostname and IPs, SSH still functioned normally; unfortunately, SCP did not. My initial thought was that the router had saved a known hosts file for the SCP servers, but after much looking through other Cisco documents and online forums I cannot find any mention of that being the cause.

Interested Devices:

Cisco CISCO3945-CHASSIS with a C3900-SPE150/K9 running IOS Version 15.7(3)M8

SolarWinds SFTP/SCP server on a Windows 2016 server

Interested Configs:

#sho run all | i ssh
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh window-size 8192
ip ssh source-interface Loopback0
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 2048
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
no ip ssh server peruser session limit
ip ssh server certificate profile
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
ip ssh client algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes256-ctr
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

Also, all console and line configs are set to transport input/output ssh.

Troubleshooting done so far: I have verified both ICMP and SSH from the 2016 server to the router.  I have verified the SolarWinds SFTP/SCP server is not storing known hosts.  I have verified the SolarWinds SFTP/SCP server can still do SCP transfers with other Cisco devices.  My next thought is to re-generate my SSH keys on the router but I fear losing remote access to the device.  Does anyone have any ideas? And if any further information is needed please let me know.

1 Accepted Solution


Found Issue:

A firewall policy was modified allowing only SSH traffic from our Network Management servers to our Network devices but not from.  Fixed the Firewall policy for fix action.  Marce1000 thank you for looking at my question.  If you hadn't asked me to look at my SFTP/SCP logs I might not have looked for the traffic logs within the firewall.
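As an added illustration (not part of the original post, and not Cisco or SolarWinds code), the sketch below models the directional policy described in the accepted solution by evaluating a first-match rule set for a new TCP/22 connection in each direction. The addresses, the rule names and the assumption that the router opens the SCP session to the server from Loopback0 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    dport: int    # destination TCP port
    action: str   # "permit" or "deny"

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation of a NEW connection; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and dport == r.dport):
            return r.action, r.name
    return "deny", "implicit-deny"

def check_both_directions(rules, nms_ip, router_ip, port=22):
    """Management SSH is NMS -> router:22. An SCP copy started on the router
    is a separate new session, router -> SCP server:22, and is not covered
    by the return-traffic state of the management session."""
    return {
        "ssh_nms_to_router": evaluate(rules, nms_ip, router_ip, port),
        "scp_router_to_nms": evaluate(rules, router_ip, nms_ip, port),
    }

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
NMS = "192.0.2.10"
ROUTER_LO0 = "198.51.100.1"  # new Loopback0, per "ip ssh source-interface Loopback0"

# Hypothetical policy before and after the fix described in the post.
POLICY_BEFORE = [
    Rule("nms-to-devices-ssh", "192.0.2.0/24", "198.51.100.0/24", 22, "permit"),
]
POLICY_AFTER = POLICY_BEFORE + [
    Rule("devices-to-nms-ssh", "198.51.100.0/24", "192.0.2.0/24", 22, "permit"),
]

if __name__ == "__main__":
    for label, policy in (("before fix", POLICY_BEFORE), ("after fix", POLICY_AFTER)):
        results = check_both_directions(policy, NMS, ROUTER_LO0)
        for flow, (action, rule) in results.items():
            print(f"{label:10} {flow:18} {action:6} ({rule})")
```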


2 Replies

marce1000
VIP

 

> ...functioned normally, unfortunately SCP did not.

How is it failing then, which error(s) do you get?

> ... I have verified the SolarWinds SFTP/SCP server

Check the logs (ssh-scp-service) on the SolarWinds for the now-failing SCP attempts, look for errors if any.

M.

-- 'Good body every evening': this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!
