FMC Status: Backup complete, Copy failed

Hi everyone,

 

I can't get fpmc to copy to an sftp server. It's a well tested tftp server and it is currently being used for call manager backups and it has worked for years. All I get from FPMC is this:

 

Backup Name: test_fpmc_backup_20180321103002-2018-03-21T10-30-04
Status: Backup complete, Copy failed

The backup file can be located in the Backup/Restore section of the product.

I can test login to sftp using WinSCP and I can upload files just fine, but for some reason FMC fails on the copy operation with no additional info as to what exactly is going on. Is it an authentication issue, permissions, what?


If you can share similar experience and remedies that would be appreciated very much!
Thanks

~B

 

6 REPLIES
Highlighted
Cisco Employee

Hi There,

 

Copy when complete uses SCP which is over port 22.

You can try to login to FMC CLI, elevate to root and then try to SSH to your SCP/SFTP server and see if that works.

If that doesn't work, you would get the error and based on that issue can be isolated further.

One common issue I have seen is that if the SCP/SFTP server's DH key is less than 1024 bits, FMC cannot connect. Make sure the DH key is minimum of 1024 or above.

 

Hope that helps,

Yogesh

Highlighted

@yogdhanu Thanks for the reply - both of the things you mentioned have been tested; yes sftp just as scp runs on 22 and yes I can ssh to the sftp server, and yes the key is actually double the minimum suggested -- it is 2048


Any other feedback guys?

 


Highlighted

Hi

 

I hope you have also copied the SSH public key to authorized_keys in the sftp server.

If that's done, check the FMC logs from CLI to see what's going wrong when FMC tries to copy.

You can also open a TAC case.

 

Hope it helps,

Yogesh

 

Highlighted

copied the SSH public key to authorized_keys  in the sftp server.

 

Where exactly does this go?  I have seen that it should be in the user's ~ssh folder, but do you copy/paste that info into a file named authorized_keys, or is authorized_keys another folder under ~ssh?  And if so, what is the file name to copy the info into?

Thanks for clarification!

Highlighted

@yogdhanu @psturm Hey guys I wanted to share that if a stock Ubuntu 16 is used, totally generic and totally out of the ISO with sshd added via apt-get (so it is totally generic install) the sftp copy works just fine without the need to do any kind of manual manipulation of keys, etc

 

So that throws me off, it means some sftp servers work just fine but others require some kind of manual intervention which I'm very unclear about.. any success on your end as far as the manual copying of keys?

Highlighted

I found that on my SFR, to make the backups work, I had to first SSH to the firepower module and perform an SCP transfer using sudo. Then it prompted me to save the key for the remote host. I transferred a small file just to get it going, like /etc/hosts. I used a command like this: sudo scp /etc/hosts root@x.x.x.x:/remotefolderforbackups

Once I had the key stored, I was able to set up the rest via the GUI and set up my offbox backups in the scheduling section. Hope this helps.
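
The checks suggested in the replies above (SSH from the appliance CLI as root, a stored host key, key exchange strength, credentials) can be run without prompts, which is how an unattended copy runs. This is an added example, not part of the original thread or Cisco's code; the names `classify_ssh_error`, `probe_copy_target` and `COPY_TARGET` are hypothetical, and it assumes a stock OpenSSH client on the box doing the copy.

```shell
#!/bin/sh
# Added example: find out why a non-interactive SCP/SFTP copy fails.
# Assumption: run as the account that performs the copy (root in the thread).

# Map OpenSSH client stderr text to the causes discussed in the thread.
classify_ssh_error() {
    case "$1" in
        *"REMOTE HOST IDENTIFICATION HAS CHANGED"*)
            echo "host-key-changed" ;;   # stored key no longer matches the server
        *"Host key verification failed"*)
            echo "host-key-unknown" ;;   # no known_hosts entry for this account yet
        *"no matching key exchange method"*|*"DH GEX group out of range"*)
            echo "kex-mismatch" ;;       # e.g. server DH group too small for the client
        *"Permission denied"*)
            echo "auth-failed" ;;        # key missing from authorized_keys, or password-only
        *"Connection refused"*|*"Connection timed out"*|*"No route to host"*)
            echo "network" ;;
        *)
            echo "unknown" ;;
    esac
}

# $1 = user@host. BatchMode forbids prompts, so a missing host key fails
# immediately instead of asking "save this key?" as an interactive scp does.
# The host key is checked before authentication, so host-key and kex results
# are meaningful even when the account only has password authentication.
probe_copy_target() {
    err=$(ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
              -o ConnectTimeout=10 "$1" true 2>&1 >/dev/null) && { echo "ok"; return 0; }
    classify_ssh_error "$err"
    return 1
}

# Before storing a host key, compare its fingerprint with one read on the
# server itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub):
#   ssh-keyscan -t ed25519 <host> | ssh-keygen -lf -

# Runs only when a target is supplied, e.g. COPY_TARGET=backup@192.0.2.10
if [ -n "${COPY_TARGET:-}" ]; then
    probe_copy_target "$COPY_TARGET"
fi
```

A result of `host-key-unknown` matches the last reply: the copy works once the server's key is stored for the account that runs it.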
