This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Asifoxy
Explorer
4 weeks ago

Unable to schedule backup using SCP R81.10

Hi All,

I am looking to schedule a backup from GAIA in LAB , but when tried adding entry to know host file by following sk164234 GW cli is giving error "NMHOST9999 Fingerprint does not match remote public key".

Attaching snap for reference, any help will be greatly appreciated.

Preview file
21 KB
0 Kudos
15 Replies
_Val_
Admin
Admin
4 weeks ago

You need to add that public key first. Please look into sk164234 and tell us if it helps.

0 Kudos
the_rock
Legend
Legend
3 weeks ago

Just replace last part of that command with the actual finderprint from the screenshot and it should work.

Andy

0 Kudos
Asifoxy
Explorer
2 weeks ago
In response to the_rock

Hi Val and the_rock thanks for you reply but i am still facing the same issue, attaching snap from both cli and Gaia, 

please look and let me know what am i missing also i have gone through mention SK but it didn't help.

 

Preview file
10 KB
Preview file
9 KB
Preview file
23 KB
0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to Asifoxy

I see now it matches, but still an issue. I would confirm with TAC.

Andy

0 Kudos
Asifoxy
Explorer
2 weeks ago
In response to the_rock

Thanks, will be looking forward for your response.

BR

Asif

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to Asifoxy

One other thing you can try is also maybe remove that config and try again, but if that fails, I would open support case and confirm what could be the reason for the failure.

Andy

0 Kudos
Asifoxy
Explorer
2 weeks ago
In response to the_rock

I have already tried that, but still it is not working and showing same error.

BR

Asif

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to Asifoxy

Hey Asif, good morning again. So if thats the case, then I would certainly open TAC case and see if they can verify.

https://help.checkpoint.com

Andy

0 Kudos
Asifoxy
Explorer
2 weeks ago
In response to the_rock

Hi Andy, thanks for sharing the link but unfortunately i do not have subscription for checkpoint also i am trying this in my lab and hence i have reached out on this community to see if someone have faced similar error earlier.

Anyways thanks for all your help.

BR 

Asif

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to Asifoxy

We are not sadly allowed, as per community policies, to paste content of the sk, so you would have to see if someone you know may have access to the article @_Val_ pointed to, I believe it would help.

Andy

0 Kudos
Asifoxy
Explorer
a week ago
In response to the_rock

I have already followed the SK but i think something is missing in what i am doing and that i am not able to figure it out.

BR

Asif

0 Kudos
the_rock
Legend
Legend
a week ago
In response to Asifoxy

Just to make sure Im not missing anything, is it the case where you delete this config, then when you try it again, it fails at exact same step?

Andy

0 Kudos
Asifoxy
Explorer
Sunday
In response to the_rock

Yes!

BR

Asif

0 Kudos
the_rock
Legend
Legend
Sunday
In response to Asifoxy

Ok, fair enough. Im tagging @Ilya_Yusupov , I have all the confidence in the world he can help you fix this problem.

Andy

0 Kudos
Ilya_Yusupov
Employee
Employee
Monday
In response to the_rock

Thank you @the_rock  🙂

@Asifoxy  - i replicated it in my lab but i'm not sure its a bug 

in my lab i see that for my known host i have 3 options for the fingerprint, when i choose "ecdsa-sha2-nistp256" it worked but if i choose same as in your attachment i will get same results 

 

the fingerprint options - if i choose the first one it works but if i choose last one it will not work, based on the SK looks like we support only SHA256, i suggest to open a TAC ticket in case you see this as an issue.

[Expert@ilya29000-2:0]# ssh-keyscan 10.15.255.131 | ssh-keygen -lf -
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
256 SHA256:QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM 10.15.255.131 (ECDSA)
2048 SHA256:K8VKLJsuzkpmqGV0DPif4MVQMefi3Sy2PwuV3v8ECls 10.15.255.131 (RSA)
256 SHA256:Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao 10.15.255.131 (ED25519)

Good:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM

 

Bad:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao
NMHOST9999 Fingerprint does not match remote public key

 

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events