Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Asifoxy
Explorer

Unable to schedule backup using SCP R81.10

Hi All,

I am looking to schedule a backup from GAIA in LAB , but when tried adding entry to know host file by following sk164234 GW cli is giving error "NMHOST9999 Fingerprint does not match remote public key".

Attaching snap for reference, any help will be greatly appreciated.

0 Kudos
17 Replies
_Val_
Admin
Admin

You need to add that public key first. Please look into sk164234 and tell us if it helps.

0 Kudos
the_rock
Legend
Legend

Just replace last part of that command with the actual finderprint from the screenshot and it should work.

Andy

0 Kudos
Asifoxy
Explorer

Hi Val and the_rock thanks for you reply but i am still facing the same issue, attaching snap from both cli and Gaia, 

please look and let me know what am i missing also i have gone through mention SK but it didn't help.

 

0 Kudos
the_rock
Legend
Legend

I see now it matches, but still an issue. I would confirm with TAC.

Andy

0 Kudos
Asifoxy
Explorer

Thanks, will be looking forward for your response.

BR

Asif

0 Kudos
the_rock
Legend
Legend

One other thing you can try is also maybe remove that config and try again, but if that fails, I would open support case and confirm what could be the reason for the failure.

Andy

0 Kudos
Asifoxy
Explorer

I have already tried that, but still it is not working and showing same error.

BR

Asif

0 Kudos
the_rock
Legend
Legend

Hey Asif, good morning again. So if thats the case, then I would certainly open TAC case and see if they can verify.

https://help.checkpoint.com

Andy

0 Kudos
Asifoxy
Explorer

Hi Andy, thanks for sharing the link but unfortunately i do not have subscription for checkpoint also i am trying this in my lab and hence i have reached out on this community to see if someone have faced similar error earlier.

Anyways thanks for all your help.

BR 

Asif

0 Kudos
the_rock
Legend
Legend

We are not sadly allowed, as per community policies, to paste content of the sk, so you would have to see if someone you know may have access to the article @_Val_ pointed to, I believe it would help.

Andy

0 Kudos
Asifoxy
Explorer

I have already followed the SK but i think something is missing in what i am doing and that i am not able to figure it out.

BR

Asif

0 Kudos
the_rock
Legend
Legend

Just to make sure Im not missing anything, is it the case where you delete this config, then when you try it again, it fails at exact same step?

Andy

0 Kudos
Asifoxy
Explorer

Yes!

BR

Asif

0 Kudos
the_rock
Legend
Legend

Ok, fair enough. Im tagging @Ilya_Yusupov , I have all the confidence in the world he can help you fix this problem.

Andy

0 Kudos
Ilya_Yusupov
Employee
Employee

Thank you @the_rock  🙂

@Asifoxy  - i replicated it in my lab but i'm not sure its a bug 

in my lab i see that for my known host i have 3 options for the fingerprint, when i choose "ecdsa-sha2-nistp256" it worked but if i choose same as in your attachment i will get same results 

 

the fingerprint options - if i choose the first one it works but if i choose last one it will not work, based on the SK looks like we support only SHA256, i suggest to open a TAC ticket in case you see this as an issue.

[Expert@ilya29000-2:0]# ssh-keyscan 10.15.255.131 | ssh-keygen -lf -
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
# 10.15.255.131:22 SSH-2.0-OpenSSH_7.8
256 SHA256:QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM 10.15.255.131 (ECDSA)
2048 SHA256:K8VKLJsuzkpmqGV0DPif4MVQMefi3Sy2PwuV3v8ECls 10.15.255.131 (RSA)
256 SHA256:Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao 10.15.255.131 (ED25519)

Good:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint QTmIeCF6wc+6UFpbaT8bDM5Jtd/DOkr1h7eRAoh3kmM

 

Bad:

ilya29000-2> add ssh hba ipv4-address 10.15.255.131 public-key access-mode online fingerprint Ap8u/SvBfrGCNVMk76JqO+bbvb6lMQYj2bTNwXwYWao
NMHOST9999 Fingerprint does not match remote public key

 

(1)
Asifoxy
Explorer

Thanks @Ilya_Yusupov for taking time and testing it out in your lab, as i mention earlier currently i am on learning path and does not have support to checkpoint services, still i will updated the JHF in my lab and will let you guys know if it helps or not.

BR

Asif

the_rock
Legend
Legend

Hey @Asifoxy 

I also tested what @Ilya_Yusupov did in his lab and result was the same.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events