Junos system configuration archival is not working over scp
Junos system configuration archival over scp does not work in any of the following cases:
1. The username or password for the remote scp server is not correct.
2. The destination directory on the destination server is not owned by the scp user, or the scp user does not have the appropriate write + execute permissions.
This is easily solved by running "chown junos-configs /destination/directory", where "junos-configs" is the user used in the Junos scp command.
3. The [set system archival configuration archive-sites "scp://...] command is not actually run, but the whole config is instead loaded from terminal or from a file. Example:
Code:
[edit system archival]
admin@JUNOS# load replace relative terminal
[Type ^D at a new line to end input]
configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper-configs@10.0.123.104:/destination/directory" password "$9$.Pfz6/tuBujHi.Rfn7Ctu1YlMWxxdABCDefghif5"; ## SECRET-DATA
    }
}
load complete
While this config is loaded and committed successfully, Junos configuration archival will not work. For archival to work, Junos needs to remember the ssh fingerprint of the destination server (scp runs over ssh after all). To check this:
Code:
admin@JUNOS# top show security ssh-known-hosts
There is no ssh fingerprint for destination 10.0.123.104. Checking the destination directory on the destination server yields no archived configurations, and the local Junos directory still holds the archived configuration files, as they haven't been moved to the scp server:
Code:
[edit]
admin@JUNOS# run start shell
% ls -la /var/transfer/config/
total 12
drwxr-xr-x 2 root wheel 512 Jan 1 07:57 .
drwxr-xr-x 3 root wheel 512 Dec 12 12:27 ..
-rw-r----- 1 root wheel 2014 Jan 1 07:57 JUNOS_juniper.conf.gz_20150101_075750
How to make Junos configuration archival work then?
The Junos "set" command that configures the scp archive site has to be deleted from the configuration and then run individually. When the command is run in the CLI, the ssh fingerprint is displayed and, upon user confirmation, added to the Junos ssh known hosts:
Code:
[edit]
admin@JUNOS# show system archival | display set
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://juniper-configs@10.0.123.104:/destination/directory" password "$9$.Pfz6/tuBujHi.Rfn7Ctu1YlMWxxdABCDefghif5"
[edit]
admin@JUNOS# delete system archival configuration archive-sites
[edit]
admin@JUNOS# set system archival configuration archive-sites "scp://juniper-configs@10.0.123.104:/destination/directory" password "$9$.Pfz6/tuBujHi.Rfn7Ctu1YlMWxxdABCDefghif5"
The authenticity of host '10.0.123.104 (10.0.123.104)' can't be established.
ECDSA key fingerprint is 1b:bb:8e:28:c6:da:df:0a:7c:6f:48:bf:18:b4:4e:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.123.104' (ECDSA) to the list of known hosts.
[edit]
admin@JUNOS# show security ssh-known-hosts
host 10.0.123.104 {
    ecdsa-sha2-nistp256-key AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdKPOfyVKAWkYKKtIY2gTXXCzRPkVOB/0FtB6ML4cf8SVufbfeE1F1i2Nh92nH6Krt8pjjzDjetpAOA5BrgLBg=;
}
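The check described above can be run offline against a saved configuration. The following is an added example, not part of the original post: it reads "show configuration | display set" output, lists scp archive sites that have no ssh-known-hosts entry (the failure case shown above), and prints the MD5 fingerprint of each stored host key in the format of the Junos prompt. The sample input is constructed; the 10.0.123.105 site and the "$9$constructed" password are hypothetical.

```python
import base64
import hashlib
import re

# Constructed sample of `show configuration | display set` output. The .104 site
# and its host key are the ones shown in the post; the .105 site is hypothetical
# and stands for an archive site that was loaded without the interactive prompt.
SAMPLE_CONFIG = """\
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://juniper-configs@10.0.123.104:/destination/directory" password "$9$constructed"
set system archival configuration archive-sites "scp://juniper-configs@10.0.123.105:/destination/directory" password "$9$constructed"
set security ssh-known-hosts host 10.0.123.104 ecdsa-sha2-nistp256-key AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdKPOfyVKAWkYKKtIY2gTXXCzRPkVOB/0FtB6ML4cf8SVufbfeE1F1i2Nh92nH6Krt8pjjzDjetpAOA5BrgLBg=
"""

ARCHIVE_RE = re.compile(
    r'^set system archival configuration archive-sites "?scp://'
    r'(?:[^@/"\s]+@)?([^:/"\s]+)', re.M)
KNOWN_RE = re.compile(r'^set security ssh-known-hosts host (\S+) \S+-key (\S+)', re.M)


def scp_archive_hosts(config):
    """Hosts named in scp:// archive-sites statements, in config order."""
    return [m.group(1) for m in ARCHIVE_RE.finditer(config)]


def known_hosts(config):
    """Map host -> base64 public key from security ssh-known-hosts."""
    return {m.group(1): m.group(2) for m in KNOWN_RE.finditer(config)}


def md5_fingerprint(key_b64):
    """MD5 of the key blob as colon-separated hex, the format of the prompt."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit(config):
    """Return (archive hosts with no stored key, MD5 fingerprint per stored key)."""
    known = known_hosts(config)
    missing = [h for h in scp_archive_hosts(config) if h not in known]
    return missing, {h: md5_fingerprint(k) for h, k in known.items()}


if __name__ == "__main__":
    missing, prints = audit(SAMPLE_CONFIG)
    for host in missing:
        print(f"{host}: archive site has no ssh-known-hosts entry")
    for host, fp in prints.items():
        print(f"{host}: stored host key MD5 {fp}")
```

Each printed fingerprint can be compared with the output of "ssh-keygen -l -E md5 -f" run on the scp server against its own host public key file, so the key accepted at the yes/no prompt is confirmed to be the server's.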