SCP connection failed

Updated 3 years ago
We upgraded our HMOL to 6.5r1 but cannot push configuration to the access points after the upgrade. We get an error "SCP connection failed". We were able to push the configuration to two access points, so we know that it is not a port issue on the firewall since all the APs are on the same network. We did come across an article to change capwap transport to http, but this configuration change doesn't seem to stick, since after an AP reboot it reverts back to udp even after running save config.

Is there a proper solution for this issue?

Thanks

Ebenezer

Posted 3 years ago

Ruwan Indika

Hi Ebenezer,

1) Use this command to test SCP connectivity to the HiveManager:

AH-91c000#exec  _test  tcp-service host 52.18.42.176 port 22 

Testing TCP connection for host=52.18.42.176, port=22, timeout=10 seconds

Test successfully.



2) Upgrade to 6.4r1d if the AP firmware is 6.1r1 

Ebenezer

Hi Ruwan

I get the following error after running the command. Outbound SSH is allowed on our firewall. 

Test failed:Connection refused, maybe the TCP service on the port doesn't provide.

Thanks.

Nick Lowe, Official Rep

That does mean that the issue isn't likely to be with your APs. Can you get a packet capture so that we see what's going on?

Ebenezer

Before we try a packet capture, can you please try to SSH to 52.18.42.176 from one of your APs to make sure that it's not an issue on the HMOL side?


Thanks.

Ruwan Indika

Hi Ebenezer,

Please check your firewall for functions like unified threat management, which may be inspecting traffic even though port 22 is open outbound.

SSH test result below; please try the same from your network:

1)  SSH to the server 52.18.42.176
 

AH-91c000#exec ssh-client server 52.18.42.176 user admin

Warning: Permanently added '52.18.42.176' (RSA) to the list of known hosts.

admin@52.18.42.176's password: 




2) TCP port 22 test 


AH-91c000#exec _test tcp-service host 52.18.42.176 port 22

Testing TCP connection for host=52.18.42.176, port=22, timeout=10 seconds

Test successfully.
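
A host-side version of the two AP checks above, as an added example that is not part of the original posts: run from a machine on the same network as the APs, it separates a refused connection from a silent drop and from a session that connects but never returns an SSH identification string, which is the pattern to look for when a firewall inspects port 22. The names `probe_ssh` and `demo_listener`, and the loopback listener itself, are constructed for this example.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=10.0):
    """Open TCP to an SSH port and classify the outcome as (verdict, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # A RST came back: nothing is listening there, or a device on the
        # path is actively rejecting the connection.
        return ("refused", "TCP reset received")
    except socket.timeout:
        # No reply at all: packets are being silently dropped.
        return ("timeout", "no reply within %ss" % timeout)
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            # An SSH server sends an "SSH-..." identification string once
            # the connection is established (RFC 4253, section 4.2).
            data = sock.recv(256)
        except socket.timeout:
            return ("no-banner", "connected, but nothing was sent")
        except OSError as exc:
            return ("error", str(exc))
    if not data:
        return ("closed-after-connect", "peer accepted, then closed")
    first = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if first.startswith("SSH-"):
        return ("ssh-banner", first)
    return ("unexpected-banner", first)

def demo_listener(reply):
    """Constructed stand-in for the far end: a one-shot loopback listener."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_ssh("127.0.0.1", demo_listener(b"SSH-2.0-ConstructedDemo\r\n"), 2))
    print(probe_ssh("127.0.0.1", demo_listener(b""), 2))
```

Pointing `probe_ssh` at 52.18.42.176 on port 22 gives a result to compare with the AP's `_test tcp-service` output.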







Ebenezer

We have contacted the firewall vendor support to check the cause of the timeout.


Thanks.

Ebenezer

We have changed capwap transport to http and done a saveconfig. This helps us to upgrade the APs to the new firmware. But when the APs reboot, the capwap transport setting gets changed to UDP. Is there a way to make sure it remains on http?


Thanks.