Use the -O Option to Ensure Successful SCP from Clients on OpenSSH9.0 to IOS XE Devices

Available Languages

Download Options

  • PDF     (34.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (87.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (74.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 10, 2023
Document ID:220371

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to use the -O option to ensure successful SCP from clients on OpenSSH9.0 to Cisco IOS® XE devices. 

    Workaround

    The -O option can be used on newer versions of OpenSSH with the SCP command to force SCP to be used for the file transfer instead of SFTP.  

    scp -O file.ext username@192.0.2.1:file.ext

    Background Information


    SCP can be used to transfer files between an SCP client and an SCP server. SCP uses an SSH session for authentication.  Once the user is authenticated another channel is opened to transfer the file with SCP.  In OpenSSH9.0 and higher versions SSH is still used for authentication, but SFTP is used for the file transfer instead of SCP.  This creates a problem with current versions of Cisco IOS XE because SFTP is not currently supported to transfer files over SSH. The SSH session succeeds and there is a login success log in the syslog buffer.  However, the connection closes abruptly when the SCP client tries to start the SFTP transfer. 

    Configure SSH and SCP

    Prerequisites to use an SCP client to transfer a file to a Cisco IOS XE device.

    • SSH must be configured
    • Local login or AAA must be configured
    • Privilege level 15 is required for the user to SCP
    • SCP server must be enabled

    Here is an example configuration

    # configure SSH
hostname c8000v
ip domain name cisco.com
crypto key generate rsa
# optional - use ssh version 2
ip ssh version 2
# verify the SSH server is online
show ip ssh
# create a user with privilege level 15
username cisco privilege 15 password 0 cisco
# configure the vty line to use local login and allow ssh
line vty 0 4
login local
transport input ssh
# Enable the SCP server
ip scp server enable
    tip-icon

    Tip: Additional information about SSH configuration can be found here

    note-icon

    Note: aaa can be used instead of local login.

    Once the configuration is done you can SSH/SCP to the device with a reachable IP address on the device.  

    From a Linux device, you can use these commands with the IP address for the device:

    note-icon

    Note: By default, the file is copied to bootflash.

    Troubleshoot

    If the issue is encountered check for these symptoms:

    1. The OpenSSH version of the client shows 9.0 or higher.

    jeff@jeff-virtual-machine:~$ ssh -V
    OpenSSH_9.0p1 Ubuntu-1ubuntu7, OpenSSL 3.0.5 5 Jul 2022

    2. The client shows the connection closes abruptly without any error or file transfer. 

    jeff@jeff-virtual-machine:~$ scp test.txt cisco@192.0.2.1:test.txt
    (cisco@192.0.2.1) Password: 
    scp: Connection closed

    3. On the router a syslog shows the successful SSH connection but the file was not transferred. 

    *Mar 26 18:06:57.290: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.0.2.2] [localport: 22] at 18:06:57 UTC Sun Mar 26 2023

    4.  SCP debugs on the router do not show any information.

    c8000v#debug ip scp
    Incoming SCP debugging is on

    5.  SCP with -v option shows debug logs sending the SFTP subsystem.

    scp -v test.txt cisco@192.0.2.1:test.txt
    Executing: program /usr/bin/ssh host 192.0.2.1, user cisco, command sftp
    OpenSSH_9.0p1 Ubuntu-1ubuntu7, OpenSSL 3.0.5 5 Jul 2022

    <snip>

    debug1: Entering interactive session.
    debug1: pledge: filesystem
    debug1: Sending environment.
    debug1: channel 0: setting env LANG = "en_US.UTF-8"
    debug1: Sending subsystem: sftp 
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    scp: Connection closed

    6. ssh debugs on the router show SSH looks for an SFTP subsystem and then closes the connection. 

    c8000v#debug ip ssh detail 

    ssh detail messages debugging is on

    *Mar 24 14:25:05.074: SSH: MD5 compliance exception Registered 

    *Mar 24 14:25:05.074: SSH1: starting SSH control process 

    *Mar 24 14:25:05.074: SSH1: sent protocol version id SSH-2.0-Cisco-1.25 

    *Mar 24 14:25:05.075: SSH1: protocol version id is - SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu7 <snip> 

    *Mar 24 14:25:07.370: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.10.10.10] [localport: 22] at 14:25:07 UTC Fri Mar 24 2023 

    *Mar 24 14:25:07.379: SSH2 1: channel open request *Mar 24 14:25:07.389: SSH2 1: env request 

    *Mar 24 14:25:07.389: SSH2 1: subsystem request *Mar 24 14:25:07.389: SSH2 1: subsystem message received 

    *Mar 24 14:25:07.389: SSH2 1: searching for subsystem sftp for vty 

    *Mar 24 14:25:07.490: SSH1: Session terminated normally 

    7. Finally, SCP with the -O option succeeds. 

    jeff@jeff-virtual-machine:~$ scp -O test.txt cisco@192.0.2.1:test.txt
    (cisco@192.0.2.1) Password: 
    test.txt 100% 28 2.7KB/s 00:00

    Revision History

    Revision Publish Date Comments
    1.0
    10-Apr-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jeffrey Riehle
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products