BugZero | Cisco BugID CSCwh92156 - Firewall shows misleading SCP file copy failure re...

Cisco - Defect ID: CSCwh92156

Firewall shows misleading SCP file copy failure reasons

Cisco - Defect ID: CSCwh92156

Firewall shows misleading SCP file copy failure reasons

Last updated on 4/23/2025

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 6.16.1

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

The firewall shows the following error messages that may mislead users in the following cases: 1. Missing route to the SCP server - in this case, the firewall does not have a route to the destination server. firewall# copy scp://user@192.0.2.1//tmp/file flash: Address or name of remote host [192.0.2.1]? Source username [user]? Source filename [/tmp/file]? Destination filename [file]? Accessing scp://user@192.0.2.1//tmp/file... %Error opening scp://user@192.0.2.1//tmp/file (No such device) <======== No such device 2. Connectivity failure to the SCP server due to reasons other than a missing route - in this case, there's no reply from the SCP server: firewall# copy scp://user@192.0.2.1//tmp/file flash: Address or name of remote host [192.0.2.1]? Source username [user]? Source filename [/tmp/file]? Destination filename [file]? Accessing scp://user@192.0.2.1//tmp/file... %Error opening scp://user@192.0.2.1//tmp/file (Permission denied) <======== Permission denied capture capi type raw-data interface inside [Capturing - 172 bytes] match tcp any any eq ssh ciscoasa(config)# show capture capi 2 packets captured 1: 07:04:41.538241 198.51.100.100.35882 > 192.0.2.1.22: S 3665990749:3665990749(0) win 32768 2: 07:04:44.564774 198.51.100.100.35882 > 192.0.2.1.22: S 3665990749:3665990749(0) win 32768

Conditions

First seen when all of the conditions are true: 1. On Secure Firewall Threat Defense (FTD) the user copies files over Secure Copy Protocol (SCP) on Lina engine (in diagnostic CLI) 2. On Adaptive Security Appliance (ASA) the user copies files over SCP and ciscossh stack is disabled: ciscoasa(config)# show run ssh no ssh stack ciscossh 3. Missing route to the SCP server or connectivity failure to the SCP server due to reasons other than a missing route.

Workaround

1. On the firewall, check the route to the SCP servers. 2. Using troubleshooting tools, such as captures, verify connectivity to the SCP servers.

Further Problem Description

In the case of ASA, if ciscossh is enabled, the following error messages are shown in both of the above cases: ciscoasa(config)# show run ssh ssh stack ciscossh copy scp://user@192.0.2.1//tmp/file flash: ssh: connect to host 192.0.2.1 port 22: Connection timed out

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwh92156

Firewall shows misleading SCP file copy failure reasons

Cisco - Defect ID: CSCwh92156

Firewall shows misleading SCP file copy failure reasons

Last updated on 4/23/2025

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?