jgriffith-cfs
Contributor

VCSA SFTP Backup Fails when FTP Proxy is set

Not really a question but a bug and a solution...

I have run into an issue since installing VCSA 7.0.1.00300 build 17491101. We use an HTTP and HTTPS proxy in our environment so this was configured under Networking -> Proxy Settings. This was also configured as an FTP proxy, although this would never be used in practice.

I then tried to set up SFTP backups under Backup -> Backup Schedule. On trying to submit the form with the settings, this failed immediately with a very generic error along the lines of "General error reported by the backup server". I reviewed /var/log/vmware/applmgmt/applmgmt.log and found the following:

2021-03-04T14:02:27.774 [2307]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.health_check_settings, operation_id: update
2021-03-04T14:02:27.775 [2307]DEBUG:vmware.vherd.base.authorization_local:Verify privileges user (root) privilege ['ModifyConfiguration']
2021-03-04T14:02:27.777 [2307]DEBUG:root:Validated user privileges in localstore or SSO
2021-03-04T14:02:27.779 [2307]DEBUG:vmware.appliance.update.update_state:In State._get using state file /etc/applmgmt/appliance/software_update_state.conf
2021-03-04T14:02:27.864 [2307]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.recovery.backup.schedules, operation_id: create
2021-03-04T14:02:27.864 [2307]DEBUG:vmware.vherd.base.authorization_local:Verify privileges user (root) privilege ['ModifyConfiguration']
2021-03-04T14:02:27.865 [2307]DEBUG:root:Validated user privileges in localstore or SSO
2021-03-04T14:02:27.866 [2307]DEBUG:vmware.appliance.update.update_state:In State._get using state file /etc/applmgmt/appliance/software_update_state.conf
2021-03-04T14:02:27.869 [2307]DEBUG:vmware.appliance.backup_restore.ScheduleManager:Schedule data file /storage/applmgmt/backup_restore/backup_schedule.json does not exist.
2021-03-04T14:02:27.870 [2307]DEBUG:vmware.appliance.backup_restore.schedule_impl:Validating schedule spec.
2021-03-04T14:02:27.871 [2307]INFO:plugins.CurlLib:Proxy is enabled. Protocol: ftp, proxy: http://proxy.ip.address:port/
2021-03-04T14:02:27.926 [2307]ERROR:plugins.FtpStorageIOLib:sftp cmd failed. RC: 22, Err: curl: (22) The requested URL returned error: 403
, Cmd: ['/usr/bin/curl', '--fail', '-u', 'backupusername:****', '--connect-timeout', '10', '--ssl-reqd', '-k', '--proxy', 'http://proxy.ip.address:port/', '--proxytunnel', '--silent', '--show-error', '--list-only', 'sftp://sftp.ip.address:22/path/']

Turning off the FTP proxy settings resolved this issue. So it looks as though when an FTP proxy is set, the VCSA tries to validate the SFTP credentials via the FTP proxy settings using curl. Since V7 of VCSA the URL scheme has changed from scp:// to sftp:// - my hunch would be that whatever is parsing this URL is matching 'ftp' and treating it as an FTP connection and trying to proxy it. Obviously this will never work - it is my understanding that because at its heart SFTP is based on SSH connectivity, it cannot go through a traditional web proxy... You could issue a CONNECT on port 22 but the vast majority of proxies will not permit that, and I don't know if that's how curl behaves. 

2 Replies
ToreUthus
Enthusiast

Had to do the same as well.

Strange thing is we have 2 vCenters (7.0.2.00200), and this problem/bug only occurred on one of them.

0 Kudos
nick_lawes
Contributor

I don't have ftp proxy set, and still see the curl, but with --noproxy '*' 

However, the curl seg faults, and the backups fail!

0 Kudos
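
The check below is an added example, not part of the thread and not VMware's code: it scans applmgmt.log text for failed curl calls and flags the pattern from the first post (an sftp:// target sent through an HTTP proxy), as distinct from the --noproxy form mentioned in the last reply. The sample log is constructed from the lines quoted in the first post, and the function names `entries` and `failed_transfers` are assumptions.

```python
import ast
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the first post's log excerpt (second failure is invented).
SAMPLE_LOG = """\
2021-03-04T14:02:27.871 [2307]INFO:plugins.CurlLib:Proxy is enabled. Protocol: ftp, proxy: http://proxy.ip.address:port/
2021-03-04T14:02:27.926 [2307]ERROR:plugins.FtpStorageIOLib:sftp cmd failed. RC: 22, Err: curl: (22) The requested URL returned error: 403
, Cmd: ['/usr/bin/curl', '--fail', '-u', 'backupusername:****', '--proxy', 'http://proxy.ip.address:port/', '--proxytunnel', '--list-only', 'sftp://sftp.ip.address:22/path/']
2021-03-04T15:10:01.100 [2307]ERROR:plugins.FtpStorageIOLib:sftp cmd failed. RC: 1, Err: constructed
, Cmd: ['/usr/bin/curl', '--fail', '-u', 'backupusername:****', '--noproxy', '*', '--list-only', 'sftp://sftp.ip.address:22/path/']
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+ \[\d+\]")   # start of a log entry
CMD = re.compile(r"Cmd: (\[.*\])", re.S)                # logged argv list
RC = re.compile(r"RC: (-?\d+)")                         # curl return code

def entries(text):
    """Rejoin entries that the newline in curl's error text split across lines."""
    entry = []
    for line in text.splitlines():
        if TS.match(line) and entry:
            yield "\n".join(entry)
            entry = []
        entry.append(line)
    if entry:
        yield "\n".join(entry)

def failed_transfers(text):
    """One finding per failed curl call: rc, target scheme, proxy in use."""
    findings = []
    for entry in entries(text):
        cmd, rc = CMD.search(entry), RC.search(entry)
        if "cmd failed" not in entry or not (cmd and rc):
            continue
        argv = ast.literal_eval(cmd.group(1))  # list is logged as a Python literal
        scheme = urlsplit(argv[-1]).scheme     # target URL is the last argument
        proxy = argv[argv.index("--proxy") + 1] if "--proxy" in argv else None
        findings.append({
            "rc": int(rc.group(1)),
            "scheme": scheme,
            "proxy": proxy,
            # SFTP runs over SSH; an HTTP proxy on this call matches the first post.
            "sftp_via_http_proxy": scheme == "sftp" and bool(proxy) and proxy.startswith("http"),
        })
    return findings

if __name__ == "__main__":
    print(*failed_transfers(SAMPLE_LOG), sep="\n")
```

A finding with `sftp_via_http_proxy` set to True points at the proxy settings; one with `proxy` of None is a different failure and needs the `Err` text examined instead.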