Sometimes you need to copy an IOS image or another file from one router to another, and to do it quickly. In that case the fastest and most secure way to do it is the SCP protocol.
First, enable SCP on either router, say Router_A:



Router_A# conf terminal

Router_A(config)# ip scp server enable
Router_A(config)# end
Router_A#


Now on the other router, say Router_B, run the copy command:
Router_B# copy scp: flash:
Address or name of remote host []?192.168.2.254
Source username []? admin
Source filename []? /vlan.dat
Destination filename [vlan.dat]
!
780 bytes copied in 5.044 secs (155 bytes/sec)
Router_B#


However, sometimes you will see an error like this:
%Error opening scp://*****@192.168.2.254/vlan.dat (No such file or directory)

This seems very odd, as everything looks configured and the file is in place!
Router_A# sh flash: | in vlan.dat
2          780 Dec 19 2016 09:02:54 +10:00 vlan.dat


Let’s enable debug on Router_A and see what’s going on:

Router_A#debug ip scp 
Incoming SCP debugging is on
Router_A#


On Router_B run copy again:
Router_B#copy scp: flash:
Address or name of remote host [192.168.2.254]? 
Source username [admin]? 
Source filename [vlan.dat]? 
Destination filename [vlan.dat]? 
Password: 


%Error opening scp://*****@192.168.2.254/vlan.dat (No such file or directory)



Let’s see what is on the Router_A console:
May 23 14:22:50.968: SCP: [22 <- 192.168.1.1:65252] recv <OK>
May 23 14:22:50.968: SCP: [22 -> 192.168.1.1:65252] send Privilege denied.

 
Now it looks better: the user admin does not have enough privilege to access the file over the network!
But how come:
Router_A#sh run | in username
username admin privilege 15 secret 5 $1$XlfX$Nlz1.Vzaek7ELbyJAAQhH/
 
We can’t have it higher :). 
 
Taking a deeper look at the Router_A configuration, we notice that it has ‘aaa new-model’ enabled:

Router_A#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization commands 15 default local 

Since AAA is enabled, we have to explicitly state which authorization source to use for exec privilege. We can do that by adding the config line below:

Router_A(config)# aaa authorization exec default local  
Router_A(config)#end
Router_A#

 
This small addition to the configuration tells the router to use the local database to look up the exec privilege level of the user (I am not quite sure why it is not the default, though).
Now let’s run copy and see what is printed on both consoles:

Router_B#copy scp: flash:
Address or name of remote host [192.168.2.254]? 
Source username [admin]? 
Source filename [vlan.dat]? 
Destination filename [vlan.dat]? 
Password: 
!
780 bytes copied in 3.352 secs (233 bytes/sec)
Router_B#




Router_A#

May 23 14:30:40.199: SCP: [22 <- 192.168.1.1:12944] recv <OK>
May 23 14:30:40.203: SCP: [22 -> 192.168.1.1:12944] send C0644 780 vlan.dat
May 23 14:30:40.207: SCP: [22 <- 192.168.1.1:12944] recv <OK>
May 23 14:30:40.207: SCP: sent 780 bytes
May 23 14:30:40.207: SCP: [22 -> 192.168.1.1:12944] send <OK>
May 23 14:30:40.215: SCP: [22 <- 192.168.1.1:12944] recv <OK>


Problem solved!
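
The misconfiguration found above can be spotted in a saved running-config before a copy fails. The Python check below is an added example, not part of the original post or any Cisco tool; the function names and sample configs are constructed for illustration, and it inspects global config lines only (it does not check whether vty lines reference a named authorization list).

```python
import re

# Constructed sample configs, modelled on the Router_A output in the post.
BROKEN = """\
aaa new-model
aaa authentication login default local
aaa authorization commands 15 default local
username admin privilege 15 secret 5 <hash-placeholder>
ip scp server enable
"""
FIXED = BROKEN + "aaa authorization exec default local\n"


def audit_scp_config(config_text):
    """Return findings that explain why an SCP copy from this router may fail."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    if "ip scp server enable" not in lines:
        findings.append("SCP server is off: 'ip scp server enable' is missing")

    aaa_on = "aaa new-model" in lines
    # Any exec authorization method list, e.g. 'aaa authorization exec default local'
    exec_lists = [ln for ln in lines
                  if re.match(r"aaa authorization exec \S+ \S+", ln)]
    if aaa_on and not exec_lists:
        findings.append(
            "aaa new-model is on but no 'aaa authorization exec' list exists; "
            "SCP sessions get no exec privilege level ('Privilege denied')")
    return findings


def local_privileges(config_text):
    """Map each local username to its configured privilege level."""
    pairs = re.findall(r"^username (\S+) privilege (\d+)", config_text, re.M)
    return {name: int(level) for name, level in pairs}


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN), ("after fix", FIXED)):
        print(label, "users:", local_privileges(cfg))
        for finding in audit_scp_config(cfg) or ["no findings"]:
            print("  -", finding)
```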