Hello there,

Jernej has set you off on the right path for the restoration should you have a system that has failed.

In regards to backup up a cluster configuration file, you can certainly back this file up, but like Jernej and you have also pointed out, you won't be able to load this cluster configuration file into a 'machine' on the older AsyncOS versions.

On version 8.5 releases, there is a new feature to load cluster configuration into the entire cluster, or into individual appliance within the cluster.

See notes: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5/release_notes/ESA_8-5_Release_Notes.pdf

Limitations:

Loading configuration in clustered appliances
You can now load configuration in clustered appliances in the following scenarios:

• If you are migrating from on-premise environment to hosted environment and you want to migrate the on-premise cluster configuration to the hosted environment.
• If an appliance in a cluster is down or needs to be retired and you want to load the configuration from this appliance to a new appliance that you plan to add to the cluster.
• If you want to load a backed up configuration to a cluster.

However for standard replacements for devices in a Cluster I would also suggest this approach:

If a device in the cluster has failed and is completely inaccessible.

Once replacement device is received, do your license transfers as necessary.

Upgrade the device to appropriate AsyncOS version

Add it to the cluster.

Note: It is important that you ensure your devices are always upgraded to  supported versions as RMA devices at this stage will not be able to downgrade to older version and there are some builds that are no longer available to upgrade to.

Recommended versions at this point are:

7.6.3-019

8.0.1-023

8.5.6-092/106 respectively.

You can try out my updated script that I use... based on this TechNote:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118403-technote-esa-00.html

(It is in the publication update process... but, here is updated script I wrote.)

#! /bin/bash

#

# Script to save the ESA config, then copy locally via SCP.  This is assuming you wish to

# have the cluster in SSH via port 22.  This script has been written and tested against

# AsyncOS 9.0.0-390 (01/15/2014).

#

# *NOTE* This script is a proof-of-concept and provided as an example basis. While these steps have 

# been successfully tested, this script is for demonstration and illustration purposes. Custom 

# scripts are outside of the scope and supportability of Cisco. Cisco Technical Assistance will 

# not write, update, or troubleshoot custom external scripts at any time.

#

# <SCRIPT>

#

# $HOSTNAME & $HOSTNAME2 can be either the FQDN or IP address of the ESAs in cluster.

#

HOSTNAME= [IP/HOSTNAME ESA1]

HOSTNAME2= [IP/HOSTNAME ESA2]

#

# $MACHINENAME is the local name for ESA1.

# 

MACHINENAME= [MACHINENAME AS LISTED FROM ‘clusterconfig list’]

#

# $USERNAME assumes that you have preconfigured SSH key from this host to your ESA.

# http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118305-technote-esa-00.html

#

USERNAME=admin

#

# $BACKUP_PATH is the directory location on the local system.

#

BACKUP_PATH= [/local/path/as/desired]

#

# Following will remove ESA1 from cluster in order to backup standalone config.

# "2> /dev/null" at the end of string will quiet any additional output of the clustermode command.

#

echo "|=== PHASE 1  ===| REMOVING $MACHINENAME FROM CLUSTER"

ssh $USERNAME@$HOSTNAME "clustermode cluster; clusterconfig removemachine $MACHINENAME" 2> /dev/null

#

# $FILENAME contains the actual script that calls the ESA, issues the 'saveconfig' command.

# The rest of the string is the cleanup action to reflect only the <model>-<serial number>-<timestamp>.xml.

#

echo "|=== PHASE 2  ===| BACKUP CONFIGURATION ON ESA"

FILENAME=`ssh -q $USERNAME@$HOSTNAME "saveconfig y 1" | grep xml | sed -e 's/\/configuration\///g' | sed 's/\.$//g' | tr -d "\""`

#

# The 'scp' command will secure copy the $FILENAME from the ESA to specified backup path, as entered above.

# The -q option for 'scp' will disable the copy meter/progress bar.

#

echo "|=== PHASE 3  ===| COPY XML FROM ESA TO LOCAL"

scp -q $USERNAME@$HOSTNAME:/configuration/$FILENAME $BACKUP_PATH

#

# Following will re-add ESA1 back into cluster.

#

echo "|=== PHASE 4  ===| ADDING $MACHINENAME BACK TO CLUSTER"

ssh $USERNAME@$HOSTNAME "clusterconfig join $HOSTNAME2 admin ironport Main_Group" 2> /dev/null

#

echo "|=== COMPLETE ===| $FILENAME successfully saved to $BACKUP_PATH"

#

# </SCRIPT>

#