
Configuration File Backups While in Cluster - Recent Changes

MARK SCHWANTJE
Beginner

I know that with older versions of AsyncOS a configuration file backed up while in a cluster could not be restored/loaded. However, in more recent versions (possibly introduced in 8.x), you can now load the configuration files you backed up while in a cluster. I cannot find any detailed information on this process and was wondering if someone could point me in the right direction. For example, are there any limitations or caveats that I should be aware of? Can it definitely be used to restore the entire cluster's configuration as well as specific machine's?

Thank you.

8 Replies

Robert Sherwin
Cisco Employee

What type of detailed information are you looking for?  This was a new feature as of 8.5, and per the release notes:

8.5 release notes

8.5.6 release notes

 

Full details are in the end user guide, 37-22:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5/user_guide/ESA_8-5_User_Guide.pdf

-Robert

Thanks. I did review the end user guide and wasn't quite sure about Step 3.3 on page 37-23. Can you shed any light on this step? Also, I'm assuming all the specific appliances' information is stored in the config file, which is what allows you to restore a single appliance in the event of a failure.

Mark

Yes - the appliance information is contained and separated in the cluster configuration.  But - keep in mind that you will be restoring the cluster configuration to an appliance that was in cluster @ the time that configuration was saved.  (*So - if you did a restore of the configuration and then wanted to remove that appliance FROM cluster, yes - it would then save out that original single appliance.)

To review this in a little more detail ---

Cluster config was saved from “mail.x”.  Two appliances in cluster - mail.x and mail2.x
 
We’ll be using “othermail.x”  for this repro.
 
When loading a saved configuration, the appliance must be joined in a cluster.
 
If not - you’ll be presented with the following:
 
Once appliance is in cluster… you have two choices - 
 
1) Load Configuration for Cluster:
 
For othermail.x, I want it to assume the appliance of mail2.x — so, I’ll set it as above.  (If I had other groups in cluster, I could also set that here — but, I only have the one group, as shown.)
 
Once review and commit completed - IP and hostname/listener is now set to be mail2.x.  Only thing I would need to do to complete mail2.x for completing the takeover of othermail.x would be to run sethostname.
 
2) Load Configuration for Appliance in Cluster:
 
The column on the left is the appliances currently IN cluster, othermail.x. Select the appliance you intend to have the configuration loaded FOR.
 
The column on the right is the appliances that WERE IN cluster @ the time the configuration was saved from.  Select the appliance you intend to copy to the current appliance selected in the left column.  So, here, I want to assume the previous role of mail2.x
 
Once you click OK, presented:
 
Click Continue.
 
After - the appliance now has loaded the configuration for the appliance as indicated from the column on right, and now is named the appliance “mail2.x”. If the difference before was IP, hostname, etc - that is now loaded, and the appliance has assumed these previous configuration settings as per the configuration.
 
Once review and commit completed - IP and hostname/listener is now set to be mail2.x.  Only thing I would need to do to complete mail2.x for completing the takeover of othermail.x would be to run sethostname.
 
Hope that helps!
-Robert

Thanks a lot for the detailed overview of the process. It definitely helps to have the screenshots and explanation.

Last questions - I think. Do you still need to save any certs you use separately, or is that stored in the cluster configuration?

No worries.  It's a new feature, and a little on the confusing side.  If you don't test and get a feel for it, it is easy to get confused.

As for the certs - the certs are included in the saved configuration - so, either at cluster level, if they are imported and saved @ cluster, or individually, if they are machine level.  

(*But - as a paranoid admin, I would also have saved out the certificates regardless, but that is just my experience.)

-Robert

I wanted to confirm one other thing with you. For loading an appliance configuration in a cluster, can you simply save the configuration file on one machine in the cluster and use that to load the configuration of any appliance in the cluster (since it contains all appliances' information)? Or is it necessary to save the configuration file on each machine in the cluster, and use that appliance's specific saved configuration file to load that appliance's configuration file?

Hopefully that makes sense.

Thanks.

Hi, Robert.

How to automate the Ironport config backup process? Is there any built-in method now? Thanks.

Leo Song

No - still no built-in way to automate/built-in from the appliance(s) - this would still be based on an external process to accomplish that... 

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118403-technote-esa-00.html

Note - this TechNote does contain proof of concept, and is not intended as a supported option from Cisco.

-Robert
