Restore cluster configuration

quentinperceval
Level 1

Hi !

I saw several posts on this subject, but the latest was 4 years ago, so I expect that now someone can help me.

My situation : 2*ESA (C370 with AsyncOS 7.6.3), Centralized management

My wish : automatic daily backup configuration files

To prevent :

- when my two appliances die together

- when an administrator does sh*t with the configuration and I want to roll back to last week's configuration

(basic stuff for admin)

I tried to simply use the "saveconfig" command, but the result (a "cluster configuration file") is just useless, because an appliance in Centralized Management mode cannot load configuration files, and an appliance in Standalone mode cannot load a "cluster configuration file".

The only way I see is leaving the cluster, backup configuration, and rejoin the cluster, but :

- what are the consequences of acting like that ?

- is there an automatic way to leave and join cluster ?

Thank you for your help

Best regards

Quentin

8 Replies

Robert Sherwin
Cisco Employee

Quentin -

Unfortunately, you are correct: the only way to get a usable backup of a configuration for a single machine-level appliance would be to take it out of the cluster, run the backup/dump of the configuration, and then rejoin it back to the cluster level.

This may aid in your question:

https://ironport.custhelp.com/app/answers/detail/a_id/1759/

#########################

Question:

How to setup automated backup of configuration in cluster using batch commands?

Symptoms:

Clustered machines cannot save a usable configuration. To get a usable configuration from the machine, it must be removed from the cluster before saving the configuration. While saving the configuration using the saveconfig command from the CLI, the ESA generates the following warning:

WARNING: Clustered machines do not support loadconfig. Your configuration file has complete data for the entire cluster, but cannot be used to restore a configuration.

There is no need to back up the configuration from every machine in a cluster. However, there could be multiple clusters in a network with multiple groups configured for each cluster. It would be quite difficult to remove every machine from its cluster, save the configuration, and join the cluster again manually.

The following batch commands can be used to log in to the Email Security appliance, remove the machine from the cluster, save or mail the config, and join the cluster again.

Note: The syntax for the clusterjoin command has changed in version 7.5 and now requires an admin username.

To Remove machine from Cluster:

> clusterconfig removemachine

To Save configuration on appliance with passwords:

In AsyncOS 7.5 and newer:

> saveconfig

Do you want to mask the password? Files with masked passwords cannot be loaded

using loadconfig command. [Y]>  Yes

In AsyncOS 7.1.5 and older:

> saveconfig

Do you want to include passwords? Please be aware that a configuration without

passwords will fail when reloaded with loadconfig. [N]>  Yes

To email configuration with passwords:

> mailconfig yes

To Join Cluster again:

In AsyncOS 7.5 and newer

(clusterconfig join [--port=xx] [

In AsyncOS 7.1.5 and older:

> clusterconfig join [--port=xx]

#########################

Also, please find the following article to aid in any automation/script creation:

https://ironport.custhelp.com/app/answers/detail/a_id/579/

*Please note that external scripting and automation is solely the customer's responsibility, and is not supportable by Cisco Support.*

Hope that helps!

-Robert

Thank you (again) for your answer.

I'm sorry but I cannot open your links, they are all redirected to the Cisco Ironport ScanSafe Customer Support...

As I was afraid that it was the only solution, I started to work on an automated script to leave - backup - join the cluster.

In this script, I back up the standalone configuration file from ESA1, which is in a cluster with ESA2 (ESA2 needs CCS activated on its interface to avoid using the admin password in the script).

#1) Remove ESA1 from the cluster

ssh backup@ "clustermode cluster; clusterconfig removemachine "

#2) Download standalone configuration file

filename=`ssh  backup@ "saveconfig no" | grep xml | sed "s/\"//g" | sed "s/\.$//"`

  scp backup@:$filename

#3) Add ESA1 as a future CCS cluster user on ESA2

ssh backup@ "clustermode cluster;clusterconfig prepjoin new \"\";commit CCS"

#4) Put ESA1 back into the cluster

ssh backup@ "clusterconfig join --port=2222 Main_Group"

It works well, except for step 4, where the prompt asks me to press Enter to validate the ESA2 host-key fingerprint.

Does someone know how to complete step 4 without human action?

Thank you for your help, I feel that I'm close to the solution ^^

Quentin

*I edited the reply, and tried to correct the KB links...

Let me try to get some free time here in a bit - will attempt to answer your #4...

-Robert

Hi Robert,

Thank you for your time, but I still cannot open your new links (they are still redirected to the Cisco Ironport ScanSafe Customer Support... a problem of rights?)

Are you using a unix / linux host to run the script?  There is a tool called expect which works by issuing commands over e.g. an SSH interface with send and looking for a response with expect.

http://en.wikipedia.org/wiki/Expect

So you could issue the clusterconfig command and look for the prompt to validate the key fingerprint and send a CR (\n)

I think there is a Windows based version as well, but I believe you have to run cygwin.

There may be other ways.  I assume you have run sshconfig already to avoid having to use passwords?  That should have already validated the key.

Hi David,

Yes I'm using linux to host the script.

I will look into the expect tool, thank you for the advice.

I searched around the sshconfig command, and would like to add the key from my ESA in the cluster to my ESA joining the cluster, but I didn't find which key was sent (I only have the fingerprint of this key).

Do you know where I can find this key to try?

Thank you

The sshconfig command should list the keys already there, or allow you to add new ones. You can create new keys on the Linux box using the ssh-keygen command and then paste the key into the sshconfig command. The help and manuals on this are a bit sparse; the best info I have found is in a Cisco publication written by a former Cisco IronPort employee, Chris Porter, called "Email Security with Cisco IronPort" from ciscopress.com

http://www.ciscopress.com/store/email-security-with-cisco-ironport-9781587142925

There's a whole chapter on automating with scripts like this.

Hi,

I finally solved my step #4 problem!

Here is the way :

- On a member of the cluster, do logconfig > hostkeyconfig > host, and copy the ssh-dss key of all the machines in the cluster.

- Add these keys in logconfig > hostkeyconfig > new, with their associated IP/hostname (one key at a time).

With this configuration, every machine can leave and join the cluster without human action, following my previous script.

#1) Remove ESA1 from the cluster

ssh backup@ "clustermode cluster; clusterconfig removemachine "

#2) Download standalone configuration file

filename=`ssh  backup@ "saveconfig no" | grep xml | sed "s/\"//g" | sed "s/\.$//"`

  scp backup@:$filename

#3) Add ESA1 as a future CCS cluster user on ESA2

ssh backup@ "clustermode cluster;clusterconfig prepjoin  new   \"\";commit CCS"

#4) Put ESA1 back into the cluster

ssh backup@ "clusterconfig join --port=2222 Main_Group"

Thank you for all your answers

Best Regards

Quentin
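The leave / saveconfig / scp / prepjoin / join cycle from this thread, as an added example that is not Quentin's script or any Cisco tooling. The parts that can silently go wrong (parsing the path out of saveconfig's output, trusting the fetched file) are pulled into functions that can be checked on their own. Everything not in the thread is an assumption: the host names esa1.example.net and esa2.example.net, SSH user "backup", CCS port 2222, group "Main_Group", the local directory /var/backups/esa, the retention window, the argument to `prepjoin new` (the thread's own line quoted a value that did not survive extraction, so it is left as a variable you must fill), and the sample saveconfig output, which is constructed in the shape Quentin's `grep xml | sed` pipeline expects (a quoted path ending in .xml followed by a period). It relies on the host keys already being seeded with logconfig > hostkeyconfig as in the final post, so the join never stops at a fingerprint prompt.

```shell
#!/bin/sh
# Added example (not from the thread): automated leave / backup / rejoin for an ESA
# in a cluster. Assumptions (not in the thread): the variable defaults below and
# that both appliances already hold each other's host keys (hostkeyconfig).
ESA1="${ESA1:-esa1.example.net}"
ESA2="${ESA2:-esa2.example.net}"
ESA_USER="${ESA_USER:-backup}"
CCS_PORT="${CCS_PORT:-2222}"
GROUP="${GROUP:-Main_Group}"
PREPJOIN_ARG="${PREPJOIN_ARG:-}"          # fill in what your AsyncOS version expects
BACKUP_DIR="${BACKUP_DIR:-/var/backups/esa}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# One batch command over SSH. BatchMode makes ssh fail instead of prompting, so a
# cron run never hangs on a password or an unknown host key.
esa_cli() {
    host="$1"; shift
    ssh -o BatchMode=yes "$ESA_USER@$host" "$@"
}

# Pull the saved path out of saveconfig's output (read from stdin). The thread's
# one-liner greps for "xml" and strips the quotes and trailing period; this does
# the same but only accepts one quoted token ending in .xml and rejects ".." or
# whitespace, so an unexpected line can never become a strange scp source path.
parse_saveconfig_filename() {
    name=$(sed -n 's/.*"\([^"]*\.xml\)".*/\1/p' | head -n 1)
    [ -n "$name" ] || return 1
    case "$name" in
        *..*|*[[:space:]]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Sanity-check a fetched backup before trusting it: non-empty and actually XML.
check_backup_file() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^<?xml' || return 1
    return 0
}

esa_backup_cycle() {
    umask 077                       # the file contains passwords: owner-only
    mkdir -p "$BACKUP_DIR"

    # 1) Take ESA1 out of the cluster (machine name assumed to be its host name).
    esa_cli "$ESA1" "clustermode cluster; clusterconfig removemachine $ESA1" || return 1

    # 2) Standalone saveconfig with passwords kept ("no" answers the mask prompt),
    #    then copy the file down. Stop before touching the cluster again if this
    #    fails, so the failure is visible rather than papered over by a rejoin.
    remote=$(esa_cli "$ESA1" "saveconfig no" | parse_saveconfig_filename) || {
        echo "saveconfig did not report a file name" >&2; return 1; }
    local_file="$BACKUP_DIR/$(date +%Y%m%dT%H%M%S)-${remote##*/}"
    scp -o BatchMode=yes "$ESA_USER@$ESA1:$remote" "$local_file" || return 1
    check_backup_file "$local_file" || { echo "bad backup: $local_file" >&2; return 1; }

    # 3) On ESA2, pre-authorise ESA1 as a CCS cluster user.
    esa_cli "$ESA2" "clustermode cluster; clusterconfig prepjoin new \"$PREPJOIN_ARG\"; commit CCS" || return 1

    # 4) Rejoin ESA1 to its group.
    esa_cli "$ESA1" "clusterconfig join --port=$CCS_PORT $GROUP" || return 1

    # Rolling window of backups, since "roll back to last week" is the use case.
    find "$BACKUP_DIR" -name '*.xml' -mtime +"$KEEP_DAYS" -delete
}

# Run the cycle only when asked, so the file can also be sourced for its functions.
if [ "${ESA_BACKUP_RUN:-0}" = 1 ]; then
    esa_backup_cycle
fi
```

Run it from cron as `ESA_BACKUP_RUN=1 sh esa-backup.sh` once the variables are set for your site. The saved XML holds the appliance's passwords (that is the point of answering "no" to the mask prompt), so the backup directory should be owner-only and, if it leaves the host, encrypted in transit and at rest.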