11-07-2013 08:58 AM
Hi!
I saw several posts on this subject, but the latest was 4 years ago, so I expect that now someone can help me.
My situation: 2 x ESA (C370 with AsyncOS 7.6.3), Centralized Management
My wish: automatic daily backup of the configuration files
To prevent :
- when my two appliances die together
- when an administrator does sh*t with the configuration and I want to roll back to last week's configuration
(basic stuff for admin)
I tried simply using the "saveconfig" command, but the result (a "cluster configuration file") is just useless, because an appliance in Centralized Management mode cannot load configuration files, and an appliance in Standalone mode cannot load a "cluster configuration file".
The only way I see is leaving the cluster, backing up the configuration, and rejoining the cluster, but:
- what are the consequences of doing that?
- is there an automatic way to leave and join the cluster?
Thank you for your help
Best regards
Quentin
11-08-2013 08:29 AM
Quentin -
Unfortunately, you are correct: the only way to get a usable backup of a configuration for a single machine-level appliance would be to take it out of the cluster, run the backup/dump of the configuration, and then rejoin it back to the cluster level.
This may aid in your question:
https://ironport.custhelp.com/app/answers/detail/a_id/1759/
#########################
Question:
How to setup automated backup of configuration in cluster using batch commands?
Symptoms:
Clustered machines cannot save a usable configuration. To get a usable configuration from the machine, it must be removed from the cluster before saving the configuration. While saving the configuration using the saveconfig command from the CLI, the ESA generates the following warning:
WARNING: Clustered machines do not support loadconfig. Your configuration file has complete data for the entire cluster, but cannot be used to restore a configuration.
There is no need to back up the configuration from every machine in a cluster. However, there could be multiple clusters in a network with multiple groups configured for each cluster. It would be quite difficult to remove every machine from the cluster, save the configuration and join the cluster again manually.
The following batch commands can be used in conjunction with logging in to the Email Security appliance, to remove the machine from the cluster, save or mail the config and join the cluster again.
Note: The syntax for the clusterjoin command has changed in version 7.5 and now requires an admin username.
To remove the machine from the cluster:
> clusterconfig removemachine
To save the configuration on the appliance with passwords:
In AsyncOS 7.5 and newer:
> saveconfig
Do you want to mask the password? Files with masked passwords cannot be loaded
using loadconfig command. [Y]> Yes
In AsyncOS 7.1.5 and older:
> saveconfig
Do you want to include passwords? Please be aware that a configuration without
passwords will fail when reloaded with loadconfig. [N]> Yes
To email the configuration with passwords:
> mailconfig
To join the cluster again:
In AsyncOS 7.5 and newer:
> clusterconfig join [--port=xx]
In AsyncOS 7.1.5 and older:
> clusterconfig join
#########################
Also, please find the following article to aid in any automation/script creation:
https://ironport.custhelp.com/app/answers/detail/a_id/579/
*Please note that external scripting and automation is solely the customer's responsibility, and is not supported by Cisco Support.*
Hope that helps!
-Robert
11-08-2013 08:44 AM
Thank you (again) for your answer.
I'm sorry but I cannot open your links, they are all redirected to the Cisco Ironport ScanSafe Customer Support...
As I was afraid that this was the only solution, I started to work on an automated script to leave, back up and join the cluster.
In this script, I back up the standalone configuration file from ESA1, which is in a cluster with ESA2 (ESA2 needs CCS activated on its interface to avoid using the admin password in the script).
#1) Remove ESA1 from the cluster
# (<ESA1>, <ESA2> and <local backup dir> are placeholders for values the forum stripped from the post)
ssh backup@<ESA1> "clustermode cluster; clusterconfig removemachine <ESA1>"
#2) Download the standalone configuration file
filename=$(ssh backup@<ESA1> "saveconfig no" | grep xml | sed 's/"//g' | sed 's/\.$//')
scp backup@<ESA1>:"$filename" <local backup dir>
#3) Add ESA1 as a future CCS cluster user on ESA2
# (the arguments to "prepjoin new" were lost when the post was rendered)
ssh backup@<ESA2> "clustermode cluster; clusterconfig prepjoin new \" \"; commit CCS"
#4) Put ESA1 back into the cluster
ssh backup@<ESA1> "clusterconfig join --port=2222 Main_Group"
It works well, except for step 4, where the prompt asks me to press Enter to validate the ESA2 host-key fingerprint.
Does someone know how to complete step 4 without human action?
Thank you for your help, I feel that I'm close to the solution ^^
Quentin
11-08-2013 09:34 AM
*I edited the reply, and tried to correct the KB links...
Let me try to get some free time here in a bit - will attempt to answer your #4...
-Robert
11-12-2013 12:45 AM
Hi Robert,
Thank you for your time, but I still cannot open your new links (still redirected to the Cisco IronPort ScanSafe Customer Support... a problem of rights?)
11-09-2013 05:40 AM
Are you using a unix / linux host to run the script? There is a tool called expect which works by issuing commands over e.g. an SSH interface with send and looking for a response with expect.
http://en.wikipedia.org/wiki/Expect
So you could issue the clusterconfig command, look for the prompt to validate the key fingerprint, and send a CR (\n).
I think there is a Windows based version as well, but I believe you have to run cygwin.
There may be other ways. I assume you have run sshconfig already to avoid having to use passwords? That should have already validated the key.
11-12-2013 12:59 AM
Hi David,
Yes I'm using linux to host the script.
I will look into the expect tool, thank you for the advice.
I searched around the sshconfig command, and would like to add the key from my ESA in the cluster to my ESA joining the cluster, but I didn't find which key was sent (I only have the fingerprint of this key).
Do you know where I can find this key to try ?
Thank you
11-12-2013 01:38 AM
The sshconfig command should list the keys already there, or allow you to add new ones. You can create new keys on the Linux box using the ssh-keygen command and then paste the key into the sshconfig command. The help and manuals on this are a bit sparse; the best info I have found is in a Cisco publication written by a former Cisco IronPort employee, Chris Porter, called "Email Security with Cisco IronPort" from ciscopress.com
http://www.ciscopress.com/store/email-security-with-cisco-ironport-9781587142925
There's a whole chapter on automating with scripts like this.
11-12-2013 01:51 AM
Hi,
I finally solved my step #4 problem!
Here is the way:
- On a member of the cluster, do logconfig > hostkeyconfig > host, and copy the ssh-dss key of all the machines in the cluster.
- Add these keys in logconfig > hostkeyconfig > new, with their associated IP/hostname (one key at a time).
With this configuration, every machine can leave and join the cluster without human action, following my previous script.
#1) Remove ESA1 from the cluster
# (<ESA1>, <ESA2> and <local backup dir> are placeholders for values the forum stripped from the post)
ssh backup@<ESA1> "clustermode cluster; clusterconfig removemachine <ESA1>"
#2) Download the standalone configuration file
filename=$(ssh backup@<ESA1> "saveconfig no" | grep xml | sed 's/"//g' | sed 's/\.$//')
scp backup@<ESA1>:"$filename" <local backup dir>
#3) Add ESA1 as a future CCS cluster user on ESA2
# (the arguments to "prepjoin new" were lost when the post was rendered)
ssh backup@<ESA2> "clustermode cluster; clusterconfig prepjoin new \" \"; commit CCS"
#4) Put ESA1 back into the cluster
ssh backup@<ESA1> "clusterconfig join --port=2222 Main_Group"
Thank you for all your answers
Best Regards
Quentin
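The leave/backup/rejoin procedure from the KB article quoted above and from Quentin's final script, written up as an added example that is not Quentin's script or Cisco's code. It assumes placeholder hostnames (esa1/esa2.example.invalid), a "backup" SSH user whose key was installed with sshconfig, a cluster group name, and that the operator supplies the "prepjoin new" arguments (which the thread lost) in PREPJOIN_ARGS. What it adds to the thread's version: an EXIT trap so a failed copy still attempts the rejoin, owner-only permissions because the file is saved with unmasked passwords, and a dry-run mode.

```shell
#!/bin/sh
# Added example (not the thread's script): unattended leave/backup/rejoin for one ESA.
# All hostnames, users, paths and the prepjoin arguments below are placeholders.
ESA1="${ESA1:-esa1.example.invalid}"   # appliance being backed up (placeholder)
ESA2="${ESA2:-esa2.example.invalid}"   # cluster member ESA1 rejoins through over CCS (placeholder)
SSH_USER="${SSH_USER:-backup}"         # account whose key was added via sshconfig (placeholder)
CLUSTER_GROUP="${CLUSTER_GROUP:-Main_Group}"
CCS_PORT="${CCS_PORT:-2222}"
PREPJOIN_ARGS="${PREPJOIN_ARGS:-}"     # operator-supplied; the thread's values were lost
BACKUP_DIR="${BACKUP_DIR:-/var/backups/esa}"
KEEP_DAYS="${KEEP_DAYS:-30}"
DRY_RUN="${DRY_RUN:-0}"                # 1 = print each command instead of running it

# Execute a local command, or print it in dry-run mode.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Run a batch of AsyncOS CLI commands on an appliance over SSH.
esa_cli() {
    host="$1"; shift
    run_cmd ssh "$SSH_USER@$host" "$*"
}

# Pull the saved file name out of saveconfig's message. Assumption (as in the
# thread's grep/sed pipeline): the name is the only token ending in .xml.
extract_config_filename() {
    sed -e 's/"//g' -e 's/\.$//' | tr ' ' '\n' | grep '\.xml$' | head -n 1
}

# Local path for a backup: <dir>/<YYYYMMDD>-<host>.xml
backup_path() {
    printf '%s/%s-%s.xml' "$BACKUP_DIR" "$2" "$1"
}

# Put ESA1 back into the cluster. Runs from an EXIT trap so a failure after
# removemachine does not leave the appliance standalone. No fingerprint prompt
# appears if ESA2's host key is registered under logconfig > hostkeyconfig, as
# the thread's final post describes.
rejoin_cluster() {
    esa_cli "$ESA2" "clustermode cluster; clusterconfig prepjoin new $PREPJOIN_ARGS; commit CCS"
    esa_cli "$ESA1" "clusterconfig join --port=$CCS_PORT $CLUSTER_GROUP"
}

backup_esa() {
    umask 077                   # the file contains unmasked passwords: owner-only
    mkdir -p "$BACKUP_DIR"
    # 1) Leave the cluster; only a standalone appliance writes a loadable config.
    esa_cli "$ESA1" "clustermode cluster; clusterconfig removemachine $ESA1"
    trap rejoin_cluster EXIT    # from here on, always attempt the rejoin
    # 2) Save with passwords ("no" = do not mask them) and fetch the file.
    filename=$(esa_cli "$ESA1" "saveconfig no" | extract_config_filename)
    if [ -z "$filename" ]; then
        echo "saveconfig output did not contain an .xml file name" >&2
        return 1
    fi
    run_cmd scp "$SSH_USER@$ESA1:$filename" "$(backup_path "$ESA1" "$(date +%Y%m%d)")"
    # 3) Keep KEEP_DAYS of history so the backup host does not fill up.
    run_cmd find "$BACKUP_DIR" -name '*.xml' -mtime +"$KEEP_DAYS" -delete
}

# Only act when invoked as "sh esa_backup.sh run" (e.g. from cron); otherwise
# the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    backup_esa
fi
```

Run it once with DRY_RUN=1 to see the exact ssh/scp/find commands before pointing it at a production appliance; the trap is the part worth keeping even if the rest is adapted, since a copy failure otherwise leaves the appliance out of the cluster until someone notices.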