Solved: Re: Restore config on AIP-SSM20 ?

tiwang · ‎06-23-2011

Hi out there

I have a minor problem here - we are in the phase inupgrading our firewalls from a set of 5510 with SSM10 to a set of 5520 with SSM20 - and I expected it was quite simple just to restore the current config from the SSM10 on the SSM20'es - and weel - it also looks so when I first copy the config from my ftp-server to the backup-config and then load the backup to current config with erase - but when I afterwards look in the network configuration it has been replaced?

I am running the 7.04(E4) version of the kernel there...

Has anyoine out there tried to backup and restore the complete config - without problems?

If I copy the restored config back and do a diff on them all the difference is located in the service host section:

2c2

< ! Current configuration last modified Wed Jun 22 23:42:31 2011

---

> ! Current configuration last modified Wed Mar 30 15:03:54 2011

8c8

< ! Signature Update S573.0 2011-06-08

---

> ! Signature Update S561.0 2011-04-20

34c34

< service host

---

> service host

36c36,38

< host-ip x.x.x.42/24,x.x.x.111

---

> host-ip x.x.x.42/24,x.x.x.1

> host-name isp-fw_pri

> telnet-option enabled

37a40,54

> dns-primary-server enabled

> address 8.8.8.8

> exit

> dns-secondary-server disabled

> dns-tertiary-server disabled

> exit

> time-zone-settings

> offset 60

> standard-time-zone-name GMT+01:00

> exit

> ntp-option enabled-ntp-unauthenticated

> ntp-server 193.162.145.130

> exit

> auto-upgrade

> cisco-server disabled

is this a know issue?

best regards /ti

Dustin Ralich · ‎06-27-2011

we are in the phase inupgrading our firewalls from a set of 5510 with SSM10 to a set of 5520 with SSM20 - and I expected it was quite simple just to restore the current config from the SSM10 on the SSM20'es

Correct. You should be able to restore a sensor configuration backup from an AIP-SSM-10 onto an AIP-SSM-20 sensor module without much trouble, as even though hardware-wise the AIP-SSM-20 is more capable/powerful, there are not any differences in interface naming conventions (or quantity), etc. that would appear in the configuration.

I expected it was quite simple just to restore the current config from the SSM10 on the SSM20'es - and weel - it also looks so when I first copy the config from my ftp-server to the backup-config and then load the backup to current config with erase - but when I afterwards look in the network configuration it has been replaced?

I'm not sure I follow exactly the procedure you attempted, but you should be able to backup the current-config from the AIP-SSM-10 sensor module to a remote server, then copy from the remote server to the AIP-SSM-20 sensor module. Example:

aip-ssm-10# copy current-config

aip-ssm-20# copy /erase current-config

NOTE: The /erase parameter only applies to the current-config. If specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config. Perhaps this is part of the confusion?

View solution in original post

Dustin Ralich · ‎06-27-2011

we are in the phase inupgrading our firewalls from a set of 5510 with SSM10 to a set of 5520 with SSM20 - and I expected it was quite simple just to restore the current config from the SSM10 on the SSM20'es

Correct. You should be able to restore a sensor configuration backup from an AIP-SSM-10 onto an AIP-SSM-20 sensor module without much trouble, as even though hardware-wise the AIP-SSM-20 is more capable/powerful, there are not any differences in interface naming conventions (or quantity), etc. that would appear in the configuration.

I expected it was quite simple just to restore the current config from the SSM10 on the SSM20'es - and weel - it also looks so when I first copy the config from my ftp-server to the backup-config and then load the backup to current config with erase - but when I afterwards look in the network configuration it has been replaced?

I'm not sure I follow exactly the procedure you attempted, but you should be able to backup the current-config from the AIP-SSM-10 sensor module to a remote server, then copy from the remote server to the AIP-SSM-20 sensor module. Example:

aip-ssm-10# copy current-config

aip-ssm-20# copy /erase current-config

NOTE: The /erase parameter only applies to the current-config. If specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config. Perhaps this is part of the confusion?

tiwang · ‎06-27-2011

hi dustin

Have you tried it yourself (eg: are you sure that it works?) - the net I am testing from is a local net without any connection to other networks so it might be there we have a little problem - during the restore it claims that it cannot contact the ntp server (thats correct - it is a closed net) and this is the only error it shows - but I could suspect that if it cannot contact that ntp server to verify connectivity it drops completely out of that section - eg the host section - and hereby none of the parameters are updated - but I'll try this evening to do a restore of it again.

best regards /ti

Dustin Ralich · ‎06-28-2011

hi dustin. Have you tried it yourself (eg: are you sure that it works?)

Yes. I ran through the process (copying the current-config off to a remote server (then manually verifying the remote copy) and then copying it back, including the /erase parameter (and then manually verifying the current-config to be intact)). Here's the output from the copy back portion:

sensor# copy /erase scp: current-config

User: service

Server's IP Address: 192.168.0.10

Port[22]:

File name: sensor.cfg

Password: ********

Warning: Copying over the current configuration may leave the box in an unstable state.

Would you like to copy current-config to backup-config before proceeding? [yes]:

sensor.cfg 100% 3012 0.0KB/s 00:00

Warning: Replacing existing network-settings may leave the box in an unstable state.

Would you like to replace existing network settings(host-name/ipaddress/netmask/gateway/access-list) on the sensor? [no]: yes

Processing config: |Connection to sensor closed.

Perhaps when you tried earlier, you answered "no" (which is the default) to the prompt to replace the existing network settings?

the net I am testing from is a local net without any connection to other networks so it might be there we have a little problem - during the restore it claims that it cannot contact the ntp server (thats correct - it is a closed net) and this is the only error it shows - but I could suspect that if it cannot contact that ntp server to verify  connectivity it drops completely out of that section - eg the host section - and hereby none of the parameters are updated

Yes, I would suspect as you noted that since the configured NTP server was/is not reachable by your AIP-SSM-20, that when the NTP portion of the config was processed and the sensor attempted to validate the specified NTP server IP address as reachable/working, that failed and interrupted the process. In that case (where you know the sensor will not be able to access/reach the configured NTP server), you could try manually removing the NTP config lines from the remote server's copy of the sensor config before you restore it.

tiwang · ‎06-28-2011

hi again

yesterday evening I got a chance to test it and yes - it is the "missing" connectivity to that ntp-server that causes the problem - if it cannot reach/validate the ntp server it drops out of the whole "service host" section but continues restoring after that- no big deal if you are aware of it...

best regards /ti