ASA Config Backup and restore

Simon.peters1
Level 1

Hello,

I have tried to use the ASDM to back up a config which includes VPN tunnels and other objects. I selected all the tick options for the full backup through the ASDM and I assumed all was OK, but then when I went to restore it to a new factory ASA I noticed all the site-to-site VPN details were missing.

Any reason why this would happen?

If I use PuTTY to do a "wr t" and copy the config, which has all the keys showing as encrypted, can I paste this into the new one, or do I need to enter the correct details before pasting? Basically, is the password shown as encrypted but I can paste it in OK?

Thanks,

Simon


Having a quick scan through that link you sent looks like just the ticket!

I will give it a shot and come back to you!

Thank you!

Simon

If you use the link that I sent, I would use it up to step 9, but I am not sure that there is necessarily a need to keep going with the step that formats the disk and then loads the image file to disk again.

Once you get it to boot and it is running normally then we can assess what is on the disk and what changes we might need to make.

HTH

Rick


Perfect, thanks!

I won't be able to try it for a while but I will come back.

Thanks again for your help 

Morning Rick,

OK, I have made some progress. I have done up to step 9 and I gained access to the console again, but on a reboot it did the same, as I assume the bin file is no longer in the flash. I have done a "dir disk0" and it is showing as blank.

I tried to continue with the document but I am getting errors when trying to set some of the commands.

I currently have access to the console and I have the attached error. Do I just need to copy the bin file to the flash?

Many thanks,
Simon

Do I just need to copy the bin file to the flash?

Yes, and make the boot command match the image you have copied to the flash.

Thanks Phillip!

I thought as much but my tftp is playing up now!

I will try again.

Thanks

Put it on a memory key, plug the memory key into the ASA, and then copy it.

All sorted!

Many thanks indeed for your help!

I think it is called usb0: or usbdisk0:. Just do a "copy ?" and look at the disk names.

Simon.peters1
Level 1

Hi Rick,

I have made a bit of a mess of downgrading the ASA to an older version.

My device is now stuck on Loading disk0:/ asa841-k8.bin..... I followed this: https://supportforums.cisco.com/document/98421/how-upgrade-or-downgrade-ios-isr-or-similar-router. It will reboot and I can press ESC to load rommon. I verified the new version as per the document, but it hangs on loading and then eventually restarts.

and reloaded, and it's now stuck. Could you help me load the flash file so it boots OK? I have copied the older version via FTP to the Cisco device and changed the boot entry, but now it won't boot. Can it be sorted via confreg?

Many thanks,
Simon

Simon.peters1
Level 1

Hi all,

The ASA is now back up and running exactly the same version as the one I backed up. I have restored it and the keys all copied over to the new one OK, but I have noticed a difference in the VPN section with the IPsec.

Below is the working config on the live ASA:

vpn-group-policy VPN
tunnel-group 10.0.0.0 type ipsec-l2l
tunnel-group 10.0.0.0 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.0.0.0 type ipsec-l2l
tunnel-group 10.0.0.0 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool RemotePool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
!

Here is what the config shows on the new restored ASA:

vpn-group-policy VPN
tunnel-group 10.0.0.0 type remote-access
tunnel-group 10.0.0.0 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.0.0.0 type remote-access
tunnel-group 10.0.0.0 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool RemotePool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
!

I have changed the IPs to 10.0.0.0. It appears to have taken off "type ipsec-l2l" from the end of the line.

Is this ok?


Many thanks!

Simon

I am glad that the ASA is now up and running. I am not sure what happened as you restored the config but what you show on the restored ASA is significantly different from the live ASA and I would say that it is not ok.

The live ASA has two tunnel groups for addresses that you have turned into 10.0.0.0. Both of those tunnels were of type ipsec-l2l. What this means is that they are site-to-site VPNs. In the restored config those two tunnel groups are of type remote-access. This is for user client-based VPN and quite different from site to site. Then the live ASA has a tunnel group called VPN which is type remote-access. But the restored config changed the name to RemoteVPN. But then it goes back to the name VPN as it defines the pre-shared key. I suspect there is some other part of the config that relates to these, and the shifting names could cause problems.

HTH

Rick


Hi Rick,

It's odd that it would change following a restore. The config should have both site-to-site and remote user VPNs.

I have shipped the ASA to site now, but I should be able to make the changes when it arrives.

I am confused why a device on the exact same version didn't restore as it was, though. Have you got any other ways to back up and restore the config?

Thanks,
Simon

Simon

It is certainly odd that some entries would change in the process of doing a restore. In fact I would consider it worrisome. I do not have an explanation of why it would have changed, but I wonder if there is something in the course of changing version, having trouble with disk0 (if dir disk0 shows blank), that might impact restoring the config.

At this point the primary concern probably is getting the config corrected. I hope that you will have access to the ASA and can make the changes to correct it. I am concerned about the two site-to-site VPNs that should have been in the config but are not, and whether your access to the site might have depended on one of them.

Doing a backup of the config and a restore is an interesting question and perhaps is a bit of a moving target. I will admit that in general I use "more system:running-config" and copy and paste the text into a file to back up, and could then use that text file to restore. Note that show running-config does not contain the shared keys and would not be suitable for restore. My preference for this method of backup reflects my general preference for doing things from the command line. However, on the ASA there are some things that are done in ASDM and cannot be done from the command line (Dynamic Access Policy is one example that comes to mind). Doing the backup from the command line does not back these things up, and so the answer is that doing the ASA backup using ASDM is better than doing the backup from the CLI.

HTH

Rick

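The two checks Rick describes above, comparing tunnel-group types between the live and restored configs and confirming that a CLI backup still carries the pre-shared keys rather than the "*****" masking that show running-config applies, can be scripted before a restore is trusted. This is an added example, not code from the thread or from Cisco; the LIVE and RESTORED texts are constructed excerpts modelled on the two configs Simon posted, with made-up key values.

```python
import re
# Constructed excerpts modelled on the thread's two configs; keys are made-up sample values.
LIVE = """\
tunnel-group 10.0.0.0 type ipsec-l2l
tunnel-group 10.0.0.0 ipsec-attributes
 ikev1 pre-shared-key 7k3x9Fq2Lm
tunnel-group VPN type remote-access
tunnel-group VPN ipsec-attributes
 ikev1 pre-shared-key Zq8Pw1Rt5v
"""
RESTORED = """\
tunnel-group 10.0.0.0 type remote-access
tunnel-group 10.0.0.0 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RemoteVPN type remote-access
tunnel-group VPN ipsec-attributes
 ikev1 pre-shared-key *****
"""
TG_RE = re.compile(r"^tunnel-group (\S+) (type|ipsec-attributes|general-attributes)\s*(\S*)")

def parse_tunnel_groups(config):
    """Map tunnel-group name -> {'type': ..., 'psk': ...} from ASA config text."""
    groups, current = {}, None
    for line in config.splitlines():
        m, parts = TG_RE.match(line), line.split()
        if m:
            current, section, value = m.groups()
            entry = groups.setdefault(current, {"type": None, "psk": None})
            if section == "type":
                entry["type"] = value
        elif current and parts[:2] == ["ikev1", "pre-shared-key"] and len(parts) > 2:
            groups[current]["psk"] = parts[2]  # sub-command; indent optional (the paste lost it)
    return groups

def audit_restore(live_cfg, restored_cfg):
    """Return findings to clear before trusting a restored config."""
    live, restored = parse_tunnel_groups(live_cfg), parse_tunnel_groups(restored_cfg)
    findings = []
    for name, info in live.items():
        if name not in restored:
            findings.append(f"missing tunnel-group {name}")
        elif restored[name]["type"] != info["type"]:
            findings.append(f"type changed for {name}: {info['type']} -> {restored[name]['type']}")
    for name in sorted(restored.keys() - live.keys()):
        findings.append(f"unexpected tunnel-group {name}")
    for name, info in restored.items():
        # '*****' is the masking 'show running-config' applies; such a backup cannot restore the key
        if info["psk"] and set(info["psk"]) == {"*"}:
            findings.append(f"masked pre-shared-key for {name}")
    return findings
```

Run against the two excerpts it reports the ipsec-l2l to remote-access change, the VPN/RemoteVPN rename and the two masked keys; a clean run against a "more system:running-config" backup of the same box returns an empty list.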

Hi Rick,

It is worrying for sure. As you say, my main concern is to get it sorted. I am not worried about accessing it, as I sent a console cable and a machine on site has a serial port, so I can always connect to it that way.

I think what I will do is possibly factory reset the unit and do a "show running-config" and paste it in. Could I then restore the keys via the ASDM, or can I just paste them into the CLI?

Many thanks,

Simon