03-01-2021 02:40 PM
I am successfully backing up running-config using Embedded Event Manager:
event manager applet Backup-Config
event timer absolute time 1:00:00
action 0 cli command "copy /noconfirm running-config tftp://guru/backups/asa-x-vpn-config-latest"
output file overwrite flash:Backup-Config.output
However, both the Active and the Standby unit of the cluster execute this applet ... sometimes the TFTP host 'guru' contains running-config from the Active unit, sometimes from the Standby unit
Minimally, I would rather see running-config from the Active unit be the one which 'wins' on the tftp server, because it contains a key configuration line, e.g.
route inside 0.0.0.0 0.0.0.0 10.1.2.3 tunneled
while running-config on the Standby unit does not.
The two config files also vary in the following line:
failover lan unit primary
vs
failover lan unit secondary
The set of X.509 certificates also differs between the two
Maximally, I would like to save both configs separately, say, as:
asa-active-vpn-config
asa-standby-vpn-config
But I don't see a way to do this. I have looked for a couple of features, notably:
- I would like to reflect the value of 'prompt hostname state' into a variable, so that I could write:
copy /noconfirm running-config tftp://server-name//backups/$prompt-vpn-config
This would produce, in my imagination at least, two files:
asa-x-vpn/act-config
and
asa-x-vpn/stby-config
Alternatively, some way to instruct the ASA OS to *not* replicate a set of config lines to the Standby unit
Both approaches have flaws in them. But in any case, I don't see these features.
I have also tried triggering the Applet on the 111008 Syslog message rather than via an Absolute timer -- works fine, but with the same results, i.e. both the Active and the Standby units execute the 'copy running-config' command
Has anyone else come up with a coherent way to automatically backup the config file(s) of an ASA cluster?
--sk
03-03-2021 05:36 AM - edited 03-03-2021 05:41 AM
OK, I would prefer to push from EEM to the tftp/ftp/scp server
Or, I would prefer to pull using SNMP (for IOS and NX-OS http://www.skendric.com/nmgmt/device/Cisco/auto-save)
However, I don't see EEM being sufficiently capable yet for this task. Nor does ASA support SNMP copying of files. So, one creates a local, highly-privileged account to facilitate all this
Here are a couple of ways to do this:
test-asa# config t
ssh scopy enable
username foo password secret privilege 15
username foo attributes
ssh authentication publickey {paste public key here}
end
test-asa#
test-asa#config t
event manager applet Backup-Config
event none
action 1 cli command "copy /noconfirm running-config tftp://tftp-server//backups/asa-config-latest"
output file overwrite flash:Backup-Config.out
end
test-asa#
And then on the tftp-server, run the following bash script from cron:
#!/bin/sh
ssh test-asa<<EOF
event manager run Backup-Config
EOF
The whole 'EOF' thing is one way to send a carriage return to the ASA (and the only way I have identified)
Alternatively, use scp:
config t
ssh scopy enable
username foo password secret privilege 15
username foo attributes
ssh authentication publickey {paste public key here}
end
Then the following works:
scp foo@test-asa:system://running-config running-config
scp foo@test-asa:startup-config startup-config
In tandem with an EEM applet, this approach also allows backing up the entire configuration:
config t
event manager applet Backup-All
event timer absolute time 01:00:00
action 1 cli command "backup /noconfirm location flash:test-asa-all.tar.gz"
output file overwrite flash:Backup-All.out
end
And then sometime after 01:00:00, run a cron job on the backup server:
scp foo@test-asa:test-asa-all.tar.gz test-asa-all.tar.gz
Or, if you prefer to drive more of this from EEM:
config t
event manager applet Backup-All
event timer absolute time 01:00:00
action 1 cli command "backup /noconfirm location flash:test-asa-all.tar.gz"
action 2 cli command "copy /noconfirm flash:test-asa-all.tar.gz scp://foo:secret@tftp-server/test-asa-all.tar.gz"
output file overwrite flash:Backup-All.out
end
Other community members have sketched these solutions in other posts:
https://community.cisco.com/t5/switching/using-scp-to-backup-your-configs-safely/td-p/1208822
https://community.cisco.com/t5/firewalls/asa-backup-using-eem-and-scp/td-p/3947596
hth,
--sk
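The backup-server side of the push/pull scheme above, as an added example that is not part of this thread or of any Cisco tool: it triggers the `event none` applet over ssh with the same heredoc trick, pulls running-config over scopy, and files each copy under a role-specific name, which is the "save both configs separately" outcome the original question asks for. It assumes the local account `foo` with public-key SSH authentication and `ssh scopy enable` from the post, an applet named Backup-Config, placeholder unit host names passed on the command line, and a writable BACKUP_DIR; the role is read from the unit's own `failover lan unit primary|secondary` line, and the `tunneled` default route the question reports as Active-only is checked as a second marker. The sample configs at the bottom are constructed for offline use, not real device output.

```shell
#!/bin/sh
# Added example (not from the thread): backup-server side of the push/pull scheme.
# Assumed placeholders: ASA account 'foo' with public-key SSH auth and 'ssh scopy
# enable' configured as in the post, an EEM applet 'Backup-Config' with 'event
# none', unit host names given on the command line, BACKUP_DIR writable by cron.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/asa}"

# Trigger the applet the way the post does: the heredoc supplies the newline the
# ASA CLI needs, which 'ssh host "cmd"' on its own does not send.
trigger_applet() {
    ssh "foo@$1" <<EOF
event manager run Backup-Config
EOF
}

# Pull running-config over scopy into a temp file and print that file's name.
pull_config() {
    tmp=$(mktemp) || return 1
    scp -q "foo@$1:system://running-config" "$tmp" && printf '%s\n' "$tmp"
}

# Read a unit's stable identity from its own config: 'failover lan unit primary'
# or '... secondary', the line the question saw differ between the two files.
failover_role() {
    awk '
        /^failover lan unit primary/   { role = "primary" }
        /^failover lan unit secondary/ { role = "secondary" }
        END { print (role == "" ? "unknown" : role) }
    ' "$1"
}

# The other marker the question reports: only the Active unit's config carried
# a 'tunneled' default route. Exit status 0 if such a route is present.
has_tunneled_route() {
    grep -q '^route .* tunneled$' "$1"
}

# File a pulled config under a role-specific name and print the destination,
# so the primary and secondary copies never overwrite each other.
store_config() {
    role=$(failover_role "$1")
    dest="$BACKUP_DIR/asa-$role-vpn-config"
    mkdir -p "$BACKUP_DIR" && cp "$1" "$dest" && printf '%s\n' "$dest"
}

# Constructed sample configs (not real device output) for offline checks.
write_sample_config() {  # $1 = primary|secondary, $2 = output file
    printf 'hostname asa-x-vpn\nfailover lan unit %s\n' "$1" > "$2"
    [ "$1" = primary ] && printf 'route inside 0.0.0.0 0.0.0.0 10.1.2.3 tunneled\n' >> "$2"
    printf 'end\n' >> "$2"
}

case "${1:-}" in
    run)  # usage from cron: sh backup-asa.sh run asa-unit-1 asa-unit-2
        shift
        for host in "$@"; do
            trigger_applet "$host"
            cfg=$(pull_config "$host") || { echo "pull failed: $host" >&2; continue; }
            echo "$host -> $(store_config "$cfg")"
            rm -f "$cfg"
        done ;;
    *)    # no arguments: offline demonstration on the constructed samples
        for role in primary secondary; do
            f=$(mktemp); write_sample_config "$role" "$f"
            if has_tunneled_route "$f"; then t=yes; else t=no; fi
            echo "sample role=$(failover_role "$f") tunneled-route=$t"
            rm -f "$f"
        done ;;
esac
```

Run it with no arguments to see the classification on the constructed samples; from cron, pass `run` followed by both unit host names. Keying the file name on the primary/secondary line rather than on Active/Standby keeps the names stable across a failover, while the `tunneled` route check lets a log line record which copy came from the unit that was Active at backup time.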
03-01-2021 02:50 PM
Good question. I was just thinking: if the ASA is in Active/Standby mode, once you configure the EEM script on the active, does it not replicate to the standby? (never tried) - as per the technical theory the config will replicate with the mate, right?
My approach was always, for the config, to do an out-of-the-box script, so the script polls from outside, pulls the config and stores it in an archive folder (for both active and standby)
03-01-2021 03:50 PM
Right, as soon as I add the Applet to the Active member, those config lines get replicated to the Standby member, and now both of them are executing it
Sounds like you have used an external 'pull' approach -- thank you for that input
--sk
03-01-2021 03:54 PM
yes, the external get ability pulls the config from each box, but we always need only the Active box config; the standby config is very simple. (it is only required when you are replacing faulty kit)
03-01-2021 04:25 PM
OK, so how do I send a carriage return over ssh to an ASA?
In this case, I had to hit 'Enter' and then type 'exit'
guru% ssh admin@asa "event manager run Backup-Config"
User admin logged in to asa-x-vpn
[...]
Type help or '?' for a list of available commands.
asa-x-vpn/act# event manager run Backup-Config
asa-x-vpn/act# exit
exit
Logoff
Connection to asa-active-vpn closed by remote host.
guru%
With this approach, I have to hit 'enter' and then type 'exit'
guru% ssh asa-active-vpn "event manager run Backup-Config; exit;"
[...]
Type help or '?' for a list of available commands.
asa-x-vpn/act# event manager run Backup-Config; exit;
^
ERROR: % Invalid input detected at '^' marker.
asa-x-vpn/act# exit
exit
Logoff
guru%
Again, I must type 'Enter' and then 'exit'
guru% ssh asa-active-vpn "event manager run Backup-Config\nexit\n"
[...]
Type help or '?' for a list of available commands.
asa-x-vpn/act# event manager run Backup-Config\nexit\n
ERROR: Applet not found
asa-x-vpn/act# exit
exit
Logoff
Connection to asa-active-vpn closed by remote host.
guru%
--sk
03-01-2021 04:44 PM
What is the reason to run an event-manager script from out of the box? You can simply SSH to the device and copy the config to a TFTP location, right?
Simple bash script:
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
https://www.linickx.com/multi-context-https-backups-of-cisco-asa-script
Python based:
https://github.com/orgito/ncm-scripts/blob/master/cisco_asa_config_capture.py