I am successfully backing up running-config using Embedded Event Manager:
event manager applet Backup-Config
event timer absolute time 1:00:00
action 0 cli command "copy /noconfirm running-config tftp://guru/backups/asa-x-vpn-config-latest"
output file overwrite flash:Backup-Config.output
However, both the Active and the Standby unit of the cluster execute this applet ... sometimes the TFTP host 'guru' contains running-config from the Active unit, sometimes from the Standby unit
Minimally, I would rather see running-config from the Active unit be the one which 'wins' on the tftp server, because it contains a key configuration line, e.g.
route inside 0.0.0.0 0.0.0.0 10.1.2.3 tunneled
while running-config on the Standby unit does not.
The two config files also vary in the following line:
failover lan unit primary
vs
failover lan unit secondary
The set of X.509 certificates also differs between the two
Maximally, I would like to save both configs separately, say, as:
asa-active-vpn-config
asa-standby-vpn-config
But I don't see a way to do this. I have looked for a couple of features, notably:
- I would like to reflect the value of 'prompt hostname state' into a variable, so that I could write:
copy /noconfirm running-config tftp://server-name//backups/$prompt-vpn-config
This would prduce, in my imagination at least, two files:
asa-x-vpn/act-config
and
asa-x-vpn/stby-config
Alternatively, some way to instruct the ASA OS to *not* replicate a set of config lines to the Standby unit
Both approaches have flaws in them. But in any case, I don't see these features.
I have also tried triggering the Appleton the 111008 Syslog message rather than via an Absolute timer -- works fine, but with the same results, i.e. both the Active and the Standby units execute the 'copy running-config' command
Has anyone else come up with a coherent way to automatically backup the config file(s) of an ASA cluster?
--sk
