Manual sync of DAP / GP Config between ASA's?

Aug 9th, 2010
Hi there,


We have multiple failover clusters that we would like to sync the DAP's/Group Policies/ACL's between.  I understand that there are 2 components that are combined for, say, a DAP -- the config lines, and the dap.xml.


What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things that are unique to each cluster, like IPs, routing, and crypto maps, must stay the same, so it's not as easy as just doing an ASDM/CLI full backup and restore.


I have successfully done this a couple of times but mostly through trial and error, by using ASDM to export some information and then importing it manually, but I'd like to script this out, so doing this via command line would be key.  Any suggestions?  Thanks for any help!


-Chris

cculligan Wed, 09/01/2010 - 16:36
I guess I will post what we are doing so far:


Use a common prefix for all of your DAP-related ACL's -- so for us we use DAP_ like so:


access-list DAP_URL_ORACLE_SHTERM webtype permit url html://:8080 log default


Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP acl's.


Then, use the ASDM to backup the DAP and bookmarks only.


We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order.  We chose not to sync Group Policies, Tunnel / Connection profiles and the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users.  You may want to think about syncing customizations and such as well.
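One way to script the "grab the CLI" step of the procedure above, added here as an example and not code from this thread or from Cisco: it pulls the DAP_-prefixed ACLs and the dynamic-access-policy-record blocks out of a saved running-config, emits them in the import order described (ACLs first, then records), and flags any record whose network-acl points at an ACL outside the prefix, since that ACL would otherwise be left behind on the target ASA. The config text is a constructed sample; the one-space indentation of sub-commands is assumed to match the show running-config layout.

```python
import re
# Constructed sample of an ASA running-config (not from the thread); only the
# DAP_-prefixed ACLs and the dynamic-access-policy-record blocks should travel.
SAMPLE_CONFIG = """\
hostname asa-site1
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list DAP_URL_ORACLE_SHTERM webtype permit url html://:8080 log default
access-list DAP_NET_CONTRACTORS extended permit tcp any host 192.0.2.20 eq 22
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Contractors
 description "Contractor access"
 network-acl DAP_NET_CONTRACTORS
 webvpn
  url-list value Contractors
 priority 10
dynamic-access-policy-record Staff
 network-acl STAFF_LEGACY
crypto map outside_map 10 match address SITE1_VPN
"""

def extract_dap_cli(config, prefix="DAP_"):
    """Return (acl_lines, record_blocks) for the prefixed ACLs and each DAP record."""
    acls, records, block = [], [], None
    for line in config.splitlines():
        if line.startswith("access-list " + prefix):
            acls.append(line)
            block = None
        elif line.startswith("dynamic-access-policy-record "):
            block = [line]
            records.append(block)
        elif block is not None and line.startswith(" "):
            block.append(line)          # indented sub-command of the current record
        else:
            block = None                # any other top-level line ends the record
    return acls, records

def missing_acl_refs(acls, records):
    """ACL names referenced by network-acl that the extracted ACL set does not carry."""
    have = {l.split()[1] for l in acls}
    text = "\n".join(l for b in records for l in b)
    refs = set(re.findall(r"^ +network-acl (\S+)$", text, re.M))
    return refs - have

def build_sync_snippet(config, prefix="DAP_"):
    """CLI text in import order (ACLs, then DAP records) plus the set of missing ACLs."""
    acls, records = extract_dap_cli(config, prefix)
    lines = acls + [l for b in records for l in b]
    return "\n".join(lines) + "\n", missing_acl_refs(acls, records)
```

Review the returned missing set before pasting the snippet: a record that names an absent ACL imports cleanly but then matches no traffic rule on the new gateway.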

gdspa Tue, 11/15/2011 - 01:20
Hi cculligan,

I would like to do the same thing you described.

I understand procedure is:

1) backup dap with asdm

2) copy dynamic-access-policy-record lines

3) paste dynamic-access-policy-record lines on the new ASA

4) restore zip file with dap.xml and Version.properties with ASDM on the new ASA


Do you confirm?

I don't need to reload anything, do I?
