CSM 4.1 - ASA Configuration Backup Files via TFTP

Answered Question
Apr 9th, 2012

I'm fairly new to CSM so this may be a newbie question. In the "old days" we would write mem to save the running config to startup, then write net to save the running config to a defined file on a TFTP server. But now that we use CSM, there is no write net function that happens during the process of deploying a change to the config. The actual config is saved in CSM somewhere since we are actually making changes to it before deploying a change, right? But it's not in a format where I could replace a failed ASA by "copy tftp startup-config?"

I read where you can "Preview Configuration" and then Copy/Paste the "ASA(Full)" configuration, but there is a major flaw in that plan. The displayed output hides all of the passwords, i.e. enable, passwd, tacacs+ or radius keys, local username password. Besides, Copy/Paste has never been the best option to initially configure, or to replace a failed unit. All you are doing is hoping the running config isn't interfering with what you are pasting. (The Factory Config for DHCP comes to mind).

Is there a function where I can export the entire configuration to a file that is the complete startup configuration? Or, is there a function I could enable to have the ASAs periodically "Write Net?"

Correct Answer
Todd Pula Mon, 04/09/2012 - 08:18

You could configure a FlexConfig for one or more ASAs in order to execute the copy command before and/or after a config push.  I just tested this on my CSM 4.2 server and it worked.  You will want to use the /noconfirm option so that the end device doesn't present interactive prompts to CSM.
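
An added example, not part of the original thread and not Cisco tooling: a check run on the TFTP server to confirm that a file written by the FlexConfig copy is a complete configuration, not a truncated transfer or a preview paste with hidden passwords. It assumes that a full ASA configuration ends with `: end` and that hidden values appear as runs of asterisks; the function name and all sample values are constructed for illustration.

```python
import re

# Settings named in the question whose values must survive in a restorable file:
# enable, passwd, TACACS+/RADIUS keys, local username passwords.
SECRET_LINE = re.compile(
    r"^\s*(enable password|passwd|key|username \S+ password)\s+(\S+)")
MASK = re.compile(r"^\*+$")  # assumption: a hidden value is a run of '*'


def check_backup(text):
    """Return reasons the file is unsafe to restore with 'copy tftp startup-config'."""
    problems = []
    lines = [line.rstrip() for line in text.splitlines()]
    body = [line for line in lines if line]
    if not body:
        return ["empty file (TFTP transfer failed or wrote nothing)"]
    # Assumption: a complete ASA configuration ends with ': end'.
    if body[-1] != ": end":
        problems.append("missing ': end' terminator (truncated transfer?)")
    if not any(line.startswith("hostname ") for line in body):
        problems.append("no hostname line (not a full configuration?)")
    for number, line in enumerate(lines, 1):
        match = SECRET_LINE.match(line)
        if match and MASK.match(match.group(2)):
            problems.append(f"line {number}: masked {match.group(1)}")
    return problems


# Constructed sample: what a complete TFTP backup is expected to look like.
GOOD = """: Saved
hostname fw-example
enable password CONSTRUCTEDHASH01 encrypted
passwd CONSTRUCTEDHASH02 encrypted
username admin password CONSTRUCTEDHASH03 encrypted privilege 15
aaa-server TACACS (inside) host 192.0.2.10
 key constructed-shared-secret
Cryptochecksum:00000000000000000000000000000000
: end
"""

# Constructed sample: a copy/paste of a preview with the passwords hidden.
PREVIEW_PASTE = """hostname fw-example
enable password ***** encrypted
passwd ***** encrypted
aaa-server TACACS (inside) host 192.0.2.10
 key *****
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("PREVIEW_PASTE", PREVIEW_PASTE)):
        print(name, check_backup(sample) or "ok")
```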

mleiby Mon, 04/09/2012 - 11:21

Todd,

Thanks for the post. I did try a "write net" like this previously, but I thought it was a once and done thing. I just tested this again and it sure does run this every time a change is deployed. Excellent! BTW, the "write net" Flex Config works best for me since I already have my TFTP Server information configured on each firewall.

So, does this mean that all Flex Configs are applied again and again each time a change is deployed?

Todd Pula Wed, 04/11/2012 - 10:08

In the current versions, the Flex Config is prepended/appended during each deployment.  In the upcoming 4.3 release, you will have the option to deploy each time or only when a FlexConfig is new or modified.

Posted April 9, 2012 at 6:50 AM
Tags: asa, csm4.1