Cisco Support Community

New Member

Backup-Config Question

I recently had a sensor failure, and tried to use the recovery partition. It was unsuccessful, and I was told that once I backed up my config using the "copy current-config backup-config" command, I needed to scp the file off the sensor to a backup location. Can someone confirm whether this is true or not?

1 REPLY
Cisco Employee

Re: Backup-Config Question

The "copy current-config backup-config" will work OK when all you are trying to do is revert to your older configuration with the:

"copy backup-config current-config" command.

This is the standard, normal day-to-day backup: in case you misconfigure the sensor, you can go back to a good configuration.

BUT the "copy current-config backup-config" will not work in cases where you have to use the recovery partition of the sensor.

The recovery partition is not used in normal day to day troubleshooting of problems. The recovery partition is meant for disaster recovery where something on the application partition has been corrupted and an entire new file system is needed.

The recovery process will wind up reformatting the application partition of the hard drive.

Both the current-config as well as the backup-config are stored in the application partition and so will be lost when application partition is reformatted.

NOTE: During the recovery process the sensor will save off a few key configuration parameters needed for setting up Network Access on the sensor. This includes the sensor IP, netmask, default gateway, and list of permitted addresses from the current-config. All other configuration will be lost. These are saved off in a temporary location and re-applied after the recovery is complete.

This is so the recovery process can be initiated from a remote site, and the remote site can connect again after the recovery completes.

So when you need to make backups that will be available even after a disaster recovery you will need to archive the configuration onto another server (ftp or scp).

copy current-config ftp://user@ipaddress/directory/filename

or

copy backup-config ftp://user@ipaddress/directory/filename

After the recovery is complete, you would need to log back into the sensor as user cisco (use the default cisco password initially and change to your password).

Then use the upgrade command to re-apply all of the updates since the last remote backup of the configuration.

THIS IS IMPORTANT. You need to ensure that the version running on the recovered sensor matches the same version that was running when the backup happened. If not then when you try to apply the backup the sensor will generate errors about unknown signatures and may reject the configuration.

(This is also the reason we can't just have the backup configuration from the sensor automatically re-applied after a recovery. The sensor would likely reject it because of the new signatures and other parameters in the configuration that the older version recovered to does not know about.)

Once the sensor is back to the same version then use the copy command to reload the backup config from the remote site:

copy ftp://user@ipaddress/directory/filename current-config

Side Note: It is generally easiest if you just store these remote backups in another directory on the same scp or ftp server where you are placing your updates.

One last comment.

If you are using IDS MC (IDS Management Center - part of VMS) for configuring the sensor then there is really no need to do the remote backup.

The IDS MC and its database are your remote backup of the sensor's configuration.

If you ever need to do a recovery on a sensor managed by the IDS MC, then go through the recovery process. Update the sensor back to the last update the IDS MC knew about for the sensor.

THEN from the IDS MC push the last known good configuration to the sensor (this would be comparable to doing "copy ftp://... current-config")
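The reply's two requirements for an off-box backup are that the file survives a reformat of the application partition and that it is only restored onto a sensor running the same software version it was taken from. The following POSIX shell script is an added example for the ftp/scp server side, not part of the thread and not Cisco's code: it files each config that arrives with "copy current-config scp://..." under a timestamp, records the version string and a SHA-256 digest in a per-sensor manifest, and refuses a restore whose file has changed or whose recorded version differs from the one now running on the recovered sensor. The sensor name and version string are assumed to be supplied by the operator; the manifest layout and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): archive helper for the remote backup server.
# Assumptions (hypothetical): configs arrive in a staging path via scp/ftp, and the
# operator passes the sensor name and the software version that was running when
# the backup was taken. One manifest.tsv per sensor: path <TAB> version <TAB> sha256.
ARCHIVE="${ARCHIVE:-./sensor-archive}"

# digest <file>: SHA-256 hex digest, using whichever tool the host provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# archive_config <config-file> <sensor-name> <version-string>
# Copies the file into the archive under a UTC timestamp, appends a manifest line
# and prints the archived path.
archive_config() {
    src="$1"; sensor="$2"; ver="$3"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dir="$ARCHIVE/$sensor"
    mkdir -p "$dir"
    dest="$dir/$(date -u +%Y%m%dT%H%M%SZ).cfg"
    cp "$src" "$dest"
    printf '%s\t%s\t%s\n' "$dest" "$ver" "$(digest "$dest")" >> "$dir/manifest.tsv"
    printf '%s\n' "$dest"
}

# check_restore <archived-path> <sensor-name> <running-version>
# Returns 0 only if the archived file is unchanged since it was recorded and the
# version recorded for it equals the version now running on the recovered sensor.
# Return codes: 1 not in manifest, 2 digest mismatch, 3 version mismatch.
check_restore() {
    path="$1"; sensor="$2"; running="$3"
    manifest="$ARCHIVE/$sensor/manifest.tsv"
    line=$(awk -F'\t' -v p="$path" '$1 == p { l = $0 } END { print l }' "$manifest" 2>/dev/null)
    [ -n "$line" ] || { echo "not in manifest: $path" >&2; return 1; }
    ver=$(printf '%s\n' "$line" | cut -f2)
    recorded=$(printf '%s\n' "$line" | cut -f3)
    actual=$(digest "$path")
    [ "$actual" = "$recorded" ] || { echo "digest mismatch for $path" >&2; return 2; }
    [ "$ver" = "$running" ] || { echo "version mismatch: backup $ver, sensor $running" >&2; return 3; }
    echo "ok: $path matches version $running"
}

# Typical use on the backup server (paths and version are placeholders):
#   archive_config /srv/incoming/sensor1.cfg sensor1 "<version at backup time>"
#   check_restore ./sensor-archive/sensor1/<stamp>.cfg sensor1 "<version after upgrade>"
```

The digest gate catches a backup that was altered or truncated on the server between backup and restore; the version gate turns the reply's "ensure the version matches" step into something the restore procedure enforces rather than relies on memory for, so the "copy ftp://... current-config" step only runs once the upgrade sequence has brought the recovered sensor back to the recorded version.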
