I recently had a sensor failure, and tried to use the recovery partition. It was unsuccessful, and I was told that once I backed up my config using the "copy current-config backup-config" command, I needed to scp the file off the sensor to a backup location. Can someone confirm whether this is true or not????
The "copy current-config backup-config" will work OK when all you are trying to do is revert to your older configuration with the:
"copy backup-config current-config" command.
This is the standard, normal day-to-day backup: in case you misconfigured the sensor, you can go back to a good configuration.
BUT the "copy current-config backup-config" will not work in cases where you have to use the recovery partition of the sensor.
The recovery partition is not used in normal day to day troubleshooting of problems. The recovery partition is meant for disaster recovery where something on the application partition has been corrupted and an entire new file system is needed.
The recovery process will wind up reformatting the application partition of the hard drive.
Both the current-config as well as the backup-config are stored in the application partition and so will be lost when the application partition is reformatted.
NOTE: During the recovery process the sensor will save off a few key configuration parameters needed for setting up Network Access on the sensor. This includes the sensorip, netmask, default gateway, and list of permitted addresses from the current-config. All other configuration will be lost. They are saved off in a temporary location and re-applied after the recovery is complete.
This is so the recovery process can be initiated from a remote site, and the remote site can connect again after the recovery completes.
So when you need to make backups that will be available even after a disaster recovery you will need to archive the configuration onto another server (ftp or scp).
You would need to log back into the sensor as user cisco (use the default cisco password initially and change to your password).
Then use the upgrade command to re-apply all of the updates since the last remote backup of the configuration.
THIS IS IMPORTANT. You need to ensure that the version running on the recovered sensor matches the same version that was running when the backup happened. If not then when you try to apply the backup the sensor will generate errors about unknown signatures and may reject the configuration.
(This is also the reason we can't just have the backup configuration from the sensor automatically re-applied after a recovery. The sensor would likely reject it because of the new signatures and other parameters in the configuration that the older version recovered to does not know about.)
Once the sensor is back to the same version then use the copy command to reload the backup config from the remote site:
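Added example, not part of the original answer and not Cisco's tooling: a pre-restore check for the version-matching requirement described above. It assumes you saved the sensor's "show version" text next to each off-box config archive; the sample output, its layout, and the function names are constructed for illustration.

```python
import re

# Constructed samples of "show version" text; the layout is an assumption,
# only the two fields parsed below matter.
RECORDED_AT_BACKUP = """\
Cisco Intrusion Prevention System, Version 6.0(3)E1
Signature Update    S300.0
"""
AFTER_RECOVERY = """\
Cisco Intrusion Prevention System, Version 6.0(1)E1
Signature Update    S250.0
"""

VERSION_RE = re.compile(r"Version\s+(\S+)")
SIG_RE = re.compile(r"Signature Update\s+(S\d+(?:\.\d+)?)")


def parse_levels(show_version_text):
    """Return (software_version, signature_level); either may be None."""
    ver = VERSION_RE.search(show_version_text)
    sig = SIG_RE.search(show_version_text)
    return (ver.group(1) if ver else None, sig.group(1) if sig else None)


def restore_blockers(recorded_text, current_text):
    """List reasons the archived config should not be copied back yet."""
    rec_ver, rec_sig = parse_levels(recorded_text)
    cur_ver, cur_sig = parse_levels(current_text)
    problems = []
    if None in (rec_ver, rec_sig):
        problems.append("archive has no recorded version/signature level")
    if None in (cur_ver, cur_sig):
        problems.append("could not read version/signature level from sensor")
    if problems:
        return problems  # nothing reliable to compare
    if rec_ver != cur_ver:
        problems.append(f"software {cur_ver} != {rec_ver} at backup time")
    if rec_sig != cur_sig:
        problems.append(f"signature level {cur_sig} != {rec_sig} at backup time")
    return problems


if __name__ == "__main__":
    for reason in restore_blockers(RECORDED_AT_BACKUP, AFTER_RECOVERY):
        print("do not restore yet:", reason)
```

An empty list means the recovered sensor has been upgraded back to the level the archive was taken at, so the archived configuration can be copied back.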