Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3806
Views
0
Helpful
2
Replies

Manual sync of DAP / GP Config between ASA's?

cculligan
Level 1
Level 1

‎08-09-2010 03:18 PM

Hi there,

We have multiple failover clusters that we would like to sync the DAP's/Group Policies/ACL's between.  I understand that there are 2 components that are combined for, say, a DAP -- the config lines, and the dap.xml.

What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things like that are unique to each cluster like IP's, routing, and crypto maps must stay the same so its not as easy as just doing an ASDM/CLI full backup and restore.

I have successfully done this a couple of times but mostly through trial and error, by using ASDM to export some information and then importing it manually, but I`d like to script this out so doing this via command line would be key.  Any suggestions?  Thanks for any help!

-Chris

Labels:
0 Helpful
2 Replies 2

cculligan
Level 1
Level 1

‎09-01-2010 04:36 PM

I guess I will post what we are doing so far:

Use a common prefix for all of your DAP-related ACL's -- so for us we use DAP_ like so:

access-list DAP_URL_ORACLE_SHTERM webtype permit url html://

:8080 log default

Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP acl's.

Then, use the ASDM to backup the DAP and bookmarks only.

We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order.  We chose not to sync Group Policies, Tunnel / Connection profiles anbd the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users.  You may want to think about syncing customizations and such as well.

0 Helpful

gdspa
Level 1
Level 1
In response to cculligan

‎11-15-2011 01:20 AM

Hi cculligan,

I would like to do the same thing you described.

I understand procedure is:

1)backup dap with asdm

2)copy dynamic-access-policy-record lines

3)paste dynamic-access-policy-record lines on the new ASA

4)restore zip file with dap.xml and Version.properties with ASDM on the new ASA

Do you confirm?

I don't need to reload anything, do I?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents