BAckup in CSM 4.4

Hi Everyone,
Need to confirm what does Backup in CSM 4.4 does ?
does it backup and save running config of ASA also ?
I check the backup folder but could not see any running config of asa there?
Regards
Mahesh

I think you missed to add Logging filters settings, they are available at Platform->Logging->Syslog->Logging Filter. In this select Logging Destination as "Syslog Servers" and "Filter on Severity" as per need.
Thanks,
Ashutosh

Similar Messages

CSM Bridging during Backups?

I have two questions? This might seem like some dumb questions but, we have dual CSM's 4.2.6 in 6509 IOS 12.2(18)SXF in bridge mode. 1st question is, we have backup clients on one network and the host on another. The host is on a vlan behind the CSM and the backup client is not. Correct me if im wrong, but from my knowledge traffic should not go through the CSM when accessing the server RIP's directly. But why, does the CSM portchannel260 get impacted during backups? Shouldn't it route through the MSFC first? 2nd question if the backup server and the host is both on the same network but different vlans will it still communicate thru the MSFC or CSM? Please advise...Thx!

Usually in bridge mode, the default gateway of a device is a router (often the MSFC) behind the CSM. The CSM bridge the front vlan with the backend vlan.
So, even if the MSFC is the device that does the routing between your source and destination, this traffic still needs to go through the CSM.
Same if the source and destination are in the same subnet. If the source is in vlan X and the destination in vlan Y using the same subnet with the CSM bridging the 2, the traffic still needs to go through the CSM.
So, you should look at the CSM as an external device even if it sits in the same chassis as the MSFC.
Gilles.

CSM v3.3.1 backup file size incredible 3GB

Hi
Does anybody else have backup files with the size of 3GB and more with a CSM v3.3.1 SP1? The interessting thing is that this CSM manages about 30 network devices. Looking into the backup files it's just the "vms.db" file which consumes the most (2.9 GB) of the data.
Is this normal behaviour for a CSM?
Regards
Roberto

Hi Roberto,
I understand your point, I will try to bring this back internally .
Regarding the specific issue, indeed that installation guide was wrong and got fixed after we flagged this issue on: CSCsz22077
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz22077
Sorry for all the confusion it led . Let me know if there is anything else we can do, appreciate your suggestion
Stefano

CSM Backup Server

Is the old CSS "sorry" or backup server supported on the CSM?
Trying to setup two web servers as active and backup behind a CSM. No load sharing.
Regards
Joe

yes, the backup option exist with the CSM
If you server1 active and server2 backup, here is an example
gdufour-cat6k-2(config-module-csm)#vserver www
gdufour-cat6k-2(config-slb-vserver)#serverfarm linux1 backup ?
WORD backup server farm name
gdufour-cat6k-2(config-slb-vserver)#serverfarm linux1 backup linux2
Gilles.

Is it really possible to revert IPS signatures from CSM

Hi folks,
I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release but it doesn't seem to be working. Contrary to it Cisco's CSM guide says:
If you later decide that you did not want to apply a signature update, you can revert to the
previous update level by selecting the Signatures policy on the device, clicking the View
Update Level button, and clicking Revert
I can't imagine it is possible as the signatures are normally compiled into xml files. How would the sensor do it ?
Eugene

During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
A few things to be aware of:
1) Old configuration will be copied back. So changes made since the update may be lost.
2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
4) This can be done through CLI, and now also available in CSM.
Here are some things to check in your situation where it appears to not be working.
Login to the sensor and execute "show ver".
Does the history in the "show ver" output show a Signature Update package as the last update installed?
If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
If it can't be done through CSM you might try the CLI' "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation.

Fault Tolerance not working between CSMs

I have two CSM modules in two differnt switches (Bridge mode) configured for high availability. After noticing one of the CSM modules was in failed mode, I reset the module. While the module reboots I get the following messages: %CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down
%CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: ARP frame from 170.41.228.10 with MAC 00:01:64:f9:
1a:07 received on VLAN 2.
With both online a "show mod csm 3 ft" shows both modules active.
I can no longer access the real servers.
When I remove the module that I reset (Primary) I can access the servers using the backup CSM.
Whe I remove the backup CSM and insert the Primary, I cannot acces the servers once again.
The FT vlan is VLAN 7 configured on both switches and is the only allowed VLAN on the trunk.
The config for the Primary CSM is:redundancy
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
module ContentSwitchingModule 3
ft group 7 vlan 7
priority 30
preempt
vlan 2 client
ip address 170.41.228.20 255.255.255.192
gateway 170.41.228.1
vlan 8 server
ip address 170.41.228.20 255.255.255.192
probe CARMENWEBPROBE tcp
interval 10
failed 100
probe HTTPS tcp
interval 10
failed 100
port 443
serverfarm CARMENWEBFARM
nat server
no nat client
real 170.41.228.15
inservice
real 170.41.228.16
inservice
probe HTTPS
vserver CARMENVSERVER
virtual 170.41.228.10 tcp 0
serverfarm CARMENWEBFARM
persistent rebalance
inservice
Trunk for VLAN 7 config :
interface GigabitEthernet4/2
switchport
switchport trunk encapsulation isl
switchport trunk allowed vlan 7
switchport mode trunk
no ip address
logging event link-status
logging event spanning-tree status
logging event trunk-status
Has anyone had this problem?
Thanks, Donald

The plan is to take a working CSM from a DR site with the same config to try in place of the not working active. I did not want to risk taking the working stanby and moving it and possibly having an outage at this time since this is a production switch being heavily utilized at the moment. I wanted to verify there was not something in the config that was not configured properly.

Satellite P870 - simple image backup & restore software required

Does anyone know of simple disk imaging software to back up and restore C: drive including the OS and every file.
I used to use BartPE which had the shell of Windows XP on the CD and booted from the CD and allowed an image to be made or restored. It didn't matter if the PC's OS was broken was a simple OS on the CD plus Norton Ghost 8.
My Satellite P870 can only boot from a USB (selected in the BIOS) and I've been unsuccessful getting my BartPE to boot from a USB. Similarly I installed Odin Imaging software but it doesn't boot from the USB either, though I can run it from Explorer (but relies on Windows 8 loading properly).
I also downloaded Paragon Free Data Recovery but it wants to install the program on the laptop. I want a purely portable drive/image copying program.
Message was edited by: Hanlen

> {quote:title=peterk_1 wrote:}{quote}
> How about " Regardless of your operating system, file system and partition scheme, through creating a bootable CD it can sector-by-sector copy you disk to assure you a 100% identical copy of the original one."
> [http://www.easeus.com/disk-copy/home-edition/]
>
> And it's free
>
> Just noted your comment about booting - Your P870 won't boot from the optical drive???
>
> Message was edited by: peterk_1
Firstly, I have to correct where I said the P870 does not boot from the optical drive. Both USB and ODD are options. In the process I managed to create a bootable USB with EaseUS and a bootable CD with Paragon Backup & Data Recovery 2013 (free version). However the laptop would not boot from the USB or CD despite setting USB or ODD at the number 1 position in the BIOS.
The following changes to the BIOS (version 2.30) does cause the laptop to boot from the USB or CD as the case may be, however it is not a permanent solution as the laptop will not boot into Windows even if there is no USB device attached or a CD/DVD in the ODD.
Set Secure Boot to disable. Set Advanced System Configuration Boot Mode to CSM Boot.
When the job is done Boot Mode will need to be put back to UEFI Boot. If there is a better way whereby the settings do not have to constantly be changed, Id be interested but its not important for my needs.
On using EaseUS to back up C: drive, I could not see the 2 partitions I had created from splitting C drive so I put it aside and tried Paragon Backup & Data Recovery 2013 (free version). I had to download the install the program on the laptop and from there, create a bootable CD (or USB).
That all worked smoothly as did running the program.
There is no need to keep the program on the laptop once the bootable USB/CD is created though I have not reviewed it for other useful operations.
The commands are relatively intuitive and the help answered one question I had along the way.
The only confusing thing I found was when restoring the data and being confronted with a string of drives to copy the data back to. Following the process of elimination I chose F drive in my case based on the drive size. The only odd thing was the cursor; each time I touched the track pad with a second finger, the cursor flew to the left or right.
That might be peculiar to the P870 and Windows 8 its pretty much straight out of the box with virtually no software installed by myself (yet).
As for my old BartPE, it caused the blue screen of death twice in succession so it is relegated to use only with my old XP laptop.

Two CSM's in single chassis

hi folks
if we install two CSM's in the same 6500, can we load balance serverfarmA using CSM1 & serverfarmB using CSM2.
would the csm's be in csm mode or rp mode? would we need to configure them identically or use hsrp for failover?
any ideas appreciated since i have 0 experience with content stuff.
thanks,
anurag

there is no more rp mode. Everything must be csm mode nowadays.
If you put 2 CSM in the same chassis, they can workd independently and therefore be both acitve, or you can have the same config on both and work in active/standby.
With version 4.2.x and the corresponding ios version, there is a command to sync the config between active and standby so you don't have to configure everything twice. The command is 'hw-module ContentSwitching X standby config-sync'.
Regarding the serverfarm the question is not really important. You first have to decide if you want to be active/standby or active/active.
Be aware that if you go for active/active you have no backup [you can't be active and standby at the same time] and you will have to split your traffic between the 2 CSM by configuring different vservers on each.
Gilles.

Predictor Forward in CSM (catalyst 6509)

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Hello:
My problem is that not can make that the Catalyst, forwarded packets come vlan client when the Cache is down. Adjunt config.6509#sh runn
Building configuration...
Current configuration : 5084 bytes
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname router
boot system slot0:c6sup22-ps-mz.121-13.E3.bin
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxx
ip subnet-zero
no ip domain-lookup
ip slb mode csm
ip slb vlan 30 server
ip address 192.168.198.2 255.255.255.0
gateway 192.168.198.200
ip slb vlan 40 server
ip address X.X.0.1 255.255.255.0
ip slb vlan 20 client
ip address 10.1.1.1 255.255.255.0
ip slb probe PRUEBA icmp
address X.X.0.2
interval 5
retries 1
ip slb serverfarm CACHE
no nat server
no nat client
real X.X.0.2
inservice
probe PRUEBA
ip slb serverfarm ROUTE
no nat server
no nat client
predictor forward
ip slb vserver FROMCACHE
virtual 0.0.0.0 0.0.0.0 any
vlan 40
serverfarm ROUTE
persistent rebalance
inservice
ip slb vserver HTTP
virtual 0.0.0.0 0.0.0.0 tcp www
vlan 20
serverfarm CACHE
persistent rebalance
inservice
ip slb vserver INTERNET
virtual 0.0.0.0 0.0.0.0 any
vlan 20
serverfarm ROUTE
persistent rebalance
inservice
ip slb vserver RESPONSE
virtual 0.0.0.0 0.0.0.0 any
vlan 30
serverfarm CACHE backup ROUTE
persistent rebalance
inservice
ip slb vserver RTSP
virtual 0.0.0.0 0.0.0.0 tcp rtsp service rtsp
vlan 20
serverfarm CACHE
persistent rebalance
inservice
ip slb vserver WMT
virtual 0.0.0.0 0.0.0.0 tcp 1755
vlan 20
serverfarm CACHE
persistent rebalance
inservice
no dss interface-purge
no dss range-purge
no dss mac-purge
mls rp ip
no mls netflow
mls flow ip destination
mls flow ipx destination
redundancy
mode rpr-plus
main-cpu
auto-sync running-config
auto-sync standard
interface FastEthernet6/12
no ip address
switchport
switchport access vlan 20
interface FastEthernet6/36
no ip address
duplex full
speed 100
switchport
switchport access vlan 40
interface FastEthernet6/46
no ip address
switchport
interface FastEthernet6/47
no ip address
switchport
switchport access vlan 30
interface FastEthernet6/48
no ip address
switchport
switchport access vlan 30
interface Vlan1
ip address 192.1.1.1 255.255.255.0
interface Vlan20
ip address 10.1.1.2 255.255.255.0
interface Vlan30
ip address 192.168.198.10 255.255.255.0
interface Vlan40
ip address X.X.0.10 255.255.255.0
ip default-gateway 192.168.198.200
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.198.200
no ip http server

When the cache engine goes down, the switch should be forwarding w/o using the cache. There is a keepalive mechanism to keep track of this. The switch and the cache exchange keepalives regularly. Check if there is a problem with the keepalives.

CSM Displaying incorrect information

On our current infastructure we have a number of Vservers built , utilising vserver SSO-GP-443
serverfarm SSO-GP-SY-443 backup SSO-GP-NW-443
Both server farms show up and available until we fail the primary server farm, when this happens the Vserver shows as below
SSO-GP-443 SLB TCP 172.27.117.25/32:443 ALL OUTOFSERVICE 1
Although on testing, traffic is passed to the servers and the display may be purely cosmetic, but we would like this confirmed and also if its a known bug , if this is the case when this bug will be fixed
c6slb-apc.4-2-4.bin CSM Code
s72033-advipservicesk9_wan-mz.122-18.SXF5.bin Switch Code

If the data is incorrect, the system generates error messages and displays the page on which the error occurs.
http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00806b79f3.html#wp1055751

Cannot connect with CSM client

One of our clients has a problem with their CSM deployment, they recently upgraded their CSM version which is deployed on a vmware environment, the services are listed as running and the webservice is available on port 1714 - when he tries to access it with the CSM client he gets the error.
The client cannot connect to the authentication service."
* Please cofnirm whether the security manager server is running
I cant find any troubleshooting information for this specific issue - has anyone got any experience of this issue or what could be causing it.
Regards
Joel

I'm having the exact same problem. My work around is to run C:\Program Files (x86)\cscopx\setup\support\resetcasuser.exe, select option 1 and reboot the CSM box.
TAC said the issue was a GPO preventing the casuser for running batch, but we just modified the GPO yesterday and still have trouble.
Strange thing is twe did not have this issue when the backup job was failing.

CSM - inservice standby - question

10.176.56.113 and 10.176.56.114 are 2 x DNS servers in Site 1.
We are planning to put in 10.188.56.49 and 10.188.56.50 which are Site 2 DNS servers as standby realserver because there was a time when 2 of the Site 1 DNS servers went dead and there was no DNS server running in Site 1.
We do not want the DNS vip to route to Site 2 DNS unless both of the .113 and .114 are dead. Can you advice if 'inservice standby' can be used?
serverfarm DNS
nat server
nat client DNS
real 10.176.56.113
inservice
real 10.176.56.114
inservice
real 10.188.56.49
inservice standby
real 10.188.56.50
inservice standby
probe DNS
In Cisco documentation: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.1.x/4.1.2/configuration/guide/rsfarms.html#wp1038112
"If a client making a request is stuck to an out-of-service server (using a cookie, SSL ID, source IP, etc), this connection is balanced to an in-service server in the farm. If you want to be stuck to an out-of-service server, enter the inservice standby command. When you enter the inservice standby command, no connections are sent to the standby real server with the exception of those connections that are stuck to that server and those servers with existing connections. After the specified standby time, you can use the no inservice command to allow only existing sessions to be sent to that real server. Sticky connections are then sent to an in-service real server in the server farm. "
The explanation above is rather vague and confusing. Hence I would like to seek your advice whether the usage of 'inservice standby' can serve the purpose that we required, which is to failover to .49 and .50 when .113 and .114 became "out of service" in the CSM.

"no inservice" and "inservice standby" are used to gracefully shutdown the real servers. "Inservice standby" is used for shutting down (taking out of LB logic) a real server when stickiness is configured.
You can use Backup server farm for your requirement. A sample config
vserver DNS
virtual z.z.z.z tcp
serverfarm SITE1 backup SITE2
inservice
serverfarm SITE1
nat server
real x.x.x.1
inservice
real x.x.x.2
inservice
serverfarm SITE2
nat server
real y.y.y.1
inservice
real y.y.y.2
inservice
If all the servers in SITE1 goes down then the real of SITE2 will be used. If a single server of SITE1 comes back then all connections will go to that server in SITE1.
Hope it helps
Syed Iftekhar Ahmed

CSM Fault Tolerance and IGMP Snooping

For "connection redundancy" the redundancy guide says to turn off IGMP snooping.
Is there any way around this?
I need to have multicasting everywhere and I don't want to multicast all streams to every port on this switch.

Most of the show statements are at the end of the attached file in an earlier post. The vservers details are at the end of this post.
I have an ARP entry for the VIP - 0001.64f9.1a64, but it does not respond to pings. I tried both the alias and the server vlan IP as the default gateway of the servers.
I took a trace and found that the VIP sends a TCP reset immediately after a request. I have tried versions 4.2.1 and 4.1.4 with the same result. I wonder if this could be a problem with the Sup720 with 12.2.17d IOS. I also tried the CSM in slots 2 and 3.
720Test2#sh mod csm 3 vserver detail
SOFTRICITY, type = SLB, state = OPERATIONAL, v_index = 10
virtual = 10.10.249.6/32:0 bidir, any, service = NONE, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 0, total conns = 1
Default policy:
server farm = SOFT1, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy Tot matches Client pkts Server pkts
(default) 1 1 0

Botnet Traffic Filtering option in CSM 4.0 evaluation

I have CSM evaluation 4.0. (about 50 days left) and deployed Botnet Traffic Filtering rules with traffic classification rule according to http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/configuration/example/sm400bot.html#wp51455.
I don't see any botnet activity logs neither via ASDM nor via CSM.
Does this logs include all activities according to access rules for Botnet Traffic Filtering or only detected botnet traffic?
How can I be sure that Botnet Filtering checks all the packets to my test zone?
Does this evaluation version support monitoring activities logs and access to blacklist server?
Thanks in advance.

Hi,
mm, I could not find the proper documentation (i see it for LMS...) anyway, you can try the following:
1- stop the server
net stop crmdmgtd
2- Erase the DBs
set NMSROOT=c:\progra~2\cscopx
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=cmf dmprefix=Cmf npwd=admin
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=vms dmprefix=vms npwd=admin
If using Performance Monitoring (MCP):
%NMSROOT%\bin\perl %NMSROOT%\bin\dbRestoreOrig.pl dsn=mcp dmprefix=mcp npwd=admin
NOTE:
NMROOT is the root where CSM is installed. I am assuming you are using default settings for Win2008 but you need to change if you installed somewhere else
3- restart the server.
net start crmdmgtd
Please note that all you data will be lost. Also, make sure to have the license handy as it might be required to install the license again.
Also I would suggest you do a backup of your DB before you perform these steps
Stefano

CSM configuration question

Customer wasnt current CSM config changed:
===================================
Customer's request is to make all requests go to real server 173.200.12.109 and if that server is down only then send all requests to backup server 173.200.12.110. But if server 173.200.12.109 comes back online then start sending all requests back to 173.200.12.109 and not use 173.200.12.110.
Questions:
==========
1. I think I have to put the two servers in VLAN 110 and not VLAN 12 and use the CSM in bridge mode by giving the same IP addresses of 173.200.12.8 for client VLAN 12 and server VLAN 110. Right?
2. There are two CAT 6500 with a CSM in each in Fault Tolerant Mode already configured and running and now need the above config changes added. Do I need to configure both CSM manually or if I configure one CSM will the other copy the config automatically.
3. I need to add VLAN 12 and VLAN 110 to Switch VLAN DATABASE, but not add VLAN 12 or VLAN 110 to the MSFC2 or should I only add VLAN 12 to MSFC2 and not VLAN 110.
4.Do new firewall rules need to be created for the two new server real IP addresses or VIP or non change required to the Firewall Rules.
4. What are some useful troubleshooting commands I can see if this doesn't work ? -
show module csm x connection detail, etc.

1 & 3) The servers will go into vlan 110. You need to create this vlan on the switch but there is not a routed interface for it.
The client vlan (vlan 12) will need a routed interface however it is not clear from your diagram where this should be. You will need to create vlan 12 on the switch as well. If you are putting a firewall in front of this vlan which it seems you are from your diagram then the routed interface for vlan 12 will be on the firewall not the MSFC. If you put it on the MSFC you will simply route round the firewall - probably not what you want.
2) Version 4.1(1) does not seem to support the command "hw-module csm 'slot no" standby config-sync" (worth checking tho). Looks like this was brought in on version 4.2. Without this command yes you will have to manually copy the config.
4) if you are not allowing through http ( assuming it is http) to the VIP already yes you will need a new firewall rule. That will allow application traffic. If you need direct access to the servers for management etc. then you will need to add in rules for those as well.
5) sh mod csm x reals
sh mod csm x vservers.
sh mod csm x ft
sh mod csm x conn
HTH

BAckup in CSM 4.4

Similar Messages

Maybe you are looking for