Author: DK
Date: 1/21/2016
This is the procedure to RMA or rebuild a VPN cluster member.
1. Backup the following files:
cp.license
fwkern.conf
show configuration output (remove the SNMP interface lines; they will not import)
/var/ace directory
trac_client_1.ttm file
1.b Reset to factory defaults (or do a fresh installation from USB)
dlpdemo> set fcd revert Gaia_R77.20
reverting to factory defaults Gaia_R77.20
dlpdemo>
Broadcast message from admin (Tue Jan 6 13:38:20 2015):
2. Install R77.20
vi config (create the file and paste in the saved show configuration output)
load configuration config
3. Web wizard via https://myvpn-fwa.mydomain.com:4434
fw uninstall (otherwise the wizard will get stuck at 99%)
4. Install Take 91
reboot
5. Reset SIC
push policy (which creates the /var/ace directory)
copy the /var/ace files
copy the trac_client_1.ttm file
copy the fwkern.conf file (important for ClusterXL to function)
6. reboot
install GA fw1
install GA Sim
--------------------------------------------------------------------------------------------------
- Get the license file
[Expert@myvpn-fwb:0]# cd $CPDIR/conf
[Expert@myvpn-fwb:0]# pwd
/opt/CPshrd-R77/conf
[Expert@myvpn-fwa:0]# cat $CPDIR/conf/cp.license
Sign {
LICENSE 10.210.70.250 never CPAP-SG1260X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CK-00-1C-7F-36-A8-05
}= 76sdQuNjnhC4AGzuG4ZwfdTixxBbbv9JBsk Index=3 Version=0
[Expert@myvpn-fwa:0]#
- Get any special Kernel config
[Expert@myvpn-fwa:0]# find / -name fwkern.conf
/var/opt/fw.boot/modules/fwkern.conf
[Expert@myvpn-fwa:0]#
[Expert@myvpn-fwb:0]# cat /var/opt/fw.boot/modules/fwkern.conf
fwha_mac_magic=218
fwha_mac_forward_magic=217
[Expert@myvpn-fwb:0]#
- Get any local.arp files
[Expert@myvpn-fwa:0]# fw ctl arp
No proxy ARP entries
- Validate number of routes
[Expert@myvpn-fwa:0]# netstat -rn | wc -l
298
[Expert@myvpn-fwa:0]#
- Get a copy of the trac_client_1.ttm file (for VPN clients)
[Expert@myvpn-fwb:0]# find ./ -name trac_client_1.ttm
./var/opt/CPsuite-R77/fw1/conf/trac_client_1.ttm
./home/scp/trac_client_1.ttm
[Expert@myvpn-fwb:0]#
Update the default settings in trac_client_1.ttm on both cluster members:
:client_decide (client_decide) to :client_decide (false)
:default (true) to :default (false)
mytestvpn-fwa:#
mytestvpn-fwa:# cd /var/opt/CPsuite-R77/fw1/conf
mytestvpn-fwa:# more trac_client_1.ttm
Before (original defaults):
:automatic_mep_topology (
        :gateway (
                :map (
                        :false (false)
                        :true (true)
                        :client_decide (client_decide)
                )
                :default (true)
After (updated):
:automatic_mep_topology (
        :gateway (
                :map (
                        :false (false)
                        :true (true)
                        :client_decide (false)
                )
                :default (false)
- Get a copy of the show configuration output
- Get a copy of the /var/ace directory
sdconf.rec - Generated by the ACE SERVER and copied to the /var/ace directory
sdopts.rec - Allows you to force the ACE AGENT to use a specific IP address when generating its hash
sdstatus.12 - Automatically created at point of communication between the ACE AGENT and SERVER
securid - Automatically created at point of successful communication between the ACE AGENT and SERVER
sdconf.rec - Seed File from RSA for mytestvpn-fwb
sdopts.rec - contains the gateway IP address the RSA agent uses: CLIENT_IP=100.105.249.61
sdstatus.12 - Created automatically when the gateway first contacted RSA for authentication
[Expert@mytestvpn-fwb:0]# cd /var/ace
[Expert@mytestvpn-fwb:0]# ls -lt
total 12
-rw-rw-r-- 1 admin root 2418 Mar 10 23:22 sdstatus.12
-rw-r----- 1 admin root 22 Mar 10 22:07 sdopts.rec
-rw-r----- 1 admin root 2757 Mar 8 13:58 sdconf.rec
[Expert@mytestvpn-fwb:0]# cat sdopts.rec
CLIENT_IP=100.105.249.61
[Expert@mytestvpn-fwb:0]#
[Expert@mytestvpn-fwb:0]# cat sdopts.rec
CLIENT_IP=10.15.249.61
[Expert@mytestvpn-fwb:0]#
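Added here as a worked example (not part of DK's notes or a Check Point tool): a POSIX shell helper that gathers the step-1 backup set (cp.license, fwkern.conf, trac_client_1.ttm, /var/ace, and a show configuration dump with the SNMP interface lines removed) into one tarball and also produces the trac_client_1.ttm variant with the two default changes above. It assumes the file locations shown on this page, that the SNMP lines appear as "set snmp interface <name>", and that show configuration was saved to a file beforehand; the ROOT argument, the function names and the sample paths are my own.

```shell
#!/bin/sh
# Added helper, not from the original notes. Gathers the step-1 backup set from a
# cluster member before it is reset, using the file locations shown on this page.
# Usage on the member:  clish -c "show configuration" > /tmp/showconfig
#                       sh collect_backup.sh /home/scp "" /tmp/showconfig
# Argument 2 is a filesystem root prefix: empty on the real box, set to a
# constructed directory tree when exercising the functions elsewhere.

# "load configuration" rejects the SNMP interface bindings, so drop them from
# the saved dump. Assumes they appear as "set snmp interface <name>" lines.
filter_snmp_config() {
    grep -v '^set snmp interface ' "$1"
}

# Apply the two trac_client_1.ttm default changes described in the notes
# (client_decide -> false, default true -> false) to a copy of the file.
patch_ttm() {
    sed -e 's/:client_decide (client_decide)/:client_decide (false)/' \
        -e 's/:default (true)/:default (false)/' "$1"
}

# collect_backup DEST ROOT SHOWCONFIG
# Copies cp.license, fwkern.conf, trac_client_1.ttm, /var/ace and the filtered
# configuration dump into DEST/cluster-backup-<host>-<timestamp>, tars it and
# prints the tar path. A missing file aborts, so nothing is silently left out.
collect_backup() {
    dest="$1"; root="$2"; showconf="$3"
    [ -r "$showconf" ] || return 1
    work="$dest/cluster-backup-$(uname -n)-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$work" || return 1
    cp "$root/opt/CPshrd-R77/conf/cp.license"                 "$work/" || return 1
    cp "$root/var/opt/fw.boot/modules/fwkern.conf"            "$work/" || return 1
    cp "$root/var/opt/CPsuite-R77/fw1/conf/trac_client_1.ttm" "$work/" || return 1
    cp -r "$root/var/ace"                                     "$work/ace" || return 1
    filter_snmp_config "$showconf" > "$work/config"
    # Keep the edited variant alongside the original for step 5.
    patch_ttm "$work/trac_client_1.ttm" > "$work/trac_client_1.ttm.patched"
    chmod -R go-rwx "$work"    # the license and the SecurID seed are sensitive
    tar -cf "$work.tar" -C "$dest" "$(basename "$work")" || return 1
    echo "$work.tar"
}

if [ $# -ge 1 ]; then
    collect_backup "$1" "$2" "$3"
fi
```

Copy the resulting tar off the member (the notes use /home/scp) before running the factory reset, and restore the original or the .patched ttm in step 5 as needed.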