Configuration Changes Made to ASAs in Active-Active Failover Mode

When Cisco Defense Orchestrator (CDO) replaces an ASA's running configuration with the one staged on CDO, or replaces the configuration staged on CDO with the one stored on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the CDO GUI. If the desired configuration change cannot be made using the CDO GUI, CDO attempts to overwrite the entire configuration file to make the change.

Here are two examples:

  • You can create or change a network object using the CDO GUI. If CDO needs to deploy that change to an ASA's configuration, it overwrites the relevant lines of the running configuration file on the ASA when the change occurs.

  • You cannot create a new ASA user using the CDO GUI. If a new user is added to the ASA using ASDM or the ASA CLI, then when that out-of-band change is accepted and CDO updates its stored copy of the configuration, CDO attempts to overwrite the entire configuration file it has staged for that ASA.

These rules are not followed when the ASA is configured in active-active failover mode. When CDO manages an ASA configured in active-active failover mode, CDO cannot always deploy all configuration changes from CDO to the ASA or read all configuration changes from the ASA into CDO. Here are two instances in which this is the case:

  • Changes made in CDO to an ASA's configuration file that the CDO GUI does not otherwise support cannot be deployed to the ASA. Likewise, a combination of changes that CDO does not support and changes that CDO does support cannot be deployed to the ASA. In both cases, you receive the error message, "CDO does not support replacing full configurations for devices in failover mode at this time. Please click Cancel and apply changes to the device manually." Along with the message in the CDO interface, you see a Replace Configuration button that is disabled.

  • Out-of-band changes made to an ASA configured in active-active failover mode cannot be rejected by CDO. If you make an out-of-band change to an ASA's running configuration, the ASA is marked with "Conflict Detected" on the Inventory page. If you review the conflict and try to reject it, CDO blocks that action. You receive the message, "CDO does not support rejecting out-of-band changes for this device. Either this device is running an unsupported software version or is a member of a active/active failover pair. Please proceed to accept the out-of-band changes by clicking Continue."

Caution

If you have to accept out-of-band changes from the ASA, any configuration changes staged on CDO but not yet deployed to the ASA are overwritten and lost.

CDO does support configuration changes made to an ASA in failover mode when those changes are supported by the CDO GUI.