8-60
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Rolling Back Configurations
Caution It is usually a better idea to fix the configuration in Security Manager and deploy the fixed configuration,
because rolling back a configuration creates a situation where the configuration defined in Security
Manager is not the same one running on the device. After rollback, you should rediscover policies on the
device to make the device configuration and its configuration in Security Manager consistent. Roll back
configurations only in extreme circumstances.
You can roll back configurations using these tools:
• Deployment Manager—You can roll back a deployment to the last good configuration if that configuration was deployed to the device rather than to a file. To open the Deployment Manager, select Manage > Deployments.
• Configuration Archive—You can roll back deployment to any archived configuration that was deployed to the device or that originated from the device. To open the Configuration Archive, select Manage > Configuration Archive.
When you roll back a configuration, Security Manager does the following:
• On PIX Firewalls and ASA and FWSM devices, Security Manager uses the replace config option on the device’s SSL interface to perform the equivalent of a reload (xlates are cleared, IPsec tunnels are torn down, and so on).
• For devices running IOS 12.3(7)T or later, Security Manager uses the configure replace command to replace the running configuration with the contents of a configuration file. Support for this command is dependent on the IOS version installed on the device:
– On devices running IOS 12.3(7)T or later, Security Manager copies the configuration file to the startup configuration before executing the configure replace command. If the configure replace operation fails, Security Manager issues the reload command to reload the operating system using the contents of the startup configuration. The reload command restarts the system, which might result in a temporary network outage.
– On routers running a version prior to 12.3(7)T, Security Manager copies the configuration file to the startup configuration and issues the reload command, which restarts the system. Security Manager uses the TFTP server and directory specified in the Configuration Archive settings page (see Configuration Archive Page, page 11-3) when using this method.
• The rolled-back configuration becomes another archived version in the Configuration Archive for that device.
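The version-dependent IOS rollback path described above can be modelled as a small state machine. The following is an added example written for this guide page; it is not Security Manager's own code. The FakeDevice class, the Device protocol, the function names and the numeric-only version comparison are assumptions for illustration; the 12.3(7)T threshold and the copy / configure replace / reload sequence are taken from the text.

```python
"""Model of the IOS rollback procedure described in the guide.

Added example, not Security Manager code. FakeDevice, Device and the
function names are assumptions; the version threshold and command
sequence come from the guide text.
"""
import re
from dataclasses import dataclass, field
from typing import Protocol

# IOS release strings look like "12.3(7)T", "12.2(15)T5" or "15.1(4)M3":
# major.minor(rebuild)train<train-revision>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)[a-z]?$")


def parse_ios_version(text: str) -> tuple[int, int, int, str, int]:
    """Split an IOS release string into comparable parts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    major, minor, rebuild, train, train_rev = m.groups()
    return int(major), int(minor), int(rebuild), train, int(train_rev or 0)


# Threshold from the guide: configure replace is used on 12.3(7)T or later.
CONFIGURE_REPLACE_MIN = (12, 3, 7)


def supports_configure_replace(version: str) -> bool:
    """Assumption: compare major.minor(rebuild) numerically and ignore the
    train letter, so integration of the command into other trains is not
    modelled. Adjust the rule if your fleet runs trains that differ."""
    return parse_ios_version(version)[:3] >= CONFIGURE_REPLACE_MIN


class Device(Protocol):
    version: str

    def copy_to_startup(self, config: str) -> None: ...
    def configure_replace(self) -> bool: ...
    def reload(self) -> None: ...


@dataclass
class FakeDevice:
    """Constructed stand-in for a router; records the commands it receives."""
    version: str
    replace_succeeds: bool = True
    startup_config: str = ""
    log: list[str] = field(default_factory=list)

    def copy_to_startup(self, config: str) -> None:
        self.startup_config = config
        self.log.append("copy archive startup-config")

    def configure_replace(self) -> bool:
        self.log.append("configure replace startup-config")
        return self.replace_succeeds

    def reload(self) -> None:
        self.log.append("reload")


def roll_back(device: Device, archived_config: str) -> bool:
    """Apply the guide's procedure to one device.

    Returns True when a reload was issued, i.e. when a temporary network
    outage is possible, so a caller can schedule or alert accordingly.
    """
    device.copy_to_startup(archived_config)   # both paths stage the archive first
    if supports_configure_replace(device.version):
        if device.configure_replace():
            return False                       # running config replaced in place
        device.reload()                        # fallback when configure replace fails
        return True
    device.reload()                            # pre-12.3(7)T: reload from startup
    return True


if __name__ == "__main__":
    for ver, ok in (("12.3(7)T", True), ("12.3(7)T", False), ("12.2(15)T5", True)):
        dev = FakeDevice(version=ver, replace_succeeds=ok)
        reloaded = roll_back(dev, "hostname archived-router")
        print(ver, "reload issued" if reloaded else "no reload", dev.log)
```

The return value of `roll_back` is the practical signal to watch: on a pre-12.3(7)T router a reload is unconditional, and on a newer one it only happens when configure replace fails, which is the case the caution at the top of this section is warning about.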
Tip Configuration rollback does not include user account policies. When you roll back a configuration, the
existing state of user accounts is not changed. This helps ensure that users can continue to log into the
device.
Special considerations apply to the rollback of certain device types and configurations. See the following
sections for more information:
• Understanding Rollback for Devices in Multiple Context Mode, page 8-61
• Understanding Rollback for Failover Devices, page 8-61
• Understanding Rollback for Catalyst 6500/7600 Devices, page 8-61
• Understanding Rollback for IPS and IOS IPS, page 8-62
• Commands that Can Cause Conflicts after Rollback, page 8-64
• Commands to Recover from Failover Misconfiguration after Rollback, page 8-65