Wednesday, July 29, 2009

SOL3499: Backing up and restoring BIG-IP LTM, ASM, GTM, Link Controller, or WebAccelerator configuration files

Updated: 4/14/09 9:54 AM
Solution

This Solution describes how to back up and restore your configuration data using a UCS configuration archive. Unless your configuration has been customized to run programs that are not normally supported on the BIG-IP system, the UCS archive will contain all files required to restore your current configuration to a new system.

Note: The F5 Networks Enterprise Manager product is designed to facilitate the configuration management process for multiple systems. For more information, refer to the Enterprise Manager product documentation.

Note: If you are backing up or restoring BIG-IP configuration files prior to replacing an RMA unit, refer to SOL8086: Replacing a BIG-IP 9.x system in a redundant pair without interrupting service and, for version 9.4.5 and later, SOL9420: Installing a UCS file containing an encrypted passphrase.

Note: For information about UCS archive files, refer to SOL4423: Overview of UCS archives.

The .ucs file contains the following configuration data:

  • All BIG-IP-specific configuration files
  • BIG-IP product licenses
  • User accounts and password information
  • DNS zone files
  • Installed SSL certificates and keys

Note: For information about the contents of a UCS archive file, refer to SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

Backing up your current configuration data

To back up your current configuration data, perform the following procedure:

  1. Log in to the command line.
  2. Save the configuration into a UCS archive by typing the following command, replacing <filename> with the filename of your choice:

    bigpipe config save <filename>

    Note: F5 Networks recommends that you name the file the same as the BIG-IP host name, because you will need this information before you restore the configuration.

    By default, the BIG-IP system will save the UCS archive file in the /var/local/ucs directory.

  3. Copy the .ucs file to another system.

    Note: For specific instructions about copying files to and from the BIG-IP system, refer to SOL175: Transferring files to or from an F5 Networks system.

Important: In addition to user accounts, passwords, and critical system files, the UCS archive file contains the SSL private keys that are used with your SSL proxies. It is important to store the backup UCS archives in an environment that is as secure as where you store your private keys.

Note: The backup process described here may be automated using a cron job and passwordless SSH login to a remote system. Sample scripts and instructions for doing so can be found in the DevCentral codeshare: BIGIPBackupScripts, LTM_Backup_Shell_Script. A separate login is required to access DevCentral content.
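
The handling that the Important note above calls for, applied to the save step and to the stored copy, as an added example (it is not F5's code and not one of the DevCentral scripts). The names `ucs_backup`, `ucs_verify`, `ucs_group_other_bits` and `UCS_DIR` are hypothetical; it assumes `bigpipe config save` accepts an absolute path and that `sha256sum` is available on both systems.

```sh
#!/bin/sh
# Added example: hardened wrapper around the page's "bigpipe config save" step.
# Assumptions: UCS_DIR defaults to the page's /var/local/ucs; sha256sum exists
# (substitute md5sum or "openssl dgst" on systems without it).
UCS_DIR="${UCS_DIR:-/var/local/ucs}"

# Print the six group/other permission characters from ls -l, e.g. "------".
ucs_group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Save the running configuration as <hostname>.ucs (the naming the page
# recommends), restrict it to its owner, and write a checksum beside it.
# Prints the archive path on success.
ucs_backup() {
    host="${1:-$(hostname)}"
    archive="$UCS_DIR/$host.ucs"
    (
        umask 077                        # never create the archive world-readable
        bigpipe config save "$archive" >/dev/null
    ) || return 1
    [ -s "$archive" ] || return 1        # refuse a missing or empty archive
    chmod 600 "$archive" || return 1     # it holds private keys and password data
    ( cd "$UCS_DIR" && sha256sum "$host.ucs" > "$host.ucs.sha256" ) || return 1
    chmod 600 "$UCS_DIR/$host.ucs.sha256"
    printf '%s\n' "$archive"
}

# Run where the copy is stored: returns 2 if anyone but the owner can access
# the archive, 3 if its contents no longer match the recorded checksum.
ucs_verify() {
    dir=$(dirname "$1"); file=$(basename "$1")
    [ "$(ucs_group_other_bits "$1")" = "------" ] ||
        { echo "loose permissions: $1" >&2; return 2; }
    ( cd "$dir" && sha256sum -c "$file.sha256" >/dev/null 2>&1 ) ||
        { echo "checksum mismatch: $1" >&2; return 3; }
    return 0
}
```

Copy the `.sha256` file together with the archive, and run `ucs_verify` again on the target system before `bigpipe config install`.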

Restoring configuration data

To restore the BIG-IP system configuration, perform one of the following two procedures:

  • Restoring the configuration data for a system that is currently running system software
  • Installing the operating system and restoring the configuration data to a new system

Restoring the configuration data for a system that is currently running system software

If you are using a system that already has system software running, and you do not want to reinstall the software, perform the following procedure:

  1. Copy the UCS archive file to the system.

    Note: For specific instructions about copying files to and from the BIG-IP system, refer to SOL175: Transferring files to or from an F5 Networks system.
  2. Set the hostname of the system to match the hostname of the system on which the UCS archive was created, by typing one of the following commands:
    • For BIG-IP systems version 9.4.2 and later, type the following command:

      bigpipe system hostname <hostname>
    • For BIG-IP systems versions 9.4.1 and earlier, type the following command:

      hostname <hostname>

    Important: If you do not set the hostname to match the original hostname, the configuration restoration will fail.
  3. Restore the configuration from the UCS archive, by typing the following command, replacing <filename> with the name of your UCS archive file:

    Important: Installing a UCS archive containing configurations for an add-on module, such as BIG-IP WebAccelerator or BIG-IP ASM, will fail if the system is not licensed for the module. If you are restoring a UCS archive containing configurations for a module, you must ensure the system has a valid license before installing the UCS archive. For information about licensing, refer to SOL7752: Overview of licensing the BIG-IP system.

    bigpipe config install <filename>

    Note: You may need to type the absolute filename if the UCS archive is not located in the default directory. For more information, refer to SOL9446: Explicit pathname to UCS archive is required with the 'bigpipe config install' command.

    Important: If you are restoring the backup on a different device than the system on which the backup was created, such as an RMA system, the configuration load may fail with a license error. As a result, a BigDB.dat load error message similar to the following will display:

    b config install /var/local/ucs/backup.ucs
    Installing full configuration on host bigip1.askf5.com
    Saving active configuration...
    Creating UCS for config save request...
    Dec 8 12:00:00 bigip1 mcpd[2395]: 01070608:0: License is not operational
    (expired or digital signature does not match contents).
    Loading the new /config/BigDB.dat failed.
    01080023:3: Error return while getting reply from mcpd: 0x1070370,
    01070370:3: Failover (redundant mode) is not licensed.
    After updating your license, run
    loaddb -local /config/BigDB.dat.cs


    Note: If you did not receive the above error when installing the UCS archive, you can skip to Step 8 below.

    Important: If you are restoring a backup from version 9.4.5 or later (after reinstalling the operating system, replacing a failed system with a new system, or otherwise moving an existing configuration to a new system), the encrypted passphrase(s) for SSL private keys used in the configuration cannot be decrypted, and an error message similar to the following will display:

    BIGpipe client SSL profile creation error:
    01070937:3: Master Key decrypt failure - decrypt failure


    Note: If you receive the above error when installing the UCS archive, refer to SOL9420: Installing a UCS file containing an encrypted passphrase.
  4. If you are running BIG-IP version 9.x software on a 1500, 3400, 4100, 6400, 6800, or 8400 hardware platform, type the following command to verify that the new or replaced SSH keys from the UCS file are synchronized between the BIG-IP and the SCCP:

    keyswap.sh sccp

    Note: For more information about synchronizing SSH keys, refer to SOL3759: Synchronizing SSH keys between the BIG-IP host system and the SCCP.
  5. Reboot the system by typing the following command:

    reboot

    If you installed this system on the same device on which the backup was created, it will load the restored configuration after the system reboots. However, if you restored the backup on a different device, and received the errors noted in Step 3, you will need to perform Steps 6 through 8.
  6. Relicense the system.

    For information about licensing, refer to SOL7752: Overview of licensing the BIG-IP system.
  7. Finish loading the BigDB.dat information by typing the following command:

    Note: You can skip this step if you did not receive the license error listed in Step 3.

    loaddb -local /config/BigDB.dat.cs
  8. Synchronize the BIG-IP system clock with the restored timezone configuration, by typing the following command:

    Note: You may skip this step if you are using versions 9.4.2 and later. As of version 9.4.2, the tw_activate_keys command is not used.

    tw_activate_keys ntp.timezone

Note: If the system you have restored contains the FIPS 140 HSM, you must configure the FIPS 140 HSM Security World after completing this procedure.

Note: For additional information about recovering FIPS information after a system recovery, refer to the Recovering FIPS information after a system failure section in Configuring and Maintaining a FIPS Security Domain.

Installing the operating system and restoring the configuration data to a new system

To install the operating system and restore configuration data to a new system, perform the following procedure:

  1. Network boot the system software from the CD-ROM drive.

    Note: For instructions, refer to SOL4411: Reinstalling BIG-IP or 3-DNS system software from a network boot server.
  2. After the system software installs, reboot the system by typing the following command:

    reboot
  3. Connect to the serial port.
  4. From the command line, type the following command:

    config
  5. Follow the prompts to configure the system with an IP address.
  6. Copy the UCS archive file to the system.

    Note: For specific instructions about copying files to and from BIG-IP, refer to SOL175: Transferring files to or from an F5 Networks system.
  7. Set the hostname of the system to match the hostname of the system on which the UCS archive was created, by typing one of the following commands:
    • For BIG-IP systems version 9.4.2 and later, type the following command:

      bigpipe system hostname <hostname>
    • For BIG-IP systems versions 9.4.1 and earlier, type the following command:

      hostname <hostname>

    Important: If you do not set the hostname to match the original hostname, the configuration restoration will fail.
  8. Restore the configuration from the UCS archive, by typing the following command, replacing <filename> with the name of your UCS archive file:

    Important: Installing a UCS archive containing configurations for an add-on module, such as BIG-IP WebAccelerator or ASM, will fail if the system is not licensed for the module. If you are restoring a UCS archive containing configurations for a module, such as BIG-IP WebAccelerator or ASM, you must ensure the system has a valid license before installing the UCS archive. For information about licensing, refer to SOL7752: Overview of licensing the BIG-IP system.

    bigpipe config install <filename>

    Note: You may need to type the absolute filename if the UCS archive is not located in the default directory. For more information, refer to SOL9446: Explicit pathname to UCS archive is required with the 'bigpipe config install' command.

    Important: If you are restoring the backup on a different device than the system on which the backup was created, such as an RMA system, the configuration load may fail with a license error. As a result, a BigDB.dat load error message similar to the following will display:

    b config install /var/local/ucs/backup.ucs
    Installing full configuration on host bigip1.askf5.com
    Saving active configuration...
    Creating UCS for config save request...
    Dec 8 12:00:00 bigip1 mcpd[2395]: 01070608:0: License is not operational
    (expired or digital signature does not match contents).
    Loading the new /config/BigDB.dat failed.
    01080023:3: Error return while getting reply from mcpd: 0x1070370,
    01070370:3: Failover (redundant mode) is not licensed.
    After updating your license, run
    loaddb -local /config/BigDB.dat.cs

    Note: If you did not receive the above error when installing the UCS archive, you can skip Step 12 below.

    Important: If you are restoring a backup from version 9.4.5 or later (after reinstalling the operating system, replacing a failed system with a new system, or otherwise moving an existing configuration to a new system), the encrypted passphrase(s) for SSL private keys used in the configuration cannot be decrypted, and an error message similar to the following will display:

    BIGpipe client SSL profile creation error:
    01070937:3: Master Key decrypt failure - decrypt failure


    Note: If you receive the above error when installing the UCS archive, refer to SOL9420: Installing a UCS file containing an encrypted passphrase.
  9. If you are running BIG-IP version 9.x software on a 1500, 3400, 4100, 6400, 6800, or 8400 hardware platform, type the following command to verify that the new or replaced SSH keys from the UCS file are synchronized between the BIG-IP and the SCCP:

    keyswap.sh sccp

    Note: For more information, refer to SOL3759: Synchronizing SSH keys between the BIG-IP host system and the SCCP.
  10. Reboot the system by typing the following command:

    reboot

    If you installed this system on the same device on which the backup was created, after the system reboots, it will load the restored configuration; however, if you restored the backup on a different device, and received the errors noted in Step 8, then perform Steps 11 through 13.
  11. Relicense the system.

    Note: For more information about licensing, refer to SOL7752: Overview of licensing the BIG-IP system.
  12. Finish loading the BigDB.dat information by typing the following command:

    Note: You can skip this step if you did not receive the license error listed in Step 8.

    loaddb -local /config/BigDB.dat.cs
  13. Synchronize the BIG-IP system clock with the restored timezone configuration, by typing the following command:

    tw_activate_keys ntp.timezone

Note: As of version 9.4.2, the tw_activate_keys command is not used and this step can be skipped for those using versions 9.4.2 and later.

Note: If the system you have restored contains the FIPS 140 HSM, you must now configure the FIPS 140 HSM Security World.

Note: For additional information about recovering FIPS information after a system recovery, refer to the Recovering FIPS information after a system failure section in Configuring and Maintaining a FIPS Security Domain.
