Guidelines for Out-of-Band Configuration
Supported Feature Areas in Recovery-Config Mode
You can configure the following feature areas at the diagnostic CLI in recovery-config mode:
- Interfaces
- Static Routes
- Dynamic Routing: BGP and OSPF
- Prefilters
- Site-to-site VPN
These are the same commands as in the diagnostic CLI; see the ASA command reference for details on each command.
Unsupported Features
- Not supported in multi-instance mode.
- You cannot add or delete EtherChannels.
- Some platform-dependent interface commands such as speed, duplex, and shutdown are not supported.
High Availability and Clustering
- Recovery-config mode is only available on the active/control node.
- If a failover or cluster switchover occurs before you exit the recovery-config-mode session, the management center will not detect the change on the new active/control node. We recommend re-entering recovery-config mode on the new active/control node and making a small change, which triggers discovery of all of your previous changes. Otherwise, if you do not manually match the changes in the management center, they will be overwritten at deployment without any notification.
- If you make out-of-band configuration changes on the active/control node and, before a configuration sync, the high availability pair or cluster enters "split brain" (multiple nodes become active/control because of a failover-link or cluster-control-link failure), the changes are lost if a different node is active/control once the pair or cluster returns to a healthy state.
- While a recovery-config-mode session is active, new nodes cannot join or rejoin the high availability pair or cluster. Exit the session to let them join.
Additional Guidelines
- To modify an existing rule or route, delete the existing entry with the no form of the command and then re-add it in its modified form. Re-entering the command with new values does not replace the original entry; for a route, it adds a second route alongside the first. Deleting first avoids such conflicts and errors. For example:
Incorrect:
firepower# show running-config route
route outside 10.0.0.0 255.0.0.0 20.1.1.1 1
firepower# configure recovery-config
CAUTION: The config CLI is for emergency use only. Use the config CLI if the management center is unreachable, and use it only under exceptional circumstances, such as loss of connectivity or to restore manager access. Do not change management center's auto-generated configurations. After your management center is reachable, manually make the same configuration changes in the management center. The management center cannot implement them automatically. When you deploy from the management center, out-of-band configuration changes will be overwritten. Also, node join will be blocked till config CLI session is active, so make sure to exit from the config CLI after changes are made.
Would you like to proceed ? [Y]es/[N]o: y
firepower(recovery-config)# route outside 10.0.0.0 255.0.0.0 30.1.1.1
firepower(recovery-config)# exit
Unsaved changes are not kept if you reboot.Save changes to memory ? [Y]es/[N]o: y
Cryptochecksum: ccfc11a8 4e46d55e 0c99b5ae 3b18a8f1
3939 bytes copied in 0.70 secs
firepower# show running-config route
route outside 10.0.0.0 255.0.0.0 20.1.1.1 1
route outside 10.0.0.0 255.0.0.0 30.1.1.1 1
firepower#
In this case, a second route is added instead of replacing the first route.
Correct:
firepower# show running-config route
route outside 10.0.0.0 255.0.0.0 20.1.1.1 1
firepower# configure recovery-config
CAUTION: The config CLI is for emergency use only. Use the config CLI if the management center is unreachable, and use it only under exceptional circumstances, such as loss of connectivity or to restore manager access. Do not change management center's auto-generated configurations. After your management center is reachable, manually make the same configuration changes in the management center. The management center cannot implement them automatically. When you deploy from the management center, out-of-band configuration changes will be overwritten. Also, node join will be blocked till config CLI session is active, so make sure to exit from the config CLI after changes are made.
Would you like to proceed ? [Y]es/[N]o: y
firepower(recovery-config)# no route outside 10.0.0.0 255.0.0.0 20.1.1.1
firepower(recovery-config)# route outside 10.0.0.0 255.0.0.0 30.1.1.1
firepower(recovery-config)# exit
Unsaved changes are not kept if you reboot.Save changes to memory ? [Y]es/[N]o: y
Cryptochecksum: 81bcc51d 43771bbd 15b6dde6 afeb3442
3945 bytes copied in 0.70 secs
firepower# show running-config route
route outside 10.0.0.0 255.0.0.0 30.1.1.1 1
firepower#
- If you have auto rollback enabled (see Edit Deployment Settings) and you lose management connectivity because of a deployment, do not start an out-of-band configuration session. Instead, either wait 20 minutes for auto rollback to the previous deployment to occur, or manually roll back at the CLI using the configure policy rollback command (see Manually Roll Back the Configuration if the Management Center Loses Connectivity). If the management connection is still down when auto rollback runs, it overwrites any out-of-band configuration changes.
- For prefilter rules, we do not recommend adding completely new rules (the access-control advanced command). Integrating a prefilter rule with the intrusion policy and with logging requires the management center, which generates the rule ID and ties the rule into the other policies.
- All recovery-config-mode sessions are logged in syslog with the username "enable_15".
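The following script is an added example and is not code from the Cisco documentation or from the Secure Firewall product. It ties together two of the guidelines above: it extracts the commands typed in recovery-config sessions from syslog (using the "enable_15" username the page says such sessions are logged under) and flags a session that was never exited, which is the state that blocks node join; it then replays the static-route commands the way the "Incorrect" and "Correct" transcripts show the CLI behaving, so you can see exactly which entries to re-create in the management center. Assumptions: the syslog lines are constructed in the style of ASA message 111008 ("User 'x' executed the 'y' command"); the exact message IDs and format on your devices should be checked against the ASA syslog reference. A bare exit is taken as the end of a session, and the route replay is a planning model that covers only route / no route, not the device's full route-table logic.

```python
"""Reconcile changes made in recovery-config mode (added example, not Cisco code).

Step 1 pulls the commands typed in recovery-config sessions out of syslog, using
the "enable_15" username the page says such sessions are logged under, and flags
a session that was never exited (which blocks node join).  Step 2 replays the
static-route commands the way the page's transcripts show the CLI behaving: a
new 'route' for an existing destination is added beside the old one, never
merged, so a change must be 'no route ...' followed by 'route ...'.
ASSUMPTION: syslog lines are constructed in the style of ASA message 111008
("User 'x' executed the 'y' command"); verify the IDs/format your devices emit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OOB_USER = "enable_15"                    # from the page
ENTER_CMD = "configure recovery-config"   # from the page's transcript
SYSLOG_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command")
ROUTE_RE = re.compile(r"^route\s+(?P<iface>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)"
                      r"\s+(?P<gw>\S+)(?:\s+(?P<metric>\d+))?\s*$")


def recovery_sessions(lines: list[str]) -> list[dict]:
    """Group syslog lines into sessions opened by enable_15 running
    'configure recovery-config' and closed by 'exit' (assumption: nested
    sub-mode exits are not modelled)."""
    sessions, current = [], None
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        user, cmd = m["user"], m["cmd"]
        if current is None:
            if user == OOB_USER and cmd == ENTER_CMD:
                current = {"commands": [], "closed": False}
        elif cmd == "exit":
            current["closed"] = True
            sessions.append(current)
            current = None
        else:
            current["commands"].append(cmd)
    if current is not None:   # never exited: node join/rejoin stays blocked
        sessions.append(current)
    return sessions


@dataclass(frozen=True)
class Route:
    iface: str
    net: str
    mask: str
    gw: str
    metric: int = 1   # running-config shows '1' when the metric was omitted

    def command(self) -> str:
        return f"route {self.iface} {self.net} {self.mask} {self.gw} {self.metric}"


def parse_routes(show_output: str) -> list[Route]:
    """Parse the 'route ...' lines of 'show running-config route'."""
    found = [ROUTE_RE.match(l.strip()) for l in show_output.splitlines()]
    return [Route(m["iface"], m["net"], m["mask"], m["gw"], int(m["metric"] or 1))
            for m in found if m]


def replay_routes(routes: list[Route], commands: list[str]) -> list[Route]:
    """Apply 'route' / 'no route' as the page's transcripts show: append unless
    the exact entry exists, remove on 'no' (metric ignored if the 'no' form
    omits it).  Other commands are ignored.  A planning model, not device logic."""
    table = list(routes)
    for cmd in commands:
        negate = cmd.startswith("no ")
        m = ROUTE_RE.match(cmd[3:] if negate else cmd)
        if not m:
            continue
        key = (m["iface"], m["net"], m["mask"], m["gw"])
        if negate:
            table = [r for r in table if (r.iface, r.net, r.mask, r.gw) != key
                     or (m["metric"] is not None and r.metric != int(m["metric"]))]
        elif (r := Route(*key, int(m["metric"] or 1))) not in table:
            table.append(r)
    return table


# Constructed sample input (not real device output): one session that replaces
# a route the recommended way, then a second session that was never exited.
SAMPLE_SYSLOG = """\
Jan 10 10:01:02 fw1 %ASA-5-111008: User 'enable_15' executed the 'show running-config route' command.
Jan 10 10:01:20 fw1 %ASA-5-111008: User 'enable_15' executed the 'configure recovery-config' command.
Jan 10 10:01:31 fw1 %ASA-5-111008: User 'enable_15' executed the 'no route outside 10.0.0.0 255.0.0.0 20.1.1.1' command.
Jan 10 10:01:40 fw1 %ASA-5-111008: User 'enable_15' executed the 'route outside 10.0.0.0 255.0.0.0 30.1.1.1' command.
Jan 10 10:01:45 fw1 %ASA-5-111008: User 'enable_15' executed the 'exit' command.
Jan 10 11:30:00 fw1 %ASA-5-111008: User 'enable_15' executed the 'configure recovery-config' command.
Jan 10 11:30:09 fw1 %ASA-5-111008: User 'enable_15' executed the 'route outside 10.0.0.0 255.0.0.0 40.1.1.1' command.
"""
SAMPLE_RUNNING_CONFIG = "route outside 10.0.0.0 255.0.0.0 20.1.1.1 1"   # from the page

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_RUNNING_CONFIG)
    for n, s in enumerate(recovery_sessions(SAMPLE_SYSLOG.splitlines()), 1):
        routes = replay_routes(routes, s["commands"])
        state = "closed" if s["closed"] else "STILL OPEN: node join blocked"
        print(f"session {n} ({state}):", *[r.command() for r in routes], sep="\n  ")
```

Running the script on the constructed sample shows the first session replacing 20.1.1.1 with 30.1.1.1 (one route remains) and the second, still-open session adding a 40.1.1.1 route beside it; the open session is what you would look for when nodes are unexpectedly unable to join, and the final route list is what must be matched by hand in the management center before the next deployment.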