Migrating a Configuration from an Older HW Model (Cx70) to a New HW Model (Cx95)

Introduction

During a hardware (HW) life cycle, customers may have an older model appliance that is later replaced by newer HW.  As AsyncOS versions update, the supported version will reach an End-of-Life (EoL) and End-of-Support (EoS) status.  There is a time where the EoL/EoS and HW life cycle reach a point where the version of AsyncOS cannot be upgraded in order to match the version of AsyncOS shipped and installed on the newer HW. (I.e., Cisco Email Security Cx70 > Cisco Email Security Cx95.)

This document will provide administrator options to bridge the gap between versions in order to migrate their existing configuration from their older HW to their new HW.

Overview

Prerequisites

1. Review the Cisco End-of-Sale and End-of-Life Products page
2. Determine the version of AsyncOS running on both existing HW and new HW:
   • Cx70 (or other HW model) [This is the EXISTING production ESA.]
   • Cx95 (or other HW model) [This is the ESA REPLACING the production ESA.]
     • Steps:
       • CLI, run the command version
       • UI, navigate to Monitor > System Info

3. A basic understanding of clustering for Cisco Email Security Appliances
4. Determine if existing HW is already in a cluster
   • CLI, run the command clusterconfig
   • UI, navigate to Monitor > any
     • If you see “Mode – Cluster: cluster_name”, your appliances are running in a clustered configuration

5. Download Cisco Email Security Virtual Appliance (vESA):
   • In order to match Cx70 supported versions, download 11.0.0-274:
     • https://software.cisco.com/download/home/284900944/type/282975113/release/11.0.0

6. Obtain a license for vESA by one of two methods:
   1. 45-day temp key from the license manager
   2. Request XML for existing HW from the license manager

Upgrade Older HW (Cx70) to Latest AsyncOS

This document will use Cx70 as the base appliance that is being replaced.  All Cx70 models have an EoS at AsyncOS 11.0.x.  In order to bridge any gap between AsyncOS revisions, you will need to migrate your existing configuration into a vESA and then utilize that vESA to sync the configuration to the new appliance(s).

In order to migrate your existing configuration to new hardware, upgrade the appliance(s) to the latest AsyncOS General Deployment (GD) or Maintenance Deployment (MD) release for your appliance.

Upgrade Existing Cx70/HW to 11.0.3-238 (MD)

From the Release Notes for AsyncOS 11.0 for Cisco Email Security Appliances, use the following instructions to upgrade your Email Security appliance:

1. Save the XML configuration file of the appliance.
2. If you are using the Safelist/Blocklist feature, export the Safelist/Blocklist database off the appliance.
3. Suspend all listeners.
4. Wait for the queue to empty.
5. From the System Administration tab, select the System Upgrade
6. Click the Available Upgrades The page refreshes with a list of available AsyncOS upgrade versions.
7. Click the Begin Upgrade button and your upgrade will begin. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to reboot your appliance.
8. Resume all listeners.

Post-reboot, validate the version of AsyncOS running:

• CLI, run the command version
• UI, navigate to Monitor > System Info

Note: If you have multiple appliances already running in a cluster configuration you can skip the next section.

Create a Cluster (on Existing Cx70/HW)

Creating a cluster allows you to share an existing configuration.  Please refer to the User Guide for information on Centralized Management Using Clusters.  Use the clusterconfig > Create a new cluster command, similar to the following:

C170.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> migration.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.56 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C170.local using IP address 10.10.10.56 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 07:47:59 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)

Utilizing a vESA to Bridge Configuration to New HW (Cx95)

This document will use Cx70 as the base appliance that is being replaced.  All Cx70 models have an EoS at AsyncOS 11.0.x.  In order to bridge any gap between AsyncOS revisions, you will need to migrate your existing configuration into a vESA and then utilize that vESA to sync the configuration to the new appliance(s).

Deploy Your vESA

From the pre-requisites, download the vESA image and deploy per the Cisco Content Security Virtual Appliance Installation Guide.

Note: The installation guide provides information regarding DHCP (interfaceconfig) and set the default gateway (setgateway) on your virtual host, and also loading the virtual appliance license file.  Please be sure that you have read and deployed as instructed.

Upgrade Your vESA to Match Cx70

Once the vESA is deployed, validate the version of AsyncOS running:

• CLI, run the command version
• UI, navigate to Monitor > System Info

As you have upgraded the version of AsyncOS for our Cx70 to 11.0.3-238, you will need to also have the vESA running the same, matching version of AsyncOS for Email Security. (I.e., 11.0.3-238 : 11.0.3-238, not 11.0.0-274 : 11.0.3-238.)

1. From the System Administration tab, select the System Upgrade
2. Click the Available Upgrades The page refreshes with a list of available AsyncOS upgrade versions.
3. Click the Begin Upgrade button and your upgrade will begin. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to reboot your appliance.

Post-reboot, validate the version of AsyncOS running:

• CLI, run the command version

UI, navigate to Monitor > System Info

Join Your vESA to Your ESA Cluster

From the CLI on the vESA, run clusterconfig > Join an existing... to add your vESA into your cluster, similar to the following:

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.56

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:22:44:aa:cc:55:ff:ff:11:66:77:ee:66:77:77:aa
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster migration.local)>

At this time your vESA now has the same configuration that your existing Cx70/HW is running.

Run the clustercheck command to validate sync and verify if there are any inconsistencies between the existing vESA and your Cx95.  (See "Cluster Inconsistencies" for more information.)

Note: Your vESA is NOT processing mail.  Just to reassure, you would have had to add the vESA into your DNS records as an additional MX or have included in any load balancing pool external to the ESA. 

Remove Your vESA From Your ESA Cluster

From the CLI on the vESA, please run clusterconfig and remove the appliance from the cluster using the removemachine operation:

(Cluster migration.local)> clusterconfig

Cluster migration.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. C170.local (group Main_Group)
2. vESA.local (group Main_Group)
[1]> 2

Warning:
- You are removing the machine you are currently connected to, and you will no longer be able to access the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

Upgrade Your vESA and Cx95 to 12.5.x

At this time in your configuration migration, you will need to upgrade the vESA to match the revision of your new HW/Cx95.  This document will assume you are using a Cx95 as the appliance that is replacing the Cx70. 

Cx95 HW is shipped running AsyncOS 11.5.x.  Cisco recommends upgrading from 11.5.x to 12.5.x.

The vESA will need to be running the same, matching version of AsyncOS for Email Security. (I.e., 12.5.0-059 : 12.5.0-059, not 11.0.3-238 : 12.5.0-059.)

Prior to upgrading, you will need to change the dynamic host setting on the vESA.  [Explanation of why this is needed: when vESA was joined to the Cx70 cluster, it assumed the cluster config for HW updater (update-manifests.ironport.com 443).  At this time, in order to upgrade the vESA, it needs to be re-pointed to the VM updater.].

To complete this, from the CLI run the following:

1. updateconfig
2. dynamichost (*This is a hidden command ONLY at this point of the updateconfig)
3. Enter in the following: update-manifests.sco.cisco.com 443
4. Press Enter one time to return to the main CLI prompt
5. Run Commit to save your configuration changes.

To upgrade the vESA and Cx95:

1. From the System Administration tab, select the System Upgrade
2. Click the Available Upgrades The page refreshes with a list of available AsyncOS upgrade versions.
3. Click the Begin Upgrade button and your upgrade will begin. Answer the questions as they appear. When the upgrade is complete, click the Reboot Now button to reboot your appliance.

Post-reboot, validate the version of AsyncOS running:

• CLI, run the command version
• UI, navigate to Monitor > System Info

Complete the Configuration Migration to New HW/Cx95

For this document, it is assumed that you have already received, racked, powered, and completed basic network configuration of your new HW (I.e., Cx95).  For further information on the Cx95, please see the Cisco Email Security Appliance C195, C395, C695, and C695F Getting Started Guide.

Create a New Cluster (on vESA)

If you wish to re-use the same cluster name, create using the same cluster name from Cx70 cluster.  Or, create a new cluster with a new cluster name.  This is a repeat of the steps from earlier, just now on the vESA:

vESA.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> newcluster.local

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1

What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.58 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1

Other machines will communicate with Machine C195.local using IP address 10.10.10.58 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.

Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

Join Your Cx95 to Your ESA Cluster

From the CLI on the Cx95, run clusterconfig > Join an exisiting... to add your Cx95 into your new cluster configured on your vESA, similar to the following:

C195.local> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining.  To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster.  These settings on this machine will remain intact.

Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> 10.10.10.58

Enter the remote port to connect to.  This must be the normal admin ssh port, not the CCS port.
[22]>

Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n

Enter the name of an administrator present on the remote machine
[admin]>

Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:11:33:aa:bb:44:ee:ee:22:77:88:ff:77:88:88:bb
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster newcluster.local

Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>

(Cluster newcluster.local)>

Repeat the process to join additional Cx95 to your cluster. 

At this time your Cx95 now has the same configuration that your existing Cx70/HW and vESA are running.

Run the clustercheck command to validate sync and verify if there are any inconsistencies between the existing vESA and your Cx95.  (See "Cluster Inconsistencies" for more information.)

Similar to the steps from Part Two for the vESA, you will need to set updateconfig to point to the HW updater.  To complete this, from the CLI run the following:

1. updateconfig
2. dynamichost (*This is a hidden command ONLY at this point of the updateconfig)
3. Enter in the following: update-manifests.ironport.com 443
4. Press Enter one time to return to the main CLI prompt
5. Run Commit to save your configuration changes.

Configuration Migration is Complete!

Post Migration Cleanup and Options

Cx70 > Cx95

At this time, you will need to make decisions for powering down the Cx70 appliances and migrating your existing IP addresses and associated hostnames to the Cx95.  Items to review during this process are:

• UI:
  • Network > IP Interface [step through each interface that is active, and any associated Hostname assigned to each interface]
• CLI:
  • setgateway
  • sethostname

Cx00V

You will also wish to decide how to proceed with your virtual ESA.  To remove this from the existing cluster by running clusterconfig > removemachine and choose the number of the virtual appliance to remove from the cluster:

(Cluster newcluster.local)> clusterconfig

Cluster cluster

Choose the operation you want to perform:

- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]> removemachine

Choose the machine to remove from the cluster.
1. vESA.local (group Main_Group)
2. C195.local (group Main_Group)
[1]> 1

Warning:
- This is the last machine in the cluster.  Removing it from the cluster will destroy the cluster.
- This change will happen immediately without a commit.
Are you sure you want to continue? [N]> y

Please wait, this operation may take a minute...
Machine vESA.local removed from the cluster.

Ideas for post-migration use of the virtual appliance:

• Used a lab or test appliance
• Used to demo future versions/releases of AsyncOS prior to any deployments for the production environment
• Spare ESA for redundancy or future growth

Licensing for vESA

Create a Demo License

1. Go to the Cisco License Registration Portal (LRP): cisco.com/go/license
2. Log in with your Cisco account ID
3. Click Licenses
4. From the Get Licenses drop-down, choose Demo and evaluation...
5. From the pop-up, choose the Product Family: Security Products and Product: Cisco Email/Web/Content Security Virtual Demo License
6. You will then select the Product for one of the following:

• ESA Virtual Appliance 45 Day Demo License
• WSA Virtual Appliance 45 Day Demo License
• SMA Virtual Appliance 45 Day Demo License

7. Click Next
8. For SN / Virtual Device Identifier, you may enter in the serial of your existing, fully licensed appliance, or leave blank and click Next.
9. Finally, review the Send To, End User fields; click .. to include additional recipients
10. Click Submit to complete the demo license request
11. Check the email address as entered from earlier steps, as the demo license will be sent to that email address

Note: Your virtual license file will be sent in XML format and received within three hours to the email address as you have specified.

Share an Existing License

1. Go to the Cisco License Registration Portal (LRP): cisco.com/go/license
2. Log in with your Cisco account ID
3. Click Licenses
4. From the Move Licenses drop-down, choose Share License...
5. Choose the Get Activation Codes option
6. You will be presented with a pop-up window. Choose IronPort Product - SW Bundles (if you have an existing software bundle) or IronPort Product - TC (if you have individual products)
7. Enter an existing ESA/WSA/SMA serial number in the Source Serial Number/Virtual Device Identifier field. If you have multiple ESAs, WSAs, or SMAs, choose one that has the same licenses that you want to be enabled on your virtual appliance
8. For the Select Destination Appliance Type option, choose the Virtual button
9. Leave the Target Serial Number/Virtual Device Identifier field BLANK
10. In the Send To field, enter the email address to which the activation code should be sent
11. If you have previously stepped through the license request, you may be presented with existing VLN(s), choose as needed
12. Click Request Code
13. Once you receive the activation code, repeat steps #3 and #4 (listed above). Once you reach step #5, choose the Use Activation Codes option
14. Paste in the provided activation code and click Next
15. Choose the Cisco ESA/WSA software SKUs that should be embedded on the Cisco virtual ESA/virtual WSA/virtual SMA license. Click Next
16. Enter the email address to which the license should be sent
17. Finally, click Get License

Note: Your virtual license file will be sent in XML format and received within three hours to the email address as you have specified.

Qualified Upgrade Paths

Cluster Inconsistencies

After upgrading to AsyncOS 12.x, if your appliances are in the cluster mode and DLP is configured, inconsistency in the DLP settings is seen when you run the clustercheck command using the CLI.

To resolve this inconsistency, force the entire cluster to use the DLP configuration of any of the other machines in the cluster. Use the following prompt “How do you want to resolve this inconsistency?” in the clustercheck command as shown in the following example:

(Cluster)> clustercheck
Checking DLP settings...
Inconsistency found!
DLP settings at Cluster test:
mail1.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com mail2.example.com was updated Wed Jan 04 05:52:57 2017 GMT by 'admin' on mail2.example.com How do you want to resolve this inconsistency?

1. Force the entire cluster to use the mail1.example.com version.

2. Force the entire cluster to use the mail2.example.com version.

3. Ignore.
[3]>

Please be sure that you read the release notes for the version of AsyncOS that is running on your ESA.

Additional Reference: ESA Cluster Requirements and Setup