Introduction
This document describes the process for replacing a virtual Email Security Appliance (vESA) and a virtual Security Management Appliance (vSMA) when an upgrade fails because of a small Nextroot partition.
Related defects: ESA CSCvy69068 and SMA CSCvy69076
Background
Originally, the virtual ESA and virtual SMA images shipped with a Nextroot partition smaller than 500M. Over the years, as AsyncOS releases added features, the upgrade process has needed more and more of this partition. Upgrades are now failing because of the partition size, so this document provides details on the solution: deploying a new virtual image whose Nextroot partition is 4GB.
Symptoms
An older vESA or vSMA image with a Nextroot partition smaller than 500M may fail to upgrade with the following error.
...
...
...
Finding partitions... done.
Setting next boot partition to current partition as a precaution... done.
Erasing new boot partition... done.
Extracting eapp done.
Extracting scanerroot done.
Extracting splunkroot done.
Extracting savroot done.
Extracting ipasroot done.
Extracting ecroot done.
Removing unwanted files in nextroot done.
Extracting distroot
/nextroot: write failed, filesystem is full
./usr/share/misc/termcap: Write failed
./usr/share/misc/pci_vendors: Write to restore size failed
./usr/libexec/getty: Write to restore size failed
./usr/libexec/ld-elf.so.1: Write to restore size failed
./usr/lib/libBlocksRuntime.so: Write to restore size failed
./usr/lib/libBlocksRuntime.so.0: Write to restore size failed
./usr/lib/libalias.so: Write to restore size failed
./usr/lib/libarchive.so: Write to restore size failed
Solution
To ensure the virtual ESA/SMA can be upgraded, first use the CLI command ipcheck to verify that the Nextroot partition size is 4GB.
(lab.cisco.com) > ipcheck
<----- Snippet of relevant section from the output ----->
Root 4GB 7%
Nextroot 4GB 1%
Var 400MB 3%
Log 172GB 3%
DB 2GB 0%
Swap 6GB
Mail Queue 10GB
<----- End of snippet ----->
If the Nextroot partition is smaller than 4GB, follow the steps below to migrate the current VM template to the newer image.
Step 1:
Deploy the new vESA/vSMA
From the prerequisites, download the virtual ESA/SMA image and deploy it according to the Cisco Content Security Virtual Appliance Installation Guide.
Note: The installation guide provides information on DHCP (interface configuration), setting the default gateway on the virtual host (setgateway), and loading the virtual appliance license file. Make sure you have read it and deployed as instructed.
Step 2:
License the new vESA/vSMA
Once the new virtual ESA or SMA is deployed, load the license file. For virtual appliances the license is delivered as an XML file and must be loaded through the CLI. In the CLI, use the loadlicense command and follow the prompts to complete the license import.
If you need more details on loading or obtaining the license file, see the article: Best Practices for Virtual ESA, Virtual WSA, or Virtual SMA Licenses.
Step 3:
Ensure the new vESA/vSMA runs the same version as the original vESA/vSMA. If it does not, upgrade the vESA/vSMA to the older version so that both appliances are on the same version. Use the upgrade command and follow the prompts until you reach the required version.
Step 4. [vESA only; skip for vSMA]
Note: This step assumes you do not have an existing cluster. If a cluster already exists in the current configuration, simply add the new vESA to that cluster to replicate the current configuration, then remove the new machine to start the upgrade process.
Create a new cluster
On the original vESA, run the command clusterconfig to create a new cluster.
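As an added example (not part of the original document or Cisco's own tooling), the following Python check parses the partition lines of an ipcheck run and reports whether the Nextroot partition meets the 4GB requirement; the line layout "name size[unit] [used%]" and both sample outputs are assumptions constructed to match the snippet above.

```python
import re

# Constructed sample: the relevant ipcheck lines from an appliance on the new 4GB image.
IPCHECK_OK = """\
Root 4GB 7%
Nextroot 4GB 1%
Var 400MB 3%
Log 172GB 3%
DB 2GB 0%
Swap 6GB
Mail Queue 10GB
"""

# Constructed sample resembling a legacy image whose Nextroot is below 500M.
IPCHECK_LEGACY = """\
Root 4GB 7%
Nextroot 400MB 60%
Var 400MB 3%
"""

# Sizes are normalised to megabytes; ipcheck prints M/MB and G/GB suffixes.
UNITS = {"M": 1, "MB": 1, "G": 1024, "GB": 1024}
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z ]+?)\s+(?P<size>\d+)(?P<unit>[GM]B?)(?:\s+(?P<used>\d+)%)?\s*$"
)

def parse_ipcheck(text):
    """Return {partition_name: (size_mb, used_pct_or_None)} for every parsable line."""
    parts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner text or other ipcheck output; ignore it
        size_mb = int(m["size"]) * UNITS[m["unit"]]
        used = int(m["used"]) if m["used"] else None
        parts[m["name"].strip()] = (size_mb, used)
    return parts

def nextroot_needs_migration(text, required_mb=4 * 1024):
    """True when Nextroot is absent or smaller than the 4GB the upgrade needs."""
    parts = parse_ipcheck(text)
    if "Nextroot" not in parts:
        return True  # size cannot be confirmed; treat the appliance as needing review
    return parts["Nextroot"][0] < required_mb
```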
OriginalvESA.local> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2
Enter the name of the new cluster.
[]> OriginalCluster.local
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1
What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.58 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1
Other machines will communicate with Machine C195.local using IP address 10.10.10.58 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.
Cluster OriginalCluster.local
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster OriginalCluster.local)>
Step 5. [vESA only; skip for vSMA]
Join the new vESA to the original ESA cluster
From the CLI of the new vESA, run the command clusterconfig > Join an existing... to add the new vESA to the new cluster configured on the original vESA.
NewvESA.cisco.com> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 10.10.10.58
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:11:33:aa:bb:44:ee:ee:22:77:88:ff:77:88:88:bb
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster OriginalCluster.local
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster OriginalCluster.local)>
Once connected and synchronized, the new vESA has the same configuration as the existing vESA.
Run the command clustercheck to verify the synchronization and confirm there are no inconsistencies between the machines to be upgraded.
Step 6. [vSMA only; skip for vESA]
Review the prerequisites for SMA data backup listed here.
Use the CLI command backupconfig on the appliance that must be replaced to schedule a backup to the newly deployed vSMA.
Start an immediate backup
- Log in to the original SMA CLI as an administrator.
- Enter backupconfig.
- Choose Schedule.
- Enter the IP address of the new machine to which the data should be transferred.
- The "source" SMA validates that the "target" SMA exists and has enough space to accept the data.
- Select 3 (start a single backup now).
- Enter view or status to verify that the backup was scheduled successfully.
Note: The time a data backup takes to complete varies with data size, network bandwidth, and similar factors.
Once the backup is complete, the new vSMA holds all the data from the previous SMA.
To configure the new machine as the primary appliance, see the steps outlined here.
Step 7.
If you need to deploy more than one ESA/SMA, repeat steps 1-6.
Related Information
Cisco Content Security Virtual Appliance Installation Guide
ESA Cluster Requirements and Setup
SMA End User Guide