Introduction
This document describes the procedure for replacing a virtual Email Security Appliance (vESA) or virtual Security Management Appliance (vSMA) when an upgrade fails because the nextroot partition is too small.
Related defects: ESA: CSCvy69068 and SMA: CSCvy69076
Background
Originally, the virtual ESA and virtual SMA images were built with a nextroot partition smaller than 500M. Over the years, as newer AsyncOS releases with additional features were introduced, upgrades have had to use more and more of this partition during the upgrade process. We are now starting to see upgrades fail because of the size of this partition, and want to provide details of the solution, which is to deploy a new virtual image whose nextroot partition is 4GB or larger.
Symptoms
An older vESA or vSMA image whose nextroot partition is smaller than 500M may fail to upgrade with the following error.
...
...
...
Finding partitions... done.
Setting next boot partition to current partition as a precaution... done.
Erasing new boot partition... done.
Extracting eapp done.
Extracting scanerroot done.
Extracting splunkroot done.
Extracting savroot done.
Extracting ipasroot done.
Extracting ecroot done.
Removing unwanted files in nextroot done.
Extracting distroot
/nextroot: write failed, filesystem is full
./usr/share/misc/termcap: Write failed
./usr/share/misc/pci_vendors: Write to restore size failed
./usr/libexec/getty: Write to restore size failed
./usr/libexec/ld-elf.so.1: Write to restore size failed
./usr/lib/libBlocksRuntime.so: Write to restore size failed
./usr/lib/libBlocksRuntime.so.0: Write to restore size failed
./usr/lib/libalias.so: Write to restore size failed
./usr/lib/libarchive.so: Write to restore size failed
Solution
To make sure the virtual ESA/SMA can be upgraded, first check whether the nextroot partition size is 4GB with the CLI command ipcheck.
(lab.cisco.com) > ipcheck
<----- Snippet of relevant section from the output ----->
Root 4GB 7%
Nextroot 4GB 1%
Var 400MB 3%
Log 172GB 3%
DB 2GB 0%
Swap 6GB
Mail Queue 10GB
<----- End of snippet ----->
If the nextroot partition is smaller than 4GB, follow the steps below to migrate the current virtual machine template to a newer image.
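The following script is an added example, not part of this document or of the AsyncOS CLI: it parses the partition lines of `ipcheck` output (as pasted from an SSH session) and decides whether the nextroot partition is below the 4GB needed for current upgrades, and it also recognizes the "filesystem is full" signature from the Symptoms section in a saved upgrade log. The size-unit handling (M, MB, GB) and the sample outputs are constructed for the example; the function names are hypothetical.

```python
import re

# Constructed samples shaped like the relevant lines of `ipcheck` output:
# "<partition name> <size> [<used>%]".
SAMPLE_IPCHECK_OLD_IMAGE = """\
Root 4GB 7%
Nextroot 500MB 80%
Var 400MB 3%
Log 172GB 3%
DB 2GB 0%
Swap 6GB
Mail Queue 10GB
"""

SAMPLE_IPCHECK_NEW_IMAGE = """\
Root 4GB 7%
Nextroot 4GB 1%
Var 400MB 3%
Log 172GB 3%
DB 2GB 0%
Swap 6GB
Mail Queue 10GB
"""

# Constructed excerpt of an upgrade log showing the failure signature.
SAMPLE_UPGRADE_LOG = """\
Removing unwanted files in nextroot done.
Extracting distroot
/nextroot: write failed, filesystem is full
./usr/share/misc/termcap: Write failed
"""

# Upgrades on current images expect a 4GB nextroot partition.
MIN_NEXTROOT_BYTES = 4 * 1024 ** 3

# Accept the unit spellings seen in ipcheck output and in this document (500M, 400MB, 4GB).
_SIZE_UNITS = {"B": 1, "K": 1024, "KB": 1024, "M": 1024 ** 2,
               "MB": 1024 ** 2, "G": 1024 ** 3, "GB": 1024 ** 3}

# Partition names may contain a space ("Mail Queue"); the used% column is optional.
_PARTITION_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s*(?P<unit>[KMG]?B?)\b"
    r"(?:\s+(?P<used>\d+)%)?\s*$"
)


def parse_size(size: str, unit: str) -> int:
    """Convert a number plus unit (e.g. '500', 'MB') to bytes."""
    return int(float(size) * _SIZE_UNITS[unit.upper() or "B"])


def parse_ipcheck(text: str) -> dict:
    """Return {partition name (lower-case): {'bytes': int, 'used_pct': int|None}}.

    Lines that do not look like a partition entry (prompt, snippet markers,
    '...') are skipped.
    """
    partitions = {}
    for line in text.splitlines():
        match = _PARTITION_RE.match(line)
        if not match:
            continue
        used = match.group("used")
        partitions[match.group("name").strip().lower()] = {
            "bytes": parse_size(match.group("size"), match.group("unit")),
            "used_pct": int(used) if used is not None else None,
        }
    return partitions


def nextroot_needs_migration(ipcheck_text: str) -> bool:
    """True when the nextroot partition is smaller than 4GB and the appliance
    must be migrated to a new image before it can be upgraded."""
    partitions = parse_ipcheck(ipcheck_text)
    if "nextroot" not in partitions:
        raise ValueError("no Nextroot line found in ipcheck output")
    return partitions["nextroot"]["bytes"] < MIN_NEXTROOT_BYTES


def upgrade_failed_nextroot_full(log_lines) -> bool:
    """True when an upgrade log contains the nextroot-full failure signature."""
    return any("/nextroot: write failed, filesystem is full" in line
               for line in log_lines)


if __name__ == "__main__":
    for label, sample in (("old image", SAMPLE_IPCHECK_OLD_IMAGE),
                          ("new image", SAMPLE_IPCHECK_NEW_IMAGE)):
        verdict = "migrate to new image" if nextroot_needs_migration(sample) else "OK to upgrade"
        print(f"{label}: nextroot {parse_ipcheck(sample)['nextroot']['bytes'] // 1024 ** 2}MB -> {verdict}")
    print("upgrade log shows nextroot full:",
          upgrade_failed_nextroot_full(SAMPLE_UPGRADE_LOG.splitlines()))
```

Paste the real `ipcheck` output (the snippet between the markers shown above is enough) into `nextroot_needs_migration`; a `True` result means the appliance is on an old image and the steps that follow apply.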
Step 1.
Deploy the new vESA/vSMA
Download the virtual ESA/SMA image according to the prerequisites and deploy it following the Cisco Content Security Virtual Appliance Installation Guide.
Note: The installation guide provides information about DHCP (interfaceconfig), setting the default gateway on the virtual host (setgateway), and loading the virtual appliance license file. Make sure you have read it and deployed as instructed.
Step 2.
License the new vESA/vSMA
Once the new virtual ESA or SMA is deployed, it is time to load the license file. For virtual appliances, the license is contained in an XML file and must be loaded through the CLI. In the CLI, use the loadlicense command and follow the prompts to complete the license import.
If you need more details about loading or obtaining the license file, see the following article: Best Practices for Virtual ESA, Virtual WSA, or Virtual SMA Licenses.
Step 3.
Make sure the new vESA/vSMA runs the same version as the original. If it does not, upgrade the new vESA/vSMA to the original appliance's version so that both appliances run the same version. Use the upgrade command and follow the prompts until you reach the required version.
Step 4. [vESA only, skip for vSMA]
Note: This step assumes you do not have an existing cluster. If a cluster already exists in the current configuration, simply add the new vESA to that cluster to replicate the current configuration, then remove the new machine to start the upgrade process.
Create a new cluster
On the original vESA, run the clusterconfig command to create a new cluster.
OriginalvESA.local> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2
Enter the name of the new cluster.
[]> OriginalCluster.local
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 1
What IP address should other machines use to communicate with Machine C170.local?
1. 10.10.10.58 port 22 (SSH on interface Management)
2. Enter an IP address manually
[]> 1
Other machines will communicate with Machine C195.local using IP address 10.10.10.58 port 22. You can change this by using the COMMUNICATION subcommand of the clusterconfig command.
New cluster committed: Sat Jun 08 11:45:33 2019 GMT
Creating a cluster takes effect immediately, there is no need to commit.
Cluster OriginalCluster.local
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster OriginalCluster.local)>
Step 5. [vESA only, skip for vSMA]
Join your new vESA to your original ESA cluster
From the CLI on the new vESA, run clusterconfig > Join an existing... to add the new vESA to the cluster configured on the original vESA.
NewvESA.cisco.com> clusterconfig
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3
While joining a cluster, you will need to validate the SSH host key of the remote machine to which you are joining. To get the public host key fingerprint of the remote host, connect to the cluster and run: logconfig -> hostkeyconfig -> fingerprint.
WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)
Exception:Centralized Policy, Virus, and Outbreak Quarantine settings are not inherited from the cluster. These settings on this machine will remain intact.
Do you want to enable the Cluster Communication Service on ironport.example.com? [N]> n
Enter the IP address of a machine in the cluster.
[]> 10.10.10.58
Enter the remote port to connect to. This must be the normal admin ssh port, not the CCS port.
[22]>
Would you like to join this appliance to a cluster using pre-shared keys? Use this option if you have enabled two-factor authentication on the appliance. [Y]> n
Enter the name of an administrator present on the remote machine
[admin]>
Enter passphrase:
Please verify the SSH host key for 10.10.10.56:
Public host key fingerprint: 80:11:33:aa:bb:44:ee:ee:22:77:88:ff:77:88:88:bb
Is this a valid key for this host? [Y]> y
Joining cluster group Main_Group.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster OriginalCluster.local
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
[]>
(Cluster OriginalCluster.local)>
Once connected and synchronized, your new vESA has the same configuration as the existing vESA.
Run the clustercheck command to verify synchronization and check for any inconsistencies between the machines after the upgrade.
Step 6. [vSMA only, skip for vESA]
Review the prerequisites for SMA data backup listed here.
On the appliance that must be replaced, use the CLI command backupconfig to schedule a backup to the newly deployed vSMA.
Start an immediate backup
- Log in to the original SMA CLI as admin.
- Enter backupconfig.
- Choose schedule.
- Enter the IP address of the new machine to which the data will be transferred.
- The "source" SMA validates that the "target" SMA exists and makes sure the target SMA has enough space to accept the data.
- Choose 3 (Start a single backup now).
- Enter view or status to verify that the backup was scheduled successfully.
Note: The time needed to complete the data backup varies with data size, network bandwidth, and similar factors.
Once the backup completes, the new vSMA has received all data from the previous SMA.
To configure the new machine as the primary appliance, see the steps outlined here.
Step 7.
If you need to deploy more than one ESA/SMA, repeat Steps 1 through 6.
Related Information
Cisco Content Security Virtual Appliance Installation Guide
ESA Cluster Requirements and Setup
SMA End User Guide