
How to replace C670 appliance with C690

pbabu6001
Level 1

I am going to replace a C670 appliance with a C690 IronPort appliance. Could you please provide a step-by-step document or video to complete this? We actually have 4 C670 appliances in our environment with an M1070.

-C670 appliances are running with 9.7.1-066 version and M1070 at 9.6.0-051.


Libin Varghese
Cisco Employee

Hi,

In order to move configuration from one appliance to another, both devices should be on the same Async OS release.

You would need to start by upgrading the appliances so that they are on the same Async OS version.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117793-technote-esa-00.html

The configuration file can be exported from the GUI System Administration -> Configuration File.

Note: Please ensure the configuration file is exported with passwords unmasked.

Alternatively, you could also add a device to an existing cluster to copy over the cluster level configuration.

Steps to import the configuration file are available below:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117841-technote-esareplace-00.html

For appliances of different models such as x70 and x90 series in your scenario, when importing the configuration file between different models of appliances, you will frequently receive errors. These are caused by differences in available Ethernet ports, and database sizes for tracking and reporting.

You will need to make some manual modifications to the file in order for it to import:

1. Export the configuration file from both the source and destination ESAs. Be sure to uncheck the 'Mask passwords' option.
2. Open both configuration files in a text editor
3. Find the following entries in both configuration files, and copy the values from the destination appliance's configuration file to the source configuration file:
   <db_environment_actual_size>
   <tracking_global_max_db_size>
4. If the appliances have a different number of Ethernet interfaces, you will need to completely remove the following sections from the source configuration file:
   <ethernet_settings> ... </ethernet_settings>
   <ports> ... </ports>
5. Save a copy of the modified source configuration file
6. Import the modified configuration file on the destination appliance
7. Commit the changes

Only configuration files are transferred between ESAs. All local logs, tracking, reports, quarantines, etc. would need to be moved to the SMA or pushed to syslog/scp servers.

Thank You!
Libin Varghese
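
Steps 3 and 4 above as a script (an added example, not part of the original reply and not a Cisco tool). It edits the text in place instead of re-serializing the XML, and it assumes each tag appears without attributes and is not nested in itself; the function names and the sample fragments are illustrative.

```python
import os
import re

# Tag names are the ones listed in steps 3 and 4 of the reply above.
COPY_FROM_DEST = ("db_environment_actual_size", "tracking_global_max_db_size")
REMOVE_SECTIONS = ("ethernet_settings", "ports")

# Constructed sample fragments, not real exports; inner elements are placeholders.
SAMPLE_DEST = ("<config><db_environment_actual_size>300</db_environment_actual_size>"
               "<tracking_global_max_db_size>400</tracking_global_max_db_size></config>")
SAMPLE_SOURCE = ("<config><db_environment_actual_size>100</db_environment_actual_size>\n"
                 "<tracking_global_max_db_size>200</tracking_global_max_db_size>\n"
                 "<ethernet_settings>\n<placeholder>a</placeholder>\n</ethernet_settings>\n"
                 "<ports><placeholder>b</placeholder></ports>\n"
                 "<other_setting>keep-me</other_setting></config>")


def _element(tag):
    # Matches one <tag>...</tag> element; the body may span several lines.
    return re.compile(r"<{0}>(.*?)</{0}>".format(re.escape(tag)), re.DOTALL)


def adapt_config(source_xml, dest_xml, drop_interfaces=False):
    """Return (new_xml, changes): the source config adapted to the destination."""
    changes, out = [], source_xml
    for tag in COPY_FROM_DEST:  # step 3: take the destination's database sizes
        pat = _element(tag)
        dst, src = pat.findall(dest_xml), pat.findall(out)
        if len(dst) != 1 or len(src) != 1:
            raise ValueError(f"need exactly one <{tag}> per file, got "
                             f"source={len(src)} destination={len(dst)}")
        out = pat.sub(lambda m, t=tag, v=dst[0]: f"<{t}>{v}</{t}>", out)
        changes.append(f"{tag}: {src[0].strip()} -> {dst[0].strip()}")
    if drop_interfaces:  # step 4: only when the Ethernet interface count differs
        for tag in REMOVE_SECTIONS:
            out, n = _element(tag).subn("", out)
            changes.append(f"removed {n} <{tag}> section(s)")
    return out, changes


def write_private(path, text):
    # The export has passwords unmasked: create the copy owner-only (0600).
    # An already existing file keeps whatever mode it had.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)


if __name__ == "__main__":
    _, log = adapt_config(SAMPLE_SOURCE, SAMPLE_DEST, drop_interfaces=True)
    print("\n".join(log))
```

Check the returned change list against both exports before importing the result on the destination appliance.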

Hi,

We have almost the same issue. We are still running older IronPorts and would like to upgrade to our new C690. All appliances (C670V and C600V) are still running 8.5.7 in a cluster. The new one (C690) was delivered with 9.1.2.

Because all appliances have to be on the same AsyncOS release, we really would like to upgrade the old ones to the same AsyncOS as the new C690. Unfortunately the upgrade paths of the two are completely different. It seems like there is no match between the two series (C670+C600V and C690).

The table shows the provided upgrade opportunities:

C670/C600V C690
8.5.7-043
9.1.2-036
9.6.0-051
9.7.0-125
9.7.1-066
9.7.2-065
9.7.2-131
10.0.0-203
10.0.1-103
11.0.0-105
11.0.0-264

So is there any possibility to get to the same version, or how can we find the right AsyncOS version for our migration?

Thanks a lot.

Alex

Where did you get this table?  

If it's just from the upgrade GUI, you are only seeing the first hop. You can go to 9.7x and then upgrade again to a higher version.

10x supports the x70 appliances, as long as it's got 8gig of ram.

https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/AsyncOS_10-0_for_Cisco_Email_Security_Appliances.pdf

Hi Alex,

Async OS 9.7.2-131 and 9.7.2-065 are general deployment releases that appear to have an upgrade path for both x90 and x70 models and can be used for migration of configuration in your scenario.

https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7-2_Release_Notes.pdf

ESAs have a step-by-step upgrade.

x90 -> 9.1.2-036 -> 9.7.2-131

x70 (8GB RAM required) -> 8.5.7-043 -> 9.7.1-066 -> 9.7.2-131

Regards,

Libin Varghese

Hi Ken, Hi Libin,

Thank you both for your quick reply. Yes, right: I made the table just from the upgrade GUI, from the options the ESAs provide me.

I was just wondering, because of the big step from 8.5.7 to 9.6.0 and 9.1.2 to 9.7.2.

But if 9.7.2-131 will be available for both, I'll use it for the migration.

Thanks a lot!

Alex

Hi Libin,

We have almost 120 domains in our environment and would like to migrate 5 domains each time to the C690. So, could you please advise on how we can import the configuration file on the replacement ESA?

Many thanks in advance.

That depends what part of the configuration you wish to migrate.

Domains are checked on RAT, SMTP routes, incoming/outgoing mail policies, filters, etc.

It would be a manual process to configure this for some domains at a time.

- Libin V

Sure Libin, will configure manually. Could you please let us know what configurations need to be done in CLI and GUI? Many thanks.

That is the manual part, determining what you need to configure and then going through the end user guide to see how it is configured.

There is no one step configuration for a domain, instead domains are part of multiple configurations.

- Libin V

I'd do the whole config on the new ESAs. All the routing, everything. Then test them... using something like BLAT or another command-line emailer, send mail through them, making sure it gets where it's supposed to.

Then change how the domains' mail gets routed in DNS and your email system, 5 at a time.