Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9211
Views
0
Helpful
3
Replies

How to replace C370 Email IronPort appliance?

jonathan_shaw
Level 1
Level 1

‎06-20-2011 08:16 AM

One of our email IronPort appliances has stopped working and we have now been sent the replacement device - so far this process has taken over a week - fortunately - we have a pair of these devices and we are able to run on just one - unfortunately, we have now been running at risk for over a week.

The first appliance that got sent us arrived in a state whereby we could not attach to it by either of the Management ports.

The second appliance appears to be ok but I am now left with the problem of loading up a recent copy of the configuration file.

Has anyone else had to go through this process?

The appliance that we have been sent has arrived with version 6.5 of the Async OS installed.

The latest copy of the configuration file that I have is from version 7.1.3.

From what I have been able to garner, we need to get the appliance up to the same version of OS before we can load the config on.

Is that correct?

In that case, I presume the method is to perform a partial configuration of the appliance, enough to get the connected and then perform an upgrade so that the OS versions match between appliance and config file.

Then the process will be simply to load the config file from the backup location.

Can anyone tell me if we need to connect all the network interfaces or can the OS upgrade just be done via the management interface.

Many Thanks

Jonathan

Labels:
0 Helpful
3 Replies 3

Christopher Smith
Level 4
Level 4

‎06-20-2011 12:05 PM

Hi Jonathan,

Depending on your current configuration there are 2 different methods for replacing an appliance. I will include both processes below. In either case you will need to upgrade the appliance so that it is on the same version. You can not transfer a configuration file to another appliance unless they are on the same version nor can you join a new appliance to a cluster configuration unless it is on the same version as those already in the cluster.

You can do an initial configuration using the setup wizard to get your IP address and hostname configured so you have network access, or you can simply connect to 192.168.42.42 and log in as admin to start the upgrade on the replacement appliance.

Notes:

  • The old appliance and the new appliance MUST have the same exact AsyncOS version and build.
  • This only applies to a stand-alone appliance, not one that is in a cluster.
  • This document assumes the use of the Web Interface (GUI) for all steps.

Instructions:

1)   Save the configuration from the old appliance to your local  machine.  From the GUI -> System Administration -> Configuration  File -> Download file to local computer to view or save. Be sure to  un-check the box “Mask passwords in the Configuration Files”.

2)   Get the new appliance up and running on your network. For access  by Ethernet, connect to the Management Network Port. Use a browser to  access the web-based interface on the default IP address 192.168.42.42  (username: admin, password: ironport). You can also access the command  line interface by SSH or terminal emulation software on the same IP  address. (The netmask is /24).  For Serial access, connect to the Serial  Port. Access the command line interface by a terminal emulator using  9600 bits, 8 bits, no parity, 1 stop bit (9600, 8, N, 1), flowcontrol =  Hardware.

Run the system set up wizard (SSW).  If your old appliance is dead or  already off the network, then you can use the same IP information.  If  your old appliance is still on the network, then give the new appliance a  temporary IP address.

3)   Check to make sure the new appliance is on the same version and  build of AsyncOS. From the GUI -> Monitor -> System Status.  If  they are the same, move on to step 5.  If they are not the same,  continue to step 4.

4)   If the appliances are not on the same build, upgrade the new  appliance to match the version of the old one.  From the GUI ->  System Administration -> System Upgrade -> Available Upgrades.  If  you see it in the list, please select it.  If it is not listed, the  specific version may need to be provisioned by Cisco IronPort Customer  Support - please call before proceeding.

Note: If the old appliance is at a version that is older than the  replacement appliance, you will need to upgrade it (if possible) to  match the new appliance.

5)   Once the appliances are verified to be at the same version, load  the configuration file to the new appliance.  From the GUI -> System  Administration -> Configuration File -> Load a configuration file  from local computer.

6)   If the configuration file loads without any errors, then you can  proceed to decommission the old appliance and edit the IP settings of  the new appliance as desired. From the GUI -> Network -> IP  Interfaces.  You may also need to edit the routing information as well  (Network -> Routing).

7)   If you get any errors when loading the new configuration file,  you can try and edit the configuration file with an XML editor and look  for the section that the error refers to.  However, if you are not  comfortable with this, please call in for support.

You should expect to receive the return shipping information in your  email within 5 business days. Please see the documentation to return the  defective unit: http://tinyurl.com/mkr2k

For cluster based appliances:::::::::::::::::::::::::::::

There are two methods to replace an appliance that is in a cluster.

The first method is to upload configuration file from the old machine to new machine and then adding back to cluster.

  1. Log  into the old appliance.   Type "clusterconfig > removemachine" to  pull the machine completely out of the existing cluster.   The  "administrative disconnect" may not suffice and may require a  "removemachine" command.
  2. Once the old machine is removed from the cluster, follow either of these steps:
    -  From the GUI interface, go to "System Administration >Configuration  File", save the configuration file to your local desktop and uncheck the  mask password box
    - Or email yourself configuration file with the passwords unmasked also.
    WARNING:    If you don't unmask the password,  the system  will not allow you to  import the configuration file into the new appliance.
  3. Proceed with going through the system setup wizard and bringing the new  appliance up with the basic configuration setup.
  4. Bring  the new system online and upgrade to the same AsyncOS as the existing  machine in the cluster.   To see the version of the existing machine,  type "version" from the command line. 
    WARNING: Before a machine can be joined to an existing cluster, it needs to be on the same AsyncOS version  and build.
  5. After  the new appliance is finished   upgrading, you can load the  configuration file from the old device that was saved earlier.   This is  done on the System Administration >Configuration File page in the  GUI.
  6. Commit your changes.
  7. Add the new machine to the  cluster and it will inherit the cluster settings while retaining any  specific machine setting that it needs (i.e   network interface)

The  second method is to add the new machine to the existing cluster to  inherit the cluster settings while retaining any specific machine  setting that it needs (i.e network interface).

  1. Log  into any appliance still in the cluster.   Type "clusterconfig >  removemachine" to remove the faulty machine completely out of the  existing cluster.   The "administrative disconnect" may not suffice and   may require a "removemachine" command.
  2. Shutdown old appliance that needs replacement.
  3. Bring  the new appliance up with the basic configuration setup by going  through the system setup wizard and make sure it has same IP as the old  appliance.
  4. Also, make sure the interface and listener names same as the ones in the cluster.
  5. From  the new appliance, issue the “clusterconfig” command to join the  existing cluster. You can choose to join the cluster over SSH or over  CCS (cluster communication service).

ironport.example.com> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

In order to join a host to an existing cluster, you must:

  • Be able to validate the SSH host key of a machine in the cluster
  • Know  the IP address of a machine in the cluster and be able to connect to  this machine in the cluster (for example, via SSH or CCS)
  • Know the administrator password for the admin user on a machine belonging to the cluster.
  • Host should  be able to resolve  forward and reverse DNS lookup

Contact support if you have any questions/concerns.

Christopher C Smith

CSE
Cisco IronPort Customer Support

0 Helpful

jonathan_shaw
Level 1
Level 1
In response to Christopher Smith

‎06-21-2011 04:49 AM

Hi Christopher

Thanks for that very informative and helpful reply.

I have been able to load the config file on to the replacement appliance now.

Just one more question relating to License Keys.

Somewhere in our communications with Cisco Support, there has been mention of sending us some Appliance License Keys and that these should be with us within three days of shipping.

Do we need these keys?  Are they tied in with the appliance in some way and do we need to install them before we can start to use the IronPort appliance again?

Regards

Jonathan

0 Helpful

Sebastian Amting
Cisco Employee
Cisco Employee
In response to jonathan_shaw

‎06-21-2011 05:06 AM

Hi Jonathan,

the appliance should automatically apply the feature keys.

You can check the feature key status under 'System Administration' -> 'Feature Keys' on the GUI

I checked the feature key status of your C370 appliances in our database and they have been transferred to your replacement unit.

If the appliance did not automatically load the correct feature keys, please let me know and we can send you a copy to apply manually.

edit: Looks like Mark just sent you the keys via the ticket we currently have open

Cheers

Sebastian

--

Sebastian Amting

Team Lead

Cisco IronPort Customer Support

0 Helpful
Customers Also Viewed These Support Documents