03-21-2017 01:18 PM
I am going to replace C670 appliance with C690 IronPort appliance. Could you please provide a step by step document or video to complete this. Actually we have 4 C670 appliances in our environment with M1070.
-C670 appliances are running with 9.7.1-066 version and M1070 at 9.6.0-051.
03-21-2017 01:40 PM
Hi,
In order to move configuration from one appliance to another, both devices should be on the same Async OS release.
You would need to start by upgrading the appliances so that they are on the same Async OS version.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117793-technote-esa-00.html
The configuration file can be exported from the GUI System Administration -> Configuration File.
Note: Please ensure the configuration file is exported with passwords unmasked.
Alternatively, you could also add a device to an existing cluster to copy over the cluster level configuration.
Steps to import the configuration file are available below:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117841-technote-esareplace-00.html
For appliances of different models such as x70 and x90 series in your scenario, when importing the configuration file between different models of appliances, you will frequently receive errors. These are caused by differences in available Ethernet ports, and database sizes for tracking and reporting.
You will need to make some manual modifications to the file in order for it to import:
1. Export the configuration file from both the source and destination ESAs. Be sure to uncheck the 'Mask passwords' option
2. Open both configuration files in a text editor
3. Find the following entries in both configuration files, and copy the values from the destination appliance's configuration file to the source configuration file:
<db_environment_actual_size>
<tracking_global_max_db_size>
4. If the appliances have a different number of Ethernet interfaces, you will need to completely remove the following sections from the source configuration file:
<ethernet_settings> ... </ethernet_settings>
<ports> ... </ports>
5. Save a copy of the modified source configuration file
6. Import the modified configuration file on the destination appliance
7. Commit the changes
Only configuration files are transferred between ESAs. All local logs, tracking, reports, quarantines, etc. would need to be moved to the SMA or pushed to syslog/scp servers.
Thank You!
Libin Varghese
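Steps 3 and 4 of the reply above, scripted as an added example that is not part of the original reply and is not Cisco tooling. It assumes the four elements appear as plain `<tag>...</tag>` pairs without attributes; the sample strings and their inner elements are constructed, and the output is written with mode 0600 because an unmasked export contains passwords.

```python
import os
import re

COPY_FROM_DEST = ("db_environment_actual_size", "tracking_global_max_db_size")
STRIP_SECTIONS = ("ethernet_settings", "ports")

# Constructed stand-ins for two exports; only the four tag names come from the post.
SAMPLE_SOURCE = """<config>
  <db_environment_actual_size>1000</db_environment_actual_size>
  <tracking_global_max_db_size>2000</tracking_global_max_db_size>
  <ethernet_settings>
    <item>a</item>
  </ethernet_settings>
  <ports>
    <item>b</item>
  </ports>
  <other_setting>kept</other_setting>
</config>
"""
SAMPLE_DEST = """<config>
  <db_environment_actual_size>5000</db_environment_actual_size>
  <tracking_global_max_db_size>8000</tracking_global_max_db_size>
</config>
"""

def adapt_config(source_xml, dest_xml, strip_interfaces=True):
    """Apply steps 3 and 4 to source_xml; return (new_text, list_of_changes)."""
    out, changes = source_xml, []
    for tag in COPY_FROM_DEST:
        pat = re.compile(r"<%s>(.*?)</%s>" % (tag, tag), re.DOTALL)
        dest = pat.search(dest_xml)
        if dest is None or pat.search(out) is None:
            raise ValueError("<%s> missing from one of the files" % tag)
        # Text-level edit: everything outside the matched element is left untouched.
        out = pat.sub(lambda m: dest.group(0), out, count=1)
        changes.append("%s=%s" % (tag, dest.group(1).strip()))
    for tag in STRIP_SECTIONS if strip_interfaces else ():
        pat = re.compile(r"[ \t]*<%s>.*?</%s>[ \t]*\n?" % (tag, tag), re.DOTALL)
        out, n = pat.subn("", out)
        if n:
            changes.append("removed <%s> x%d" % (tag, n))
    return out, changes

def write_private(path, text):
    """Save with mode 0600: an unmasked export contains passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tighten a file that already existed
```

Review the returned change list before importing, and delete the unmasked exports from the workstation once the destination appliance has committed.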
03-21-2017 01:53 PM
Thank you Libin!
We are using SMA to save Message tracking and spam quarantine and I would like to take the backup of Mail_logs and policy, virus and outbreak quarantines. Let me know what are the other important things which I need to take backup?
Could you please explain how to move to SMA or pushed to syslog/scp servers as this is new thing to me?
03-21-2017 02:07 PM
The article below explains configuring scp push for mail_logs on the appliance.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html
You can choose to set this up for all available logs on the appliance or the major ones of your choice. This would require understanding and knowledge of linux servers to set up a server to receive the logs from the ESA.
You could also FTP/SCP using an application such as WinSCP to the interface of the appliance and manually download copies of the logs to your computer of choice.
Install WinSCP and connect to the IP of the appliance using FTP.
Note: FTP access must be enabled on the interface under Network -> IP Interfaces for this to work.
This would allow you access to the configuration directory of the appliance which has all the logs stored.
- Libin V
03-29-2017 12:19 PM
I would like to know on how to import End user Safelist/Blocklist file to new appliance from old appliance.
03-29-2017 12:24 PM
Go to System Administration/Configuration File menu, there's a section to back it up and restore it.
Back it up on the C670, copy it from the 670 using FTP (it's in the configuration directory), then copy it to the 690 using FTP (put it in the configuration directory), then you can restore it on the 690.
08-29-2017 01:11 PM
You can back up the SLBL for the ESA from System Administration -> Configuration File.
Scroll to the End-User Safelist/Blocklist Database (Spam Quarantine) section.
The appliance saves a .csv file to the /configuration directory of the appliance using the following naming convention:
slbl<serial number><timestamp>.csv
You can FTP to the appliance to retrieve the file and then send it to the replacement appliance over FTP as described in the below article.
Regards,
Libin Varghese
08-14-2017 11:16 AM
Hi Libin,
We have almost 120 domains in our environment and would like to migrate 5 domains each time to C690. So, could you please advise on how we can import the configuration file on the replacement ESA?
Many thanks in advance.
08-14-2017 08:23 PM
Hi there,
There is nothing preventing you from having all 120 domains in the configuration file on the new appliance, and redirecting Mail Exchanger records 5 domains at a time when you're ready. I would recommend to cluster the old and the new appliance, synchronise their configuration, and then gradually port MXs to new hostname.