SMA migration - From M670 to M600v

We are running an old M670 appliance for our email security setup. Collecting logfiles, message tracking etc. Also hosting all quarantines. Connected to it are two clusters of two C600v machines each. (The M670 is the only physical appliance left.)

We want to migrate this EOL M670 to a virtual M600v.

 

What is the recommended way of doing this? I've been searching in the community and in the documentation. So far I've come up with this:

  • create new virtual SMA, with new IP addresses.
  • create firewall rules functionally identical to the old physical.
  • disable all central services on all ESAs
  • remove all ESAs from the old SMA
  • backup from old SMA to new SMA (with all data)
  • attach all ESAs to the new SMA
  • enable all central services on all ESAs
  • update DNS for end users accessing the new quarantine.

Any remarks?

 

Henk Fictorie - Ulrich


Cristian Matei
VIP Alumni

Hi,

 

The migration is smoother than that; look in the Configuration Guide for the "Backing Up Security Management Appliance Data" section. For some examples, use the following guides:

 

https://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/117840-problemsolution-sma-00.html

https://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118441-technote-sma-00.html

 

Regards,

Cristian Matei.

 

ppreenja
Cisco Employee
Hello Henk Fictorie - Ulrich,

You would be required to do migration of the configuration on both SMAs. Moving the configuration file involves the same process as between two physical appliances.

Both appliances would need to be on the same Async OS version.

The configuration file would need to be exported with passwords unmasked so that the import can be performed.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117841-technote-esareplace-00.html

You may need to remove the interface and Ethernet parts from the configuration file if there are any errors at the time of importing the configuration due to the difference in the number of ports/interfaces between the two models. Please find below a few high level steps:

SMA Migration High Level Steps:
===========================

i. Build Virtual SMA
   a. DNS Name resolution
      i. Get DNS record created (A + PTR)
      ii. Get Certificate
   b. Ensure AsyncOS version of the source and target Security Management appliances must be the same.
   c. Deploy virtual appliance
   d. Configure interface settings
   e. Upgrade current SMA to Version same as of Virtual SMA
   f. Prevent the target application from pulling data directly from managed appliances
      i. Access the command-line interface of the target appliance
      ii. Run the suspendtransfers command.
      iii. Wait for the prompt to reappear.
      iv. Run the suspend command.
      v. Wait for the prompt to reappear.
      vi. Exit the command-line interface of the target appliance.
   g. Cancel scheduled configuration publishing job on backup/target appliances
      i. Run the suspendtransfers and suspend commands on the backup/target appliance.
ii. Validate & Manage Disc space
   a. On source machine run backupconfig and select Verify
   b. Enter a name and IP address of target system and press enter
   c. Review results and ensure no issues are reported
iii. Take SMA backup to Virtual SMA
   - There will be minor disruption during Phase 2 of backup, at this time delta's are backed up
   - During the backup, data availability reports may not work, and when viewing the message tracking results, the hostname for each message may be labeled as ‘unresolved’.
   a. Initiate full backup from the old/primary/source appliance.
   b. Wait for the backup to complete.
   c. Run the suspendtransfers and suspend commands on the old/primary/source appliance.
   d. Run a second backup to transfer last-minute data from the old/primary/source to the new/backup/target appliance.
iv. Promote Virtual SMA as Active
   a. Save a copy of the configuration file from your old/primary/source appliance
   b. Run the System Setup Wizard on the new/backup/target appliance.
   c. Import the configuration file into the new/backup/target appliance.
   d. Run the resumetransfers and resume commands on the new/backup/target appliance.
      *Do NOT run this command on the old/original primary/source appliance.
   e. Establish the connection between the new/backup/target appliance and the managed email security appliances:
      i. Select Management Appliance > Centralized Services > Security Appliances.
      ii. Click an appliance name.
      iii. Click the Establish Connection button.
      iv. Click Test Connection.
      v. Return to the list of appliances.
      vi. Repeat for each managed appliance.
v. Verify that the new/target appliance is now functioning as the primary appliance:
   a. Select Management Appliance > Centralized Services > System Status and check the status of data transfers.
vi. Monitor virtual SMA for couple of weeks

I hope the above helps.

Cheers,
Pratham
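
Added example (not part of the post above and not a Cisco tool): one way to do the "remove the interface and Ethernet parts" edit on an exported configuration file without disturbing the rest of it, and to write the result with owner-only permissions because the export carries unmasked passwords. The element names `interfaces` and `ethernet_settings` and the sample XML are assumptions constructed for illustration; check the tag names in your own export.

```python
import os
import re
import xml.etree.ElementTree as ET

# Assumed element names; confirm against your own exported file before use.
ASSUMED_SECTIONS = ("interfaces", "ethernet_settings")

# Constructed sample, not a real AsyncOS export.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE config SYSTEM "config.dtd">
<config>
  <hostname>sma-old.example.test</hostname>
  <interfaces>
    <interface><ip>192.0.2.10</ip></interface>
  </interfaces>
  <ethernet_settings/>
  <users><user><name>admin</name><password>EXAMPLE-ONLY</password></user></users>
</config>
"""

def strip_sections(xml_text, tags=ASSUMED_SECTIONS):
    """Remove whole <tag>...</tag> (or <tag/>) sections as text, so the XML
    declaration, DOCTYPE and every other line stay exactly as exported.
    Does not handle a section nested inside another of the same name."""
    removed = {}
    for tag in tags:
        t = re.escape(tag)
        pat = re.compile(
            rf"[ \t]*<{t}(?=[\s/>])[^>]*?(?:/>|>.*?</{t}\s*>)[ \t]*\n?", re.S)
        xml_text, removed[tag] = pat.subn("", xml_text)
    ET.fromstring(xml_text)  # raises ParseError if the result is not well-formed
    return xml_text, removed

def write_private(path, text, encoding="utf-8"):
    """Create the file with mode 0600 and refuse to overwrite: the export
    holds unmasked passwords, so it must not be group/world readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding=encoding) as fh:
        fh.write(text)

if __name__ == "__main__":
    cleaned, counts = strip_sections(SAMPLE)
    print(counts)   # sections removed per tag
    print(cleaned)
```

A count of 0 for a tag means nothing matched, which usually indicates the assumed element name does not match the export.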

Hi ppreenja, thanks for the extensive steps. Just one question. You mention in one of the final steps to establish the connection between the new SMA and the ESAs. Shouldn't I disconnect the ESAs from the old SMA first?

 

kind regards Henk

Hello Henk,

You can disconnect the ESAs from the old SMA; however, since everything is suspended on the old SMA, no data will be received at the old SMA. Hence, you can directly start configuration for the new SMA and ESAs. I hope this answers the query.

Cheers,
Pratham

Hi Ppreenja,

 

Appreciate the detailed high level steps that you provided, as I also have a similar migration going on.

I just wanna check with you regarding phase 2 of the backup. Is there an option to choose to begin phase 2?

Is there an estimate of how long the disruption will last? We need to plan the downtime needed for the maintenance window.

 

Thank you.

 

Best regards

Raymond
