Upgrade Ironport Cluster (12 Devices)

justinus.budi
Level 1

Hello, I want to upgrade 12 IronPort devices in a single cluster. The cluster has 2 groups: Group A (2 members) and Group B (10 members).

Are there any suggestions on how to upgrade the IronPort? I know that the IronPort will disconnect from the cluster and join the cluster again after all devices have the same OS version. I am just curious what happens if the customer wants to change some policy while the IronPort is disconnected from the cluster. What will happen when the IronPort rejoins the cluster?

Thanks

Accepted Solutions

Question:
Thank you for your reply. What happens if, after I upgrade, I connect the IronPort to the cluster? Can the upgraded IronPort rejoin the cluster?

Answer:
My favorite method to achieve this whole upgrade of the cluster.
I prefer the CLI over the web UI, as the upgrade action gives better feedback, logging progress in the CLI.


1. Log in to each ESA and initiate the “download only” option for the AsyncOS version you choose.

* It makes everything more efficient.
* No impact at this time.
* Save one copy of the configuration “encrypted” to your computer.
* CLI > clustercheck

  i. Clustercheck checks for discrepancies within the cluster and prompts with choices.

  ii. The content of these messages is very ambiguous and involves non-visible settings. They look something like this > esa1 has an invalid config at (here). Would you like to sync esa1 to the rest of the cluster. (YES)

* If you experience too many alerts for clustercheck and are confused, open a ticket.


2. The upgrade (CLI).

* Step through the upgrade command and verification stage.
* If the download is still in progress, the option ‘downloadstatus’ will share a percentage complete.
* If the download has already completed, the option “install” will be present.
* Once you type install…

  i. Cluster disconnect notification

  ii. Do you want to backup and mail the config y/n

  iii. Start.

  iv. When the upgrade is complete there will be a prompt asking if you would like to reboot.

  v. Once it starts, press the “enter key” 2 more times. Why? People forget step iv above and never reboot. If you do this, the system will auto-reboot when completed.

* Post upgrade

  i. I like to ping the host while it reboots to know when it comes to life.

  ii. Login prompt may take another minute or two to display.

  iii. Login > clusterconfig

  * You will receive a message stating you are disconnected, would you like to reconnect to the cluster. Y

  This should be performed for each host post upgrade. All 12 hosts.

  iv. As you progress through 2, 3, 4 machines, check > clusterconfig > connstatus

  v. The more machines you complete, the more machines show converged within this ‘connstatus’ view.

  vi. “Post upgraded hosts,” you may run this command > cli > clusterconfig > RECONNECT

  * If the post upgraded hosts have not sync’d, this command “cli > clusterconfig > RECONNECT” will display those hosts by number, you may select the host to initiate the reconnection action.

* POST upgrade final

  i. Repeating from above. Log in to each host and execute cli > clusterconfig, accept the prompt to reconnect.

  ii. CLI > clusterconfig > connstatus

  iii. CLI > clusterconfig > reconnect

  * Are any hosts listed?
  * Select the host by number
  * Repeat if there are multiple hosts.

Final Actions

Perform 2 commands:

* clusterconfig > connstatus
* clustercheck

Problems >>> Open TAC Case.

Thank you,
Chris A.



When machines aren't connected to the cluster, they don't get changes made to the cluster, and any changes made to them will get overwritten by the cluster config when they rejoin.


If you have to make changes in the middle of upgrading them, you'll have to make it to all of them that are disconnected, plus one that's still connected to the cluster so that all of the current cluster members get updated. Keep in mind, you'll eventually have all of them disconnected at some point before you can connect the first one of the new version back to the cluster.


What I don't know is what happens if you have to make a change while all of them are disconnected: which config will the cluster get when you reconnect the first box? The config of the first one that reconnected to the cluster? Or is there a "cluster configuration" held separately that would get applied to the first one?

The safest way would be as soon as your last box is disconnected, I'd start reconnecting the other boxes to the cluster, and THEN make any change you needed.


justinus.budi
Level 1

Thank you for your reply. Based on my understanding, when I upgrade the first IronPort, all the cluster members will be disconnected from the cluster. Is that correct?

Can I rejoin the IronPort that is already upgraded and keep the remaining IronPorts that haven't been upgraded disconnected from the cluster?

Thanks

I honestly don't remember if it disconnects all of them or not.

I'm pretty sure you can start reconnecting them after they have been upgraded...

My cluster is only 2 boxes so I haven't had a chance to play with these nuances...



balaji.bandi
Hall of Fame

As I remember, in the cluster it disconnects, but that should not stop your traffic flows.

Here is some reference:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118266-technote-esa-00.html

 

BB


So I'm at CiscoLive and was able to stop and talk to a TAC engineer about your question.

 

When you upgrade it just disconnects the box you're upgrading.

 

If you have to make a change midstream, you have to change it on each disconnected box, plus one of the still clustered boxes.  

 

Cluster config is SEPARATE from machine config, so if you have to do this, you want to pick a box that will be the last one disconnected and the first one reconnected, as the cluster copy on the first one reconnected becomes the live cluster config.
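
The reconnect-order effect described in the reply above, as an added example that is not part of the original thread and not Cisco code. It is a toy model that assumes the behaviour exactly as stated there (each disconnected box keeps its own cluster copy, and the first box to reconnect supplies the live cluster config); the host names and the `outgoing_policy` key are hypothetical.

```python
# Toy model of the behaviour described in the replies above (an assumption,
# not AsyncOS code): disconnected boxes keep their own copy of the cluster
# config, and the first box to reconnect supplies the live cluster config.

def rolling_upgrade(hosts, change, apply_on, first_back):
    """Simulate a rolling upgrade with one mid-stream change.

    hosts      -- upgrade order; the last host is the last one disconnected
    change     -- (key, value) made while only the last host is still clustered
    apply_on   -- hosts the admin makes the change on
    first_back -- host reconnected first once every box is upgraded
    Returns (configs while disconnected, config of every host after rejoin).
    """
    live = {"outgoing_policy": "v1"}            # constructed sample config
    copies = {}
    # Upgrade all but the last host: each takes a snapshot as it disconnects.
    for host in hosts[:-1]:
        copies[host] = dict(live)
    # Mid-stream change: the last host is the only one still clustered.
    key, value = change
    for host in apply_on:
        if host == hosts[-1]:
            live[key] = value                   # reaches connected members only
        else:
            copies[host][key] = value           # manual edit on a disconnected box
    # The last host disconnects for its own upgrade, carrying the live copy.
    copies[hosts[-1]] = dict(live)
    during = {h: dict(c) for h, c in copies.items()}
    # Reconnect: the first box back supplies the cluster config; every box
    # that joins afterwards is overwritten by it.
    live = dict(copies[first_back])
    after = {host: dict(live) for host in hosts}
    return during, after


def stale_hosts(configs, change):
    """Hosts whose config does not contain the intended change."""
    key, value = change
    return sorted(h for h, c in configs.items() if c.get(key) != value)


if __name__ == "__main__":
    hosts = ["esa1", "esa2", "esa3"]            # hypothetical host names
    change = ("outgoing_policy", "v2")
    for apply_on, first in [(["esa3"], "esa1"), (["esa3"], "esa3"), (hosts, "esa1")]:
        during, after = rolling_upgrade(hosts, change, apply_on, first)
        print(apply_on, first, "stale during:", stale_hosts(during, change),
              "stale after:", stale_hosts(after, change))
```

In the first case the change is lost cluster-wide because a box with a stale copy reconnects first; in the second it survives, but the already-disconnected boxes handled mail under the old policy until they rejoined.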

 

 

Thank you for your reply. What happens if, after I upgrade, I connect the IronPort to the cluster? Can the upgraded IronPort rejoin the cluster?

 

Thanks

justinus.budi
Level 1

I have another question. My cluster has 12 members: 2 members in Group 1 and 10 members in Group 2. Each group has a different bounce profile and outgoing mail policies. After I reconnect the members to the cluster, what will happen to the specific group configuration?

 

Thanks