Upgrade path for Ironports

shaun.smith1 · ‎09-18-2015

Hi,

I am looking for some documentation to support an upgrade for our Ironport C370's from 7.1.5-102 to 8.5.6.113

As this is a fairly old version I'm not sure if we can upgrade directly, also will there be issues with any of the existing data and settings during the upgrade?

Please could you point out the link to download the appropriate software?

Thanks,

Shaun.

Philippe Boeij · ‎09-18-2015

Hi Shaun,

recently I did upgrades starting with even older version.

If you have a cluster, start with 1 node, suspend the listeners. Take the most recent version from the upgrade path presented and repeat the install until the Ironport is at the desired version.

Resume the listeners and suspend the listener on the other node.Test the mailflow with the new software. If all is working fine, upgrade the first node too. When finished upgrading, resume the mailfow and reconnect both to the cluster.

Up until now I never had issues with upgrading the firmware this way.

regards,

Philippe

shaun.smith1 · ‎09-20-2015

Hi Guys,

Thank you very much for the useful info, I will follow the upgrade path and report back, we have quiet a lengthy change management process so could take some time!

Thanks again!

Shaun.

shaun.smith1 · ‎10-01-2015

Hi All,

As of yesterday I have upgraded one of our Ironports from phoebe-7-1-5-102 --> phoebe-7-6-3-019 --> phoebe-8-5-6-106 and so far the only issue is the graphs not displaying correctly as of upgrading to 8-5-6-106 this seems to only be in I.E so not sure if its a java issue or something along those lines?

I still need to complete our upgrade by going to phoebe-8-5-6-113 although the next available upgrade is 8-5-7 is there any way to select 8-5-6-113 as this is recommended as this is the version of our other systems?

Thanks,

Shaun.

Robert Sherwin · ‎10-01-2015

IE is known to have GUI issues - and if available, just try to use Firefox/Chrome. In later version, the GUI has an option for IE compatibility mode, which may help w/ the issues you see: System Administration > General Settings

-Robert

Cheers,
Robert Sherwin

shaun.smith1 · ‎10-01-2015

Hi Robert,

Thanks for your speedy response, I tried that setting you suggested and worked, I'll schedule our final upgrade to 8-5-7 for early next week and let you know how I get on,

Cheers,

Shaun.

shaun.smith1 · ‎10-01-2015

Hi, another question,

Is there a way to rollback any of the upgrades to a previously installed version, if we have any issues when we do our "live" systems I need to have this option, currently the upgrade path will only show later versions which is understandable,

Thanks,

Shaun.

Robert Sherwin · ‎10-02-2015

Yes - revert is the command to use. Before you would do that - I would #1) assure that you have a previously saved copy of the configuration you are rolling back to, #2) enable FTP to the appliance, and assure that you have all/any configurations, logs, etc.. Revert will wipe any/all previous configuration and log files. So, once the revert process is done - you'll need to load the old configuration manually, or you'll reconfigure from scratch.

From User Guide, 33-31:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-6/ESA_9-6_User_Guide.pdf

Using the revert command on a appliance is a very destructive action. This command destroys all configuration logs and databases. Only the network information for the management interface is preserved--all other network configuration is deleted. In addition, reversion disrupts mail handling until the appliance is reconfigured. Because this command destroys network configuration, you may need physical local access to the appliance when you want to issue the revert command. Caution You must have a configuration file for the version you wish to revert to. Configuration files are not backwards-compatible.

-Robert

Cheers,
Robert Sherwin

Robert Sherwin · ‎09-18-2015

You should be following this path - as it would require 3 upgrades to get to the needed 8.5.6-113 revision:

phoebe-7-1-5-102 --> phoebe-7-6-3-019 --> phoebe-8-5-6-106 --> phoebe-8-5-6-113

If you upgrade per this path, your configuration will roll forward w/ each hop without issue.

You would be just running upgrade on the CLI, or System Administration > System Upgrade and then choosing Upgrade Options...

There would not be a download point for the software, unless you are running a local upgrade server.

You can always check what your appliance sees and packages from the following:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117806-configure-esa-00.html

Using the manifest check:

http://updates.ironport.com/fetch_manifest.html

*Note - you would need to enter in "phoebe-7-1-5-102" as the Base release tag.

For upgrade info:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117793-technote-esa-00.html

-Robert

Cheers,
Robert Sherwin

Ben Artuso · ‎09-30-2015

What a great and timely post. I am currently in the process of looking at doing some upgraded on a clustered pair of C170 running

7.5.2-014.

So this was some great information on the upgrade path! Saves me having to research it.

I am just in the process of reviewing the release notes, but was wondering if there are any huge changes between the older 7.X releases and 8.X?

Robert Sherwin · ‎10-01-2015

GUI, background memory/CPU/resource utilization, enhancements to over all engines and ability to get newer libraries...

Worthwhile investment to upgrade off 7.x.

-Robert

Cheers,
Robert Sherwin

Michael Donaldson · ‎11-09-2015

Hi Robert,

I'm currently in the process of planning an upgrade on my pair of C170's from 7.5.2-014. Are you able to confirm my current upgrade path is accurate:

phoebe-7.5.2-014 --> phoebe-7-6-2-014 --> phoebe-7-6-3-019 --> phoebe-8-5-6-106

I'm also considering moving to 9.6.0-42, is this worth the extra upgrade step? Finally, one last question, on terminology, what is the difference between "phoebe" and "AsyncOS"?

Thanks,

Mike.

Ken Stieers · ‎11-09-2015

Phoebe = AsyncOS for Email

Coeus = AsyncOS for Web (WSA appliances)

Zeus = AsyncOS for Managment (SMA appliances)

I'd contemplate 9.7...

Robert Sherwin · ‎11-10-2015

So - depending on where you want to end up, possible paths are:

phoebe-7-5-2-014 --> phoebe-7-6-2-014 --> phoebe-8-0-1-023 --> phoebe-9-1-0-032 --> phoebe-9-7-0-125
phoebe-7-5-2-014 --> phoebe-7-6-1-022 --> phoebe-8-0-1-023 --> phoebe-9-1-0-032 --> phoebe-9-7-0-125
phoebe-7-5-2-014 --> phoebe-7-5-2-203 --> phoebe-8-0-1-023 --> phoebe-9-1-0-032 --> phoebe-9-7-0-125
phoebe-7-5-2-014 --> phoebe-7-6-2-014 --> phoebe-8-0-1-023 --> phoebe-8-5-7-043 --> phoebe-9-7-0-125
phoebe-7-5-2-014 --> phoebe-7-6-1-022 --> phoebe-8-0-1-023 --> phoebe-8-5-7-043 --> phoebe-9-7-0-125
phoebe-7-5-2-014 --> phoebe-7-5-2-203 --> phoebe-8-0-1-023 --> phoebe-8-5-7-043 --> phoebe-9-7-0-125

You would be able to stop at 9.6, if you really wanted to... 9.6.0-052 being the GD release before the current 9.7.0-0125...

(one path for that is...)

phoebe-7-5-2-014 --> phoebe-7-6-2-014 --> phoebe-8-0-1-023 --> phoebe-8-5-7-043 --> phoebe-9-6-0-051

As Ken stated in reply - the terminology of "phoebe" is just for the ESA build name... family names for each respective product.

And, yes - I would go ahead and make the hop to 9.7.0-125. Check out the release notes if you have not already.

-Robert

Cheers,
Robert Sherwin

Michael Donaldson · ‎11-10-2015

Great - thanks very much!