
Can't login to Cisco ESA C370 after upgrade

az
Level 1

Hi all,

Yesterday we received an RMA-ed Cisco ESA C370, which came with version 7.1.5-104, and I decided to upgrade to version 8.0.1 (this was the latest version available). After the upgrade I'm unable to log in to the device. The error I'm receiving is:

 

"AsyncOS 8.0.1 for Cisco IronPort C370 build 023

Welcome to the Cisco IronPort C370 Messaging Gateway(tm) Appliance
ERROR: "'displayalerts'" is not in the permissions dictionary in the config file system.users/data.cfg.
Please re-update your configuration files. " 

 

and after a few attempts to log in, I get this error:

 

AsyncOS 8.0.1 for Cisco IronPort C370 build 023

Welcome to the Cisco IronPort C370 Messaging Gateway(tm) Appliance
ERROR: "'outbreakconfig'" is not in the permissions dictionary in the config file system.users/data.cfg.
Please re-update your configuration files.

 

I can ping the device, but SSH and web access do not work. Only the console is working. Any ideas what to do?

15 Replies

balaji.bandi
Hall of Fame

If this is a production device and you have a service outage, raise a TAC case as P1 to investigate and fix it as soon as possible.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is an RMA device sent from Cisco and it's in a lab environment now, because I need to upgrade it to version 11.0.0 and then replace the production device.

So can you explain more so that we can assist here?

What is the production version, and which version was the backup config taken from?

BB


The version of the production device is 11.0.0-105. The device in my lab environment has a basic configuration (default address 192.168.42.42). I have a production configuration, but I will not put it on the new device before upgrading to 11.0.0-105.

Here are the steps you need to follow to upgrade and put it back into production.

You can do an initial configuration using the setup wizard to get your IP address and hostname configured so you have network access, or you can simply connect to 192.168.42.42 and log in as admin to start the upgrade on the replacement appliance.

 

Notes:

 

  • The old appliance and the new appliance MUST have the same exact AsyncOS version and build.
  • This only applies to a stand-alone appliance, not one that is in a cluster.
  • This document assumes the use of the Web Interface (GUI) for all steps.

 

Instructions:

1) Save the configuration from the old appliance to your local machine. From the GUI -> System Administration -> Configuration File -> Download file to local computer to view or save. Be sure to un-check the box “Mask passwords in the Configuration Files”.

2) Get the new appliance up and running on your network. For access by Ethernet, connect to the Management Network Port. Use a browser to access the web-based interface on the default IP address 192.168.42.42 (username: admin, password: ironport). You can also access the command line interface by SSH or terminal emulation software on the same IP address. (The netmask is /24). For Serial access, connect to the Serial Port. Access the command line interface by a terminal emulator using 9600 bits, 8 bits, no parity, 1 stop bit (9600, 8, N, 1), flowcontrol = Hardware.

Run the system setup wizard (SSW). If your old appliance is dead or already off the network, then you can use the same IP information. If your old appliance is still on the network, then give the new appliance a temporary IP address (which has internet access to get updates).

3) Check to make sure the new appliance is on the same version and build of AsyncOS. From the GUI -> Monitor -> System Status. If they are the same, move on to step 5. If they are not the same, continue to step 4.

4) If the appliances are not on the same build, upgrade the new appliance to match the version of the old one. From the GUI -> System Administration -> System Upgrade -> Available Upgrades. If you see it in the list, please select it. If it is not listed, the specific version may need to be provisioned by Cisco IronPort Customer Support - please call before proceeding.

Note: If the old appliance is at a version that is older than the replacement appliance, you will need to upgrade it (if possible) to match the new appliance.

In some cases you will not be able to get updates due to some issue; make sure Cisco has registered this device in their inventory to get updates. If it keeps failing, you need to contact Cisco TAC for this.

5) Once the appliances are verified to be at the same version, load the configuration file to the new appliance. From the GUI -> System Administration -> Configuration File -> Load a configuration file from local computer.

6) If the configuration file loads without any errors, then you can proceed to decommission the old appliance and edit the IP settings of the new appliance as desired. From the GUI -> Network -> IP Interfaces. You may also need to edit the routing information as well (Network -> Routing).

7) If you get any errors when loading the new configuration file, you can try and edit the configuration file with an XML editor and look for the section that the error refers to. However, if you are not comfortable with this, please call in for support.

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117854-technote-esa-00.html

 

Compare the config, and once you are happy with the configuration, put the ESA into production under a change/maintenance window and do some tests; keep monitoring until it is stable and working as expected in the working environment.

 

 

 

BB


I'm guessing something in the config file didn't convert correctly. I'd try a factory reset of the config.

OK, but how do I perform a factory reset of the config when I cannot log in?

Sorry. Missed that in your first message.

I fear you may have to RMA this one too... ugh!

From your description we were under the impression that you have access to the device.

Only the console is working: if so, the document below will help you to reset to factory.

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118392-technote-csa-00.html

 

If you do not have console login access either, then open a TAC case for the same.

BB


Yes, I have a console connection to the device, but I'm stuck at the login phase, so I cannot execute commands; that's why I cannot perform a factory reset. Is there a way to reset it by pressing a button? I'm really frustrated that I cannot find a Hardware Guide for this platform.

I suggest raising a TAC case to resolve this soon.

BB


OK, thank you. I will open a case and will update here.

Problem solved - new RMA.

Hello again, I'm trying to upgrade the NEW device to version 11.0.0-105 LD from 10.0.0-203 (I checked the release notes and they say that I can upgrade from my version to 11.0.0-105), but I don't see it in the available upgrades. Why is that?
