4459 Views, 25 Helpful, 8 Replies

How do you downgrade a WSA?

keithsauer507
Level 5

Hello,

 

I see an option to upgrade WSA software, but how would you downgrade it?

8 Replies

Assuming you upgraded this box from a previous version, you go to the CLI and enter “Revert”



From the online help file:




Reverting AsyncOS for Web to a Previous Version
Caution Reverting the operating system on a Web Security appliance is a very destructive action and destroys all configuration, logs, and databases. Reversion also disrupts web traffic handling until the appliance is reconfigured. Depending on the initial Web Security appliance configuration, this action may destroy network configuration. If this happens, you will need physical local access to the appliance after performing the reversion.
Note If updates to the set of URL categories are available, they will be applied after AsyncOS reversion.
Before You Begin
 • Contact Cisco Quality Assurance to confirm that you can perform the intended reversion.
 • Back up the following information from the Web Security appliance to a separate machine:
 – System configuration file (with passphrases unmasked).
 – Log files you want to preserve.
 – Reports you want to preserve.
 – Customized end-user notification pages stored on the appliance.
 – PAC files stored on the appliance.
1. Log into the CLI of the appliance you want to revert.
Note When you run the revert command in the next step, several warning prompts are issued. After these warning prompts are accepted, the revert action takes place immediately. Therefore, do not begin the reversion process until after you have completed the pre-reversion steps.
2. Enter the revert command.
3. Confirm twice that you want to continue with the reversion.
4. Choose one of the available versions to revert to.
The appliance reboots twice.
Note The reversion process is time-consuming. It may take fifteen to twenty minutes before reversion is complete and console access to the appliance is available again.
The appliance should now run using the selected AsyncOS for Web version. You can access the web interface from a web browser.





Do you know what happens to licensing when this is performed?  Have you ever done it?  Waiting on a TAC response, but your initial post was much faster.  I always love hearing from you, Ken.  You're a very good asset to the community.

The only thing that I found was that if you go back to 8.0 the virtual boxes don't give you a grace period.

I did it back when they introduced it as part of the beta, but I haven't since then. The one time I might have, I just redeployed a VM and pushed the config back on to it.





What's going on that you need to revert?






Upgraded to 10.5.2-042 to hopefully fix memory consumption, L4TM, email reporting and allow management from the Google Chrome browser.

 

Well, instead of fixing those things (which it did not - but I haven't tested email reporting yet), it introduced this bug:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi25041

 

Symptom:

HTTP/HTTPS requests matching incorrect access/decryption policies

 

Conditions:

  1. TUI/CDA authentication configured in identities
  2. AD groups configured in access policies or decryption policies

 

So the ONE thing you would EXPECT a web filter to do correctly, transparently identify users, group them and steer them into appropriate access policies... is broken.  The whole key fundamental piece of web filtering is broken, and has been broken for two months.  No, I didn't install it immediately.  It became available in February.  It's now April.  It's still out there, haven't seen any complaints on it in this forum, so thought about giving it a go.  Nope... the cornerstone of the device's functionality is broken, and Cisco continues to leave it out there and not pull the release like they should have.

 

So guess what's added to our 2019 yearly budget?  Evaluation of other solutions.  We're just tired of Cisco's "too big to fail" mentality.

UGH!



10.5.x has been a freaking nightmare. I've spoken to several people in engineering about how bad these last few releases have been.






Amen Ken,  10.5 is really bad, can't believe this hasn't been pulled from download.

 

So TAC said it's OK to do the revert command.  I did that, did not lose the IP address of the box, but I did lose the config.  I saved an unmasked-password config file prior to the update so I have it, however it won't import.

 

I get this :

Cisco Web Security Virtual Appliance S300V (10.1.0.71) - System Administration > Configuration > Configuration File

Configuration File was not loaded. Parse Error on element "https_certificate" line number 239 column 22: Error in certificate validation: Certificates signature verification failed.

 

 

Now it's in Cisco TAC's hands.  They better do everything they can to smooth this s*show over.

Cisco TAC was able to massage my previous config and get it imported.

 

A few manual steps after the revert:

Rejoin it back to the domain.

Kick the proxy service.

In the CLI, go through certconfig and choose the management certificate again.

Close browsers, reopen them back to the WSA management site... it should now be trusted.

Test going to some sites and in the CLI use grep, access_logs, put in your IP address and monitor that you are correctly identified and steered into the proper access group.

 

The licensing and IP addresses stayed intact after performing the revert.

We are back on 10.5.1-296.

Do NOT be tempted to take the upgrade that's been out since Feb.  Yes, it will bug you with "Upgrade available" in the upper right corner in the WSA management web GUI, however ignore that little temptation.  It's a very bad release and breaks the one fundamental cornerstone of web filtering.... transparently identifying users correctly.  Since it doesn't do that, access is all over the place.  Things get blocked that shouldn't be... things get allowed that shouldn't be.  People are just randomly thrown into different access policies with no regard to their AD membership and the IP-to-AD link defined in the CDA.

 

Lesson learned.
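The last post-revert step above (grep the access logs for your IP and confirm you land in the right access policy) is the same check you would want for the CSCvi25041 symptom, "requests matching incorrect access/decryption policies". The script below, added here as an example and not code from this thread or from Cisco, automates it over a batch of access-log lines: it pulls out the client IP, the authenticated user and the access policy named in the decision tag, and compares each against an expected IP-to-user-to-policy map. It assumes the default AsyncOS for Web access-log layout (timestamp, elapsed, client IP, result/status, bytes, method, URL, user, hierarchy, content type, decision tag, verdict block) and that the decision tag is ACL_DECISION-AccessPolicy-IdentificationProfile-... with hyphen-free policy names; the log lines, IPs, users and policy names are constructed for the example.

```python
"""Check that each client IP in a WSA access log is identified as the expected
user and steered into the expected access policy.

Added example, not from the thread or from Cisco. Assumptions:
  * default access-log layout: timestamp elapsed client_ip result/status bytes
    method url user hierarchy/server content_type decision_tag <verdicts...> ...
  * decision_tag = ACL_DECISION-AccessPolicy-IdentificationProfile-..., and
    policy / profile names contain no hyphens
  * SAMPLE_LOG and EXPECTED below are constructed, not real appliance output
"""
import re
from typing import Dict, List, Optional, Tuple

# Leading fixed fields only; the trailing <...> verdict block is not needed here.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'(?P<user>"[^"]*"|\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s+(?P<tag>\S+)'
)

VERDICTS = '<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -'

# Constructed sample: jdoe is correct; asmith is identified but lands in the
# wrong policy; 10.1.2.55 is never identified; 10.1.2.99 has no expectation.
SAMPLE_LOG = "\n".join([
    '1523456789.101 54 10.1.2.33 TCP_MISS/200 8187 GET http://www.example.com/ "CORP\\jdoe" DIRECT/www.example.com text/html DEFAULT_CASE_11-Engineering-CorpUsers-NONE-NONE-NONE-DefaultRouting ' + VERDICTS,
    '1523456790.202 61 10.1.2.44 TCP_MISS/200 5120 GET http://finance.example.com/ "CORP\\asmith" DIRECT/finance.example.com text/html DEFAULT_CASE_11-DefaultGroup-CorpUsers-NONE-NONE-NONE-DefaultRouting ' + VERDICTS,
    '1523456791.303 12 10.1.2.55 TCP_DENIED/403 0 GET http://www.example.org/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultIdentity-NONE-NONE-NONE-DefaultRouting ' + VERDICTS,
    '1523456792.404 33 10.1.2.99 TCP_MISS/200 900 GET http://www.example.net/ - DIRECT/www.example.net text/plain DEFAULT_CASE_11-Guests-GuestIdentity-NONE-NONE-NONE-DefaultRouting ' + VERDICTS,
])

# Expected IP -> (AD user, access policy) from the IP-to-AD mapping you trust (e.g. CDA).
EXPECTED: Dict[str, Tuple[str, str]] = {
    '10.1.2.33': ('CORP\\jdoe', 'Engineering'),
    '10.1.2.44': ('CORP\\asmith', 'Finance'),
    '10.1.2.55': ('CORP\\bjones', 'Engineering'),
}


def parse_access_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return client, user, decision, access_policy, identity, url; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group('tag').split('-')
    user = m.group('user').strip('"')
    return {
        'client': m.group('client'),
        'user': None if user == '-' else user,      # '-' means not identified
        'decision': parts[0],
        'access_policy': parts[1] if len(parts) > 1 else None,
        'identity': parts[2] if len(parts) > 2 else None,
        'url': m.group('url'),
    }


def check_steering(log_text: str, expected: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every line that disagrees with `expected`."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec['client'] not in expected:
            continue  # unparseable, or no expectation for this IP
        want_user, want_policy = expected[rec['client']]
        if rec['user'] is None:
            findings.append((rec['client'],
                             f'not identified (expected {want_user}); fell into {rec["access_policy"]}'))
        elif rec['user'].lower() != want_user.lower():
            findings.append((rec['client'],
                             f'identified as {rec["user"]}, expected {want_user}'))
        elif rec['access_policy'] != want_policy:
            findings.append((rec['client'],
                             f'{rec["user"]} steered into {rec["access_policy"]}, expected {want_policy}'))
    return findings


if __name__ == '__main__':
    for client, reason in check_steering(SAMPLE_LOG, EXPECTED):
        print(f'{client}: {reason}')
```

Feed it the output of the CLI grep (or a pulled accesslogs file) in place of SAMPLE_LOG; an identified user landing in a policy other than the one their AD group maps to, or a known workstation showing `-` as the user, is exactly the misbehaviour the thread describes, and a clean run after the revert confirms the steps above took.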

 

Just an FYI, we had an issue with 10.5.1-296 where on reboot the device would have issues finding the RAID controller and then it would attempt to revert back to a 10.1.x code and that is not possible. I do not remember the details on that, but it was bricking our S690 proxy servers over and over. We were forced to upgrade to 10.5.2.x and have had issue after issue.

 

One thing to mention is we were asked to attempt to roll back one of the boxes to 10.1.x and this worked great until I needed to SSH to the box or attach it to the SMA, and due to SSH keys changing in 10.5 and beyond I am now awaiting an RMA of this S690 once again.