25/11/2020 ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco

ESA AsyncOS Upgrade and Troubleshoot Procedure

Updated: March 24, 2020 Document ID: 118547

Contents

Introduction

Requirements

Compatibility Between ESA/SMA

Prepare to Upgrade

Download and Install the Upgrade

Upgrade on the CLI

Upgrade on the GUI

Cluster Upgrade

Troubleshoot

Related Information

Introduction
This document provides additional insight and steps associated with the upgrade process of AsyncOS for
Email Security on the Cisco Email Security Appliance (ESA).

Requirements
Ensure the appliance RAID status is READY or OPTIMAL in the System Status output. Do not initiate an
upgrade on an appliance with a RAID status of DEGRADED. Contact Cisco TAC to initiate a Return
Material Authorization (RMA) case for your appliance.
Verify if the ESA is a stand-alone appliance or in a clustered environment. If clustered, be sure to
properly review the Cluster Upgrade section of this document.
Ensure there is Internet connectivity from the ESA on port 80 and 443 with no packet inspections.
A functional DNS server(s) is required.

Compatibility Between ESA/SMA

Review the compatibility of the ESA and SMA systems before you upgrade. Older versions of AsyncOS
for Email Security might require more than one upgrade in order to get to the latest version. For
conrmation of the upgrade path and appliance provisioning, contact Cisco TAC.

Prepare to Upgrade
1. Save the XML conguration le o-box. If you need to revert to the pre-upgrade release for any
reason, you will need this le.
2. If you use the Safelist/Blocklist feature, export the list o-box.
3. Suspend all listeners. If you perform the upgrade from the CLI, use the suspendlistener command. If
you perform the upgrade from the GUI, listener suspension occurs automatically.
4. Wait for the queue to empty. You can use the workqueue command to view the number of
messages in the work queue or the rate command in the CLI to monitor the message throughput on

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html 1/5
25/11/2020 ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco

your appliance.

Download and Install the Upgrade

As of AsyncOS for Email Security version 8.0, the upgrade options are updated to now include
DOWNLOADINSTALL in addition to DOWNLOAD. This gives the administrator exibility to download and
install in a single operation, or download in the background and install later.

C370.lab> upgrade

Choose the operation you want to perform:

- DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot).
- DOWNLOAD - Downloads the upgrade image.
[]> download

Upgrades available.
1. AsyncOS 9.5.0 build 035 upgrade For Email, 2015-04-04
2. AsyncOS 9.5.0 build 067 upgrade For Email, 2015-04-22
3. AsyncOS 9.5.0 build 201 upgrade For Email, 2015-05-26 This release is for Lim
4. AsyncOS 9.6.0 build 042 upgrade For Email, 2015-07-15 this release is for Gen
[4]>

Refer to the User Guide for complete information.

Upgrade on the CLI

1. Enter the status command and make sure the listener is suspended. You should see “System status:
Receiving suspended".
2. Enter the upgrade command.
3. Choose an option for DOWNLOADINSTALL or DOWNLOAD.
4. Choose the appropriate number associated with the upgrade version desired.
5. Complete the needed questions to save the current conguration and approve the reboot when the
upgrade is applied.
6. Post-upgrade, log in to the CLI and enter resume to resume the listeners and ensure operation.
Enter the status command and conrm "System status: Online".

Upgrade on the GUI

1. Choose System Administration > System Upgrade.
2. Click Upgrade Options...
3. Choose an option for Download and install or Download.
4. Click and highlight the upgrade version desired.
5. Choose the appropriate options for Upgrade Preparation.
6. Proceed, to begin the upgrade and display the progress bar for your monitoring.
7. Post-upgrade, log in to the CLI and enter resume to resume the listeners and ensure operation:
Choose System Administration > Shutdown/Suspend > Resume (Check All).
8. In the Mail Operations section, choose Commit.

Cluster Upgrade
ESAs in a cluster will follow the same upgrade process from the CLI or the GUI as in the previous
sections, with the one exception that there will be a prompt to disconnect devices o the cluster.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html 2/5
25/11/2020 ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco

Note: You can perform the upgrade with the CLI or the GUI, but the reconnect clustercon g
commands are only available via the CLI. This document describes how to upgrade the machines
via the CLI.

Example as seen from CLI:

(Cluster my_cluster)> upgrade

This command is restricted to run in machine mode of the machine you are logged
Do you want to switch to "Machine applianceA.local" mode? [Y]> y

Example as seen from GUI:

Note:  This is an administrative disconnect only. This will stop the appliances from only syncing
conguration at the cluster level. This does not remove or alter the appliance conguration.

Complete these steps in order to upgrade ESAs that run in a cluster via the CLI:

1. Enter the upgrade command into the CLI in order to upgrade AsyncOS to a later version. When you
are asked whether you wish to disconnect the cluster, respond with the letter Y in order to proceed:

(Machine host1.example.com)> upgrade

You must disconnect all machines in the cluster in order to upgrade them. Do y
to disconnect all machines in the cluster now? [Y]> Y

2. Follow all of the upgrade prompts (reboot prompt included).

3. After all of the machines in the cluster are upgraded and rebooted, log onto one of the machines in
the cluster via the CLI and enter the clustercon g command. Reconnect them at the cluster level to
allow conguration sync and resume cluster operation.
4. Respond Yes in order to reconnect. It is not necessary to commit.

Choose the machine to reattach to the cluster. Separate multiple machines with
or specify a range with a dash.

1. host2.example.com (group Main)

2. host3.example.com (group Main)
3. host4.example.com (group Main)

[1]> 1-3

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html 3/5
25/11/2020 ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco

5. Issue the command connstatus to conrm all devices are in the cluster. Also, issue the command
clustercheck to conrm there is no inconsistency.
Cluster upgrade recommendations are:

Do not reconnect ESAs to the cluster until ALL appliances are upgraded to a matching version.
If needed, once one ESA has completed an upgrade, resume the listener, if previously suspended, and
allow it to function as a stand-alone appliance.
Do not make conguration changes or modications when ESAs are disconnected from a cluster. This
will avoid conguration inconsistencies when reconnected to cluster-level post-upgrade.
Once ALL appliances are upgraded to the same version, reconnect them at the cluster level to allow
conguration sync and resume cluster operation.

Post Checks:
If the appliances are managed by the SMA then:
Navigate to Management appliance > Centralized services > Security appliances and make sure
all services are up and the connection shows "Established".
Navigate to Email > Message tracking > Message tracking data availability and check if the status
shows OK for all ESAs.
On each appliance, enter the status command and it should show online.
Enter the displayalerts command and check for any new alerts seen after the upgrade.
If in a cluster, then the clustercheck command should not show an inconsistency and the
connstatus command should show appliances are properly congured in a cluster.
In order to verify the mail-ow, enter the tail mail_logs command into the CLI.

Troubleshoot
1. Tail updater_logs and tail upgrade_logs will also give information if there is an issue with the
upgrade.
2. If there is an issue when you download the image or when you update the antispam or antivirus it is
probably because the processes are not able to reach out and update the service engine or rulesets.
Follow the steps provided in vESA Is Not Able to Download and Apply Updates for Antispam or
Antivirus.
3. Should the upgrade fail due to network interruptions, similar errors might be seen during the
upgrade process output:

Reinstalling AsyncOS... 66% 01:05ETA.

/usr/local/share/doc/jpeg/libjpeg.doc: Premature end of gzip compressed data&col
Input/output error
tar: Error exit delayed from previous errors.
Upgrade failure.

This is typically due to a network interruption that might have occurred during the transmission of data
between the ESA and the update servers. Investigate any network rewall logs or monitor packet trac
from the ESA to update servers.
If needed, refer to ESA Packet Capture Procedures to enable packet capture on the ESA, and then re-
attempt the upgrade process.

Note: Firewalls need to allow idle connections to stay active, especially for the upgrade process.

For strict network rewalls that require static upgrade servers, refer to Content Security Appliance
Upgrades or Updates with a Static Server for setting up static update and upgrade servers.
For hardware appliances, test connections to these dynamic servers:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html 4/5
25/11/2020 ESA AsyncOS Upgrade and Troubleshoot Procedure - Cisco

telnet update-manifests.ironport.com:443
telnet updates.ironport.com:80
telnet downloads.ironport.com:80

For virtual appliances you will need to use these dynamic servers:
telnet update-manifests.sco.cisco.com:443
telnet updates.ironport.com:80
telnet downloads.ironport.com:80  

Refer to the User Guide for complete rewall information and port requirements.

Related Information
Compatibility Matrix for Cisco Content Security Management Appliances
ESA Upgrade Procedures
ESA Packet Capture Procedures
Content Security Appliance Upgrades or Updates with a Static Server
Technical Support & Documentation - Cisco Systems

© 2020 Cisco and/or its a liates. All rights reserved.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118547-technote-esa-00.html 5/5