Cisco Email Security Appliance

ESA Upgrade Procedures

Document ID: 117793

Updated: Aug 15, 2014

Contributed by Fraidoon Sarwary and Robert Sherwin, Cisco TAC Engineers.



This document describes how to upgrade the Cisco Email Security Appliance (ESA) with the GUI or the CLI.

Upgrade Preparation

Cisco recommends that you review the ESA release notes and that you complete these steps in order to prepare your system for the ESA upgrade that is described in this document:

  1. Copy and save the XML configuration file from the ESA.

  2. If you use the Safelist/Blocklist feature, then export the list from the appliance.

  3. Suspend the listeners.

    Note: If you have a single ESA and you do not want to impact your mail-flow, then do not suspend the listeners. The mail-flow is impacted during the reboot.

  4. Upgrade your server via the GUI. Cisco recommends that you choose the latest available version from the list.

  5. If you suspended the listeners (Step 3), then enter Resume into the CLI in order to activate the listeners after the upgrade is complete.

Upgrade the ESA with the GUI

The GUI Online Help contains detailed instructions about the ESA upgrade methods and requirements. Simply navigate to Help > Online Help from the GUI, and use the Index tab in order to search for Upgrade AsyncOS. Use the information provided in order to upgrade the ESA.

Upgrade the ESA with the CLI

Complete these steps in order to upgrade the ESA from the CLI:

  1. Copy the ESA configuration settings into an email and send it to yourself. When you are prompted to include the passwords, choose Yes. This allows you to import the configuration file, if necessary.

    Note: If you have one ESA, it is safe to allow the mail-flow to continue while the ESA upgrade takes place. The only time the ESA does not accept mail is when it reboots.

  2. If you have multiple ESAs, then suspend the listeners on the machine that you intend to upgrade. Enter suspendlistener into the CLI and select your inbound listener. The other machine(s) handle(s) all of the mail-flow.

  3. Enter upgrade into the CLI. The ESA downloads and applies the new AsyncOS version. This process takes approximately ten to thirty minutes, dependent upon the network speed and the AsyncOS version. When the upgrade is complete, the ESA prompts you to wait up to thirty seconds before it reboots. During the reboot, you can ping the IP address in order to determine if the ESA is online.

  4. Log into the ESA and activate the listeners. Enter resumelistener into the CLI and select the listener that is suspended.

  5. In order to verify the mail-flow, enter tail mail_logs into the CLI.

Important Upgrade Notes

Once you read the ESA release notes and complete the steps that are described in this document, you can log into the CLI of your ESA as an admin user and enter upgrade.

It is important that you follow the upgrade instructions that are available in the ESA release notes. If you attempt to upgrade and your desired AsyncOS version is not available, it is likely that your ESA runs a version that does not permit a direct upgrade. Refer to the ESA release notes for qualified upgrade paths.

If your ESA system runs an AsyncOS version that does not support a direct upgrade, you must perform multiple upgrades, as specified in the release notes. Only the next step in the upgrade path is shown to you, and the next revision is shown once you are at the approved level.

Related Information

Updated: Aug 15, 2014
Document ID: 117793