This document describes the process used to replace a Cisco Email Security Appliance (ESA) that is in a cluster.
Replace an ESA that is in a Cluster
There are two methods to replace an ESA that is in a cluster.
Upload the Configuration File
Upload the configuration file from the old machine to the new machine and then add it back to the cluster.
Log in to the old ESA. Type clusterconfig > removemachine in order to pull the machine completely out of the existing cluster. The administrative disconnect might not suffice and might require a removemachine command.
Once the old machine is removed from the cluster, follow either of these steps:
From the GUI interface, go to System Administration >Configuration File, save the configuration file to your local desktop, and uncheck the mask password box.
Or email yourself the configuration file with the passwords unmasked.
Warning: If you do not unmask the password, the system will not allow you to import the configuration file into the new appliance.
Proceed with the system setup wizard and bring the new appliance up with the basic configuration setup.
Bring the new system online and upgrade to the same AsyncOS version as the existing machine in the cluster. In order to see the version of the existing machine, type version from the command line.
Warning: Before a machine can be joined to an existing cluster, it must be on the same AsyncOS version and build.
After the new appliance is upgraded, load the configuration file from the old device that was saved earlier. This is done on the System Administration >Configuration File page in the GUI.
Commit your changes.
Add the New Machine to the Existing Cluster
The second method is to add the new machine to the existing cluster in order to inherit the cluster settings while retaining any specific machine setting that it needs (such as the network interface).
Log in to any ESA still in the cluster. Type clusterconfig > removemachine in order to remove the faulty machine from the existing cluster. The administrative disconnect might not suffice and it might require a removemachine command.
Shut down the old ESA that needs replacement.
Go through the system setup wizard and make sure it has same IP address as the old ESA in order to bring the new ESA up with the basic configuration setup.
Ensure the interface and listener names are the same as the ones in the cluster.
From the new appliance, enter the clusterconfig command in order to join the existing cluster. Choose to join the cluster over secure shell (SSH) or cluster communication service (CCS).
ironport.example.com> clusterconfigDo you want to join or create a cluster? 1. No, configure as standalone. 2. Create a new cluster. 3. Join an existing cluster over SSH. 4. Join an existing cluster over CCS. > 3>
In order to join a host to an existing cluster, you must:
Be able to validate the SSH host key of a machine in the cluster.
Know the IP address of a machine in the cluster and be able to connect to this machine in the cluster (for example, via SSH or CCS).
Know the administrator password for the admin user on a machine that belongs to the cluster.
Be able to resolve forward and reverse DNS lookup.
Contact support if you have any questions/concerns.