Validate and Troubleshoot an AsyncOS Upgrade on ESA

Available Languages

Download Options

  • PDF     (26.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (68.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 28, 2026
Document ID:118547

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes post-upgrade steps to validate a successful AsyncOS upgrade and troubleshoot common issues on the Cisco Secure Email Gateway (SEG).

Prerequisites

note-icon

Note: Cisco Secure Email Gateway was formerly know as Email Security Appliance.

Requirements

  • The appliance RAID status must be READY or OPTIMAL in the System Status output; do not initiate an upgrade if the status is DEGRADED and contact Cisco TAC for a Return Material Authorization (RMA).
  • Confirm no significant errors exist, specifically network connectivity or DNS issues, by reviewing system alerts in the GUI under System Administration > Alerts or by running the displayalerts command in the CLI.
  • Identify if the ESA operates as a stand-alone appliance or in a cluster and review the Cluster Upgrade section of this document for clustered environments.
  • Verify a functional DNS server configuration and ensure internet connectivity on ports 80 and 443 without packet inspection.
note-icon

Note: When firewall access is based on Fully Qualified Domain Names (FQDNs), ensure both Email Security Appliance (ESA) and firewall use the same DNS server for correct hostname-to-IP mapping. The upgrade and update URLs including downloads.ironport.com, upgrades.ironport.com, updates.ironport.com, and manifest URLs are hosted on the Akamai CDN network.

caution-icon

Caution: Cisco Smart Software Licensing usage is mandatory starting with AsyncOS 15.5.x and all future versions for Cisco Secure Email Gateway.

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Compatibility Between ESA and SMA

You must review the compatibility matrix between ESA and SMA before starting the upgrade. Some versions require multiple upgrades to reach the latest release. For upgrade path confirmation and appliance provisioning, contact Cisco TAC.

Preparing and Completing an AsyncOS Upgrade

For AsyncOS upgrade requirements and steps, please refer to the User Guide. Please familiarize yourself with these steps before proceeding. 

Perform Post-Upgrade Checks

  • If appliances are managed by SMA:
    • Navigate to Management Appliance > Centralized Services > Security Appliances to ensure all services are up.
    • Check Email > Message Tracking > Message Tracking Data Availability for OK status on all ESAs.
  • On each appliance, run status and confirm Online status.
  • Run displayalerts to view any new alerts after the upgrade.
  • In a cluster, clustercheck must show no inconsistencies and connstatus must show all appliances connected.
  • To verify mail flow, use the CLI command tail mail_logs to watch real-time processing.

Troubleshoot Upgrade Issues

  1. Run tail updater_logs and tail upgrade_logs from the CLI for upgrade issue details.
  2. If the image download or antispam/antivirus update fails, check network connectivity to update servers.
  3. If the upgrade fails due to network interruptions, errors can appear:
Reinstalling AsyncOS... 66% 01:05ETA.
/usr/local/share/doc/jpeg/libjpeg.doc: Premature end of gzip compressed data: Input/output error
tar: Error exit delayed from previous errors.
Upgrade failure.
  1. This typically results from network interruptions during data transmission between ESA and update servers.
  2. Check firewall logs or monitor packet traffic for issues.
  3. To capture network packets on the ESA, use the packet capture tool in the GUI or CLI.
note-icon

Note: Firewalls must allow idle connections to remain active during the upgrade process.

For hardware appliances, test connectivity to dynamic servers using these commands:

  • telnet updates.ironport.com 80
  • telnet downloads.ironport.com 80

For virtual appliances, test connectivity to these servers using these commands:

  • telnet update-manifests.sco.cisco.com 443
  • telnet updates.ironport.com 80
  • telnet downloads.ironport.com 80

Refer to the User Guide for firewall and port requirements.

Related Information

Revision History

Revision Publish Date Comments
7.0
28-May-2026
Updated Formatting to Comply with Cisco's Guidelines for Externalization.
6.0
24-Feb-2026
Updating article using KCS methodology and new AsyncOS process.
5.0
17-Apr-2025
Added Note Smart License is mandatory for versions 15+ and Components Used section. Updated SMA Compatibility and Related Info Links, and Formatting.
3.0
14-Sep-2023
Updated PII, SEO, Introduction, Machine Translation, Style Requirements and Formatting.
2.0
28-Jul-2022
2022 Update
1.0
09-Oct-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Dennis McCabe Jr
    Cisco Technical Leader
  • Udupi Krishna
    Cisco Technical Leader

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products