This document provides additional insight and steps associated with the upgrade process of AsyncOS for Email Security on the Cisco Email Security Appliance (ESA).
Ensure the appliance RAID status is READY or OPTIMAL in the System Status output. Do not initiate an upgrade on an appliance with a RAID status of DEGRADED. Contact Cisco TAC to initiate a Return Material Authorization (RMA) case for your appliance.
Verify if the ESA is a stand-alone appliance or in a clustered environment. If clustered, be sure to properly review the Cluster Upgrade section of this document.
Ensure there is Internet connectivity from the ESA on port 80 and 443 with no packet inspections.
A functional DNS server(s) is required.
Compatibility Between ESA/SMA
Review the compatibility of the ESA and SMA systems before you upgrade. Older versions of AsyncOS for Email Security might require more than one upgrade in order to get to the latest version. For confirmation of the upgrade path and appliance provisioning, contact Cisco TAC.
Prepare to Upgrade
Save the XML configuration file off-box. If you need to revert to the pre-upgrade release for any reason, you will need this file.
If you use the Safelist/Blocklist feature, export the list off-box.
Suspend all listeners. If you perform the upgrade from the CLI, use the suspendlistener command. If you perform the upgrade from the GUI, listener suspension occurs automatically.
Wait for the queue to empty. You can use the workqueue command to view the number of messages in the work queue or the rate command in the CLI to monitor the message throughput on your appliance.
Download and Install the Upgrade
As of AsyncOS for Email Security version 8.0, the upgrade options are updated to now include DOWNLOADINSTALL in addition to DOWNLOAD. This gives the administrator flexibility to download and install in a single operation, or download in the background and install later.
Choose the operation you want to perform: - DOWNLOADINSTALL - Downloads and installs the upgrade image (needs reboot). - DOWNLOAD - Downloads the upgrade image. > download
Upgrades available. 1. AsyncOS 9.5.0 build 035 upgrade For Email, 2015-04-04 2. AsyncOS 9.5.0 build 067 upgrade For Email, 2015-04-22 3. AsyncOS 9.5.0 build 201 upgrade For Email, 2015-05-26 This release is for Limited Deployment 4. AsyncOS 9.6.0 build 042 upgrade For Email, 2015-07-15 this release is for General Deployment >
Enter the status command and make sure the listener is suspended. You should see “System status: Receiving suspended".
Enter the upgrade command.
Choose an option for DOWNLOADINSTALL or DOWNLOAD.
Choose the appropriate number associated with the upgrade version desired.
Complete the needed questions to save the current configuration and approve the reboot when the upgrade is applied.
Post-upgrade, log in to the CLI and enter resume to resume the listeners and ensure operation. Enter the status command and confirm "System status: Online".
Upgrade on the GUI
Choose System Administration > System Upgrade.
Click Upgrade Options...
Choose an option for Download and install or Download.
Click and highlight the upgrade version desired.
Choose the appropriate options for Upgrade Preparation.
Proceed, to begin the upgrade and display the progress bar for your monitoring.
Post-upgrade, log in to the CLI and enter resume to resume the listeners and ensure operation: Choose System Administration > Shutdown/Suspend > Resume (Check All).
In the Mail Operations section, choose Commit.
ESAs in a cluster will follow the same upgrade process from the CLI or the GUI as in the previous sections, with the one exception that there will be a prompt to disconnect devices off the cluster.
Note: You can perform the upgrade with the CLI or the GUI, but the reconnect clusterconfig commands are only available via the CLI. This document describes how to upgrade the machines via the CLI.
Example as seen from CLI:
(Cluster my_cluster)> upgrade
This command is restricted to run in machine mode of the machine you are logged in to. Do you want to switch to "Machine applianceA.local" mode? [Y]> y
Example as seen from GUI:
Note: This is an administrative disconnect only. This will stop the appliances from only syncing configuration at the cluster level. This does not remove or alter the appliance configuration.
Complete these steps in order to upgrade ESAs that run in a cluster via the CLI:
Enter the upgrade command into the CLI in order to upgrade AsyncOS to a later version. When you are asked whether you wish to disconnect the cluster, respond with the letter Y in order to proceed:
(Machine host1.example.com)> upgrade
You must disconnect all machines in the cluster in order to upgrade them. Do you wish to disconnect all machines in the cluster now? [Y]> Y
Follow all of the upgrade prompts (reboot prompt included).
After all of the machines in the cluster are upgraded and rebooted, log onto one of the machines in the cluster via the CLI and enter the clusterconfig command. Reconnect them at the cluster level to allow configuration sync and resume cluster operation.
Respond Yes in order to reconnect. It is not necessary to commit.
Choose the machine to reattach to the cluster. Separate multiple machines with commas or specify a range with a dash.
Should the upgrade fail due to network interruptions, similar errors might be seen during the upgrade process output:
Reinstalling AsyncOS... 66% 01:05ETA. /usr/local/share/doc/jpeg/libjpeg.doc: Premature end of gzip compressed data: Input/output error tar: Error exit delayed from previous errors. Upgrade failure.
This is typically due to a network interruption that might have occurred during the transmission of data between the ESA and the update servers. Investigate any network firewall logs or monitor packet traffic from the ESA to update servers.