This document describes how to load the configuration onto a replacement Email Security Appliance (ESA) and how to migrate the configuration.
Cisco recommends that the AsyncOS version and revision be the same on both the old ESA and the new or replacement ESA, for example, 10.0.1-087.
In order to verify version information of the appliance from the CLI, enter the version command. In the GUI, select Monitor > System Status.
The information in this document is based on all ESA hardware models and virtual appliances. The process described might also be applied towards the Cisco Security Management Appliance (SMA).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
How to Load ESA Configuration on a Replacement ESA
Tip: See the Managing the Configuration File section of the ESA User Guide for complete details on how to save, load, and manage the configuration file.
Note: If you do not need to change the IP address(es) or the host name of the ESA, and it will be used to replace your current unit, you will not need to complete steps five and six. Keep in mind that once you load the configuration on the new or replacement ESA, and commit the configuration changes, the new or replacement ESA will be live on your network with the existing IP address(es) and host name. The old ESA should be removed from the network, or powered off, prior to the commit of configuration changes on the new or replacement ESA.
Save the Configuration
Choose System Administration > Configuration File.
Before downloading the current configuration, within the Current Configuration section:
(AsyncOS 11.0.x and older) select either the Plain passphrases in the Configuration Files, or the Encrypt passphrases in the Configuration Files option.
Note: Older versions of AsyncOS may refer to this option as Plain passwords in the Configuration Files.
Note: Configuration files with masked passwords cannot be used with the Load Configuration step.
Click the Download file to local computer to view or save radio button.
Alternatively, select the Email file to option to have the configuration sent via email.
Click Submit. This automatically downloads the appliance configuration in XML format to your local computer. Based on your local computer and browser, ensure that you save the file to a known location or your desktop.
With a local editor/application, edit the XML file. In the Network Configuration section, remove the ethernet, port, and routing tables entries from the configuration file:
The ethernet entry starts with <ethernet_settings> and ends with </ethernet_settings>
The port entry starts with <ports> and ends with </ports>
The routing tables entry starts with <routing_tables> and ends with </routing_tables>
Save the XML file locally before you load the configuration.
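The XML edit described in the steps above can be scripted. The following Python is an added example, not Cisco tooling: it removes the three sections at the byte level, so the XML declaration and DOCTYPE are preserved, then re-parses the result to confirm it is still well-formed. The sample export, its root element, DOCTYPE and child element names are constructed placeholders, not the real ESA schema.

```python
import re
import xml.etree.ElementTree as ET

# Sections the procedure above says to remove before loading on the new ESA.
NETWORK_TAGS = ("ethernet_settings", "ports", "routing_tables")

# Constructed sample, not a real export: root, DOCTYPE and child names are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config SYSTEM "config.dtd">
<config>
  <hostname>esa-old.example.com</hostname>
  <ethernet_settings>
    <interface>Data 3</interface>
  </ethernet_settings>
  <ports>
    <interface>Data 3</interface>
  </ports>
  <routing_tables>
    <interface>Management</interface>
  </routing_tables>
  <other_setting>kept as-is</other_setting>
</config>
"""


def strip_network_sections(xml_bytes, tags=NETWORK_TAGS):
    """Return (edited_bytes, {tag: blocks_removed}); all other bytes are untouched."""
    ET.fromstring(xml_bytes)  # fail early (ParseError) if the export is already damaged
    removed = {}
    for tag in tags:
        t = re.escape(tag.encode("ascii"))
        # <tag ...>...</tag> or self-closing <tag/>, plus its indentation and newline.
        block = re.compile(
            rb"[ \t]*<" + t + rb"(?:\s[^>]*)?(?:/>|>.*?</" + t + rb"\s*>)[ \t]*\r?\n?",
            re.DOTALL,
        )
        xml_bytes, removed[tag] = block.subn(b"", xml_bytes)
    # Re-parse: the edit must leave well-formed XML with none of the sections left.
    root = ET.fromstring(xml_bytes)
    leftover = [tag for tag in tags if next(root.iter(tag), None) is not None]
    if leftover:
        raise ValueError("sections still present: %s" % ", ".join(leftover))
    return xml_bytes, removed


if __name__ == "__main__":
    edited, counts = strip_network_sections(SAMPLE)
    print(counts)
    print(edited.decode("latin-1"))
```

For a real export, read the downloaded file in binary mode, pass its bytes to strip_network_sections, and write the result to a new file so the original download stays intact.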
Load the Configuration
On the new or replacement ESA, choose System Administration > Configuration File.
In the Load Configuration section, click the Load a configuration file from local computer radio button and then click Browse.
Locate the file you saved from the previous instructions and click Open.
You will see a pop-up notification that states, Loading a configuration will permanently remove all of your current configuration settings. You should save your configuration prior to loading a new one.
Click Continue in order to proceed.
You should see the Success — Configuration file was loaded. Changes will not take effect until you Commit. Please review network settings before committing the changes. message at the top of the Configuration File screen.
From the upper right-hand corner, click Commit Changes.
Enter any comments for the changes and click Commit Changes.
Your configuration is now loaded on your new appliance. If you receive errors on the Configuration File screen after you click Continue, see the next section. It is possible that you might need to make manual edits to the XML file in order to successfully load the configuration to the new or replacement ESA.
How to Migrate ESA Configuration on a Replacement ESA
It is possible to migrate the configuration from one ESA to another, or migrate the configuration from the hardware to a virtual appliance. As stated earlier in the document, both ESAs must have the same AsyncOS revision loaded on each of the appliances.
Since the differences in configuration values might vary and many scenarios can occur, it is not possible to cover all of the possibilities within this document.
If you downgrade from a larger appliance (for example, X1070) to a smaller appliance (for example, C680), the quarantine sizes must be adjusted.
If you migrate from a smaller appliance (for example, C170) to any other appliance, the number of interfaces will need to be manually adjusted in the XML. For migration from C360/C660 to a C370/C670, the number of interfaces increases and must be manually corrected in the configuration.
If there is an alert about the quarantine size at the time of a loadconfig, manually edit the XML file with a local editor/application. You will need to search the XML for the quarantine area and adjust the size of the quarantine part.
Example errors you might encounter that will require you to manually edit the XML:
"Configuration file was not loaded. Parse Error on element "ethernet_settings" line number 91 column 22 with value "Data 3": Ethernet interface Data 3 not configured."
"Configuration file was not loaded. Parse Error on element "db_environment_actual_size" line number 2133 column 35 with value "36507222016": The db_environment_actual_size for reporting DB should not be modified."
"Configuration file was not loaded. Parse Error on element "tracking_global_max_db_size" line number 2311 column 36 with value "25769803776": The tracking_global_max_db_size for tracking DB should not be modified."