Introduction
This document describes how to upgrade the Cisco Email Security Appliance (ESA) with the GUI or the CLI.
Upgrade Preparation
Cisco recommends that you review the ESA release notes and that you complete these steps in order to prepare your system for the ESA upgrade that is described in this document:
- Copy and save the XML configuration file from the ESA.
- If you use the Safelist/Blocklist feature, then export the list from the appliance.
- Suspend the listeners.
Note: If you have a single ESA and you do not want to impact your mail flow, do not suspend the listeners. The mail flow is impacted during the reboot.
- Upgrade your server via the GUI. Cisco recommends that you choose the latest available version from the list.
- If you suspended the listeners (Step 3), then enter Resume into the CLI in order to activate the listeners after the upgrade is complete.
Warning: Ensure operational health of the appliance before you start any upgrade. Enter the version command in the CLI in order to ensure that RAID status is "Optimal." If there is a failed hard disk drive (HDD) on the appliance, open a support case and complete a HDD RMA and rebuild prior to the upgrade. If you upgrade an appliance with a failed HDD, it possibly leads to HDD corruption and unforeseen issues on an appliance that runs off a single HDD.
Upgrade the ESA via the GUI
Note: Cisco recommends that when you upgrade, do so via the CLI. This provides more details as to the download of the upgrade packages, and also details of the upgrade process. In case of upgrade issues or failures, the CLI output proves useful to Cisco Support when troubleshooting.
The GUI Online Help contains detailed instructions about the ESA upgrade methods and requirements. Simply navigate to Help > Online Help from the GUI, and use the Index tab in order to search for Upgrade AsyncOS. Use the information provided in order to upgrade the ESA.
Upgrade the ESA via the CLI
Complete these steps in order to upgrade the ESA from the CLI:
- Copy the ESA configuration settings into an email and send it to yourself. When you are prompted to include the passwords, choose Yes. This allows you to import the configuration file, if necessary.
Note: If you have one ESA, it is safe to allow the mail flow to continue while the ESA upgrade takes place. The only time the ESA does not accept mail is when it reboots.
- If you have multiple ESAs, suspend the listeners on the machine that you intend to upgrade. Enter suspendlistener into the CLI and select your inbound listener. The other machine(s) handle(s) all of the mail flow.
- Enter upgrade into the CLI. The ESA downloads and applies the new AsyncOS version. This process takes approximately ten to thirty minutes, dependent upon the network speed and the AsyncOS version.
- When the upgrade is complete, the ESA prompts you on the CLI to reboot, and provides up to thirty seconds before it reboots. (During the reboot, you can ping the IP address in order to determine if the ESA is online.)
- Once the reboot has completed, log into the ESA and activate the listeners. Enter resumelistener into the CLI and select the listener that is suspended.
- In order to verify the mail flow, enter tail mail_logs into the CLI.
Important Upgrade Notes
Once you read the ESA release notes and complete the steps that are described in this document, you can log into the CLI of your ESA as an admin user and enter upgrade.
It is important to adhere to the upgrade instructions that are available in the ESA release notes. If you attempt to upgrade and your desired AsyncOS version is not available, it is likely that your ESA runs a version that does not permit a direct upgrade. Refer to the ESA release notes for qualified upgrade paths.
If your ESA system runs an AsyncOS version that does not support a direct upgrade, you must perform multiple upgrades as specified in the release notes. Only the next step in the upgrade path is shown to you, and the next revision is shown once you are at the approved level.
Related Information
Feedback