Friday 10 October 2014

Replacing Cisco Ironport ESA In Cluster Mode

Step by step guide on how to replace a Cisco Ironport ESA in cluster mode.

  1. SSH (for example with PuTTY) into either IronPort device in the cluster. This session is used to remove the device which is to be replaced from the cluster.
  2. Enter your credentials and issue the command "clusterconfig".
  3. You will be prompted to switch to cluster mode: This command is restricted to “cluster” mode. Would you like to switch to “cluster” mode? [Y]> Answer Y.
  4. You will then be presented with the following: Choose the operation you want to perform:
    – ADDGROUP – Add a cluster group.
    – SETGROUP – Set the group that machines are a member of.
    – RENAMEGROUP – Rename a cluster group.
    – DELETEGROUP – Remove a cluster group.
    – REMOVEMACHINE – Remove a machine from the cluster.
    – SETNAME – Set the cluster name.
    – LIST – List the machines in the cluster.
    – CONNSTATUS – Show the status of connections between machines in the cluster.
    – COMMUNICATION – Configure how machines communicate within the cluster.
    – DISCONNECT – Temporarily detach machines from the cluster.
    – RECONNECT – Restore connections with machines that were previously detached.
    – PREPJOIN – Prepare the addition of a new machine over CCS.
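  5. Choose "REMOVEMACHINE".
  6. Enter the number of the machine you want to remove from the list. (Note that this is only a configuration cluster, so it won't stop any mail flow at this point.)
  7. Log into the GUI of the IronPort device that was removed and take a backup of the configuration file with the mask passwords option unticked. A configuration file with masked passwords cannot be loaded back onto a device, so the export has to contain the real credentials; store the file securely.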
  8. SSH into the device removed and enter the command "suspendlistener", and choose all to stop mail flow through the device.
  9. Power up the new device and upgrade AsyncOS to the same version as the device to be replaced.
  10. Restore the configuration file exported from the old device.
  11. Transfer the license keys from the old device to the new one. The process of joining a cluster requires the centralised management key, which is not included by default on the new device. This can be done from the Cisco licensing portal: https://sso.cisco.com/autho/forms/CDClogin.html
  12. Once the keys have been transferred and you have the centralised management key installed, you can SSH into the new device and issue the command "clusterconfig prepjoin print".
  13. Then issue the "commit" command to save the key to the device.
  14. SSH into the ESA still in cluster mode and issue the command "clusterconfig".
  15. Switch to "cluster" mode when prompted, as before.
  16. Choose "prepjoin".
  17. Prepare Cluster Join Over CCS
  18. Choose new
  19. Enter the hostname of the system you want to add e.g. ironport.domain.com
  20. Enter the serial number of the system you want to add.
  21. Enter the user key obtained from the other ironport device, and commit.
  22. Go back to the new ironport device CLI and issue the "clusterconfig" command.
  23. Choose "join existing cluster over CCS".
  24. Enter the IP address, hostname, port and key of the new device when prompted.
  25. Once added there is no need to commit.
  26. To confirm the device has joined, enter "clusterconfig" and then "list". This should now show that both IronPort devices are in the cluster.
