Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
Cisco Security Cloud Control's on-premises Secure Device Connector (SDC) has been installed on CentOS 7 virtual machines up to this point. Since CentOS 7 is now end-of-life and has been deprecated by Security Cloud Control, we have created this migration process to help you migrate all SDCs from CentOS 7 to an Ubuntu virtual machine.
Before You Migrate
- The SDC must have full outbound access to the internet on TCP port 443.
- The Ubuntu virtual machine running the SDC must have network access to the management interfaces of the devices it communicates with, such as ASAs and Cisco IOS devices.
- Any networking rules created for the IP address or FQDN of the old SDC VM to reach your devices should be recreated with the IP address or FQDN of the new SDC VM.
- The migration will take 10 to 15 minutes. During this time, your device will continue to enforce security policy and route network traffic, but you will not be able to communicate with it through the SDC.
Prerequisites
Deploy a new host by following the instructions on Deploy a VM for Running the Secure Device Connector and Secure Event Connector.
Host Configuration
Follow this procedure if you are migrating the SDC and/or SEC:
- Download the new VM image here.
- Unzip the CDO-SDC_VM.zip file. You should see three VM files named similarly to the following:
  - CDO-SDC-VM-708cd33-2024-05-30-2031-disk1.vmdk
  - CDO-SDC-VM-708cd33-2024-05-30-2031.mf
  - CDO-SDC-VM-708cd33-2024-05-30-2031.ovf
- Deploy the VM you just downloaded.
- Note the static IP address or FQDN you assigned to the new VM.
- Using SSH, log in to the new VM as the CDO user.
- At the prompt, enter the command:
  sudo sdc host configure
  Note: Follow the prompts in the migration script closely. The script is well-documented and will guide you through the migration process, explaining each step.
- At the end of the migration script, you will receive a message indicating that your SDC has been migrated to the new VM. The SDC will retain its name after the migration.
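The unzip step above yields a .mf manifest next to the .ovf and .vmdk files. The following is an added example, not part of Cisco's documentation or tooling, that checks the unpacked files against that manifest before you deploy the VM. It assumes Linux coreutils (sha1sum, sha256sum, sha512sum) and manifest lines in the usual OVF form; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco tooling: check the files unpacked from the VM archive
# against the digests in the OVF manifest (.mf) before deploying the VM.
# Assumes manifest lines of the usual OVF form:  SHA256(name.ovf)= <hex digest>
verify_ovf_manifest() (
    mf=$1; rc=0; seen=0
    [ -r "$mf" ] || { echo "cannot read manifest: $mf" >&2; exit 2; }
    dir=$(dirname "$mf"); cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                        # tolerate CRLF line endings
        [ -n "$line" ] || continue
        rest=${line#*\(}; file=${rest%\)=*}       # text between "(" and ")="
        want=$(printf '%s' "${rest##*\)=}" | tr -d ' ' | tr 'A-F' 'a-f')
        case ${line%%\(*} in
            SHA1)   tool=sha1sum ;;
            SHA256) tool=sha256sum ;;
            SHA512) tool=sha512sum ;;
            *)      tool= ;;
        esac
        if [ -z "$tool" ] || [ "$file" = "$rest" ]; then
            echo "UNPARSED  $line" >&2; rc=1; continue
        fi
        seen=$((seen + 1))
        case $file in                             # entries must be plain file names
            */*) echo "REJECTED  $file" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING   $file" >&2; rc=1; continue
        fi
        got=$("$tool" "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK        $file"
        else echo "MISMATCH  $file" >&2; rc=1; fi
    done < "$mf"
    [ "$seen" -gt 0 ] || { echo "no digest entries in $mf" >&2; exit 1; }
    exit "$rc"
)

# Constructed sample: stand-in files and a matching manifest in a temp directory.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed ovf descriptor\n' > "$d/sample.ovf"
    printf 'constructed disk image\n' > "$d/sample-disk1.vmdk"
    for f in sample.ovf sample-disk1.vmdk; do
        printf 'SHA256(%s)= %s\n' "$f" "$(sha256sum "$d/$f" | cut -d' ' -f1)"
    done > "$d/sample.mf"
    echo "$d"
}

sample=$(make_sample) && verify_ovf_manifest "$sample/sample.mf"; rm -rf "$sample"
```

To use it on the real download, call verify_ovf_manifest with the path to the unpacked .mf file. A passing result shows the files match the manifest shipped in the same archive, which catches truncated or corrupted downloads; it does not establish where the archive came from.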
SDC Migration
Procedure:
- Using SSH, log in to the old (CentOS) SDC as the CDO user.
- Install the CLI using the command:
  curl -O https://s3.us-west-2.amazonaws.com/download.defenseorchestrator.com/sdc-cli/sdc-cli-package-latest.tgz && tar -xvf sdc-cli-package-latest.tgz && chmod +x ./install.sh && ./install.sh
- Run the following command and follow the prompts:
  sudo sdc migrate now
Verification:
- Log in to your Security Cloud Control tenant.
- Select the SDC you migrated, and in the Actions pane, click Request Heartbeat.
  Note: Ensure that the SDC is in the Active state.
SEC Migration
Procedure:
- Using SSH, log in to the old (CentOS) SDC as the CDO user.
- Install the CLI using the command:
  curl -O https://s3.us-west-2.amazonaws.com/download.defenseorchestrator.com/sdc-cli/sdc-cli-package-latest.tgz && tar -xvf sdc-cli-package-latest.tgz && chmod +x ./install.sh && ./install.sh
- Run the following command and follow the prompts:
  sudo sdc eventing migrate
- You can configure your devices to point to the new IP address of the SEC, or you can shut down the old host and assign the new host the same IP address that the old host had so that the devices do not need to be updated.
Verification:
For information on the state of the SEC, see Use Health Check to Learn the State of your Secure Event Connector.
Additional Instructions
Do Not Restart Your Old SDC
After the migration is complete, do not restart your old SDC on the original virtual machine.
Revert Failed Migration
If the migration fails for any reason, or the result is not what you are expecting and you want to revert to the old SDC, follow the instructions below:
- Log in to the new VM and switch to the SDC user.
- Ensure the SDC is not currently running on the new VM using the command:
  docker ps
- If the SDC is running, run the command:
  sdc stop
- Confirm that the SDC has stopped running by executing docker ps again.
- Log in to the old VM and run the command:
  sdc migrate revert
- When the old SDC is active and visible in the UI, return to the new VM and execute the command:
  sdc delete <your-tenant-name-here>
- Refresh the browser completely, click on the SDC, and verify that the IP of the old host appears in the sidebar.
  If the new IP still appears despite following these steps, request a new health check, refresh the browser, and check again.
- To revert the SEC migration, run the command:
  sdc eventing revert