Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
Cisco Security Cloud Control's on-premises Secure Device Connector (SDC) has been installed on CentOS 7 virtual machines up to this point. Since CentOS 7 is now end-of-life and has been deprecated by Security Cloud Control, we have created this migration process to help you migrate all SDCs from CentOS 7 to an Ubuntu virtual machine.
Before You Migrate
- The SDC must have full outbound access to the internet on TCP port 443.
- The Ubuntu virtual machine running the SDC must have network access to the management interfaces of the devices it communicates with, such as ASAs and Cisco IOS devices.
- Any networking rules created for the IP address or FQDN of the old SDC VM to reach your devices should be recreated with the IP address or FQDN of the new SDC VM.
- The migration will take 10 to 15 minutes. During this time, your device will continue to enforce security policy and route network traffic, but you will not be able to communicate with it through the SDC.
Prerequisites
- Ensure that you have access to the Security Cloud Control tenant to verify your SDC is online after migration is complete.
- Have the login information for your new VM.
- Ensure the new VM image has the following CPU and RAM allocations:
  - For one SDC:
    - CPU: 2 Cores
    - RAM: Minimum of 2 GB
  - For one SDC and one SEC:
    - CPU: 4 Cores
    - RAM: Minimum of 8 GB
- Ensure that SSH and SCP are not disabled for your new VM.
Host Configuration
Follow this procedure if you are migrating the SDC and/or SEC:
- Download the new VM image here.
- Unzip the CDO-SDC_VM.zip file. You should see three VM files named similarly to the following:
  - CDO-SDC-VM-708cd33-2024-05-30-2031-disk1.vmdk
  - CDO-SDC-VM-708cd33-2024-05-30-2031.mf
  - CDO-SDC-VM-708cd33-2024-05-30-2031.ovf
- Deploy the VM you just downloaded.
- Note the static IP address or FQDN you assigned to the new VM.
- Using SSH, log in to the new VM as the CDO user.
- At the prompt, enter the command:
  sudo sdc host configure
  Note:
  - Follow the prompts in the migration script closely. The script is well-documented and will guide you through the migration process, explaining each step.
  - At the end of the migration script, you will receive a message indicating that your SDC has been migrated to the new VM. The SDC will retain its name after the migration.
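An integrity check that can be run between the unzip and deploy steps above, as an added example that is not part of Cisco's procedure or tooling: it checks every file named in the .mf manifest against the digest recorded for it. It assumes GNU coreutils (sha1sum, sha256sum, sha512sum) and the standard OVF manifest line format; verify_ovf_manifest, make_sample and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco tooling. Assumes GNU coreutils sha*sum and the
# OVF manifest line form:  SHA256(<file>)= <hex digest>

verify_ovf_manifest() {   # usage: verify_ovf_manifest <path/to/file.mf>
    mf=$1; rc=0; seen=0
    [ -r "$mf" ] || { echo "FAIL cannot read manifest: $mf" >&2; return 2; }
    dir=$(dirname "$mf")
    pat='^\(SHA[0-9]*\)(\(.*\))= *\([0-9A-Fa-f]*\)$'
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF manifests
        [ -n "$line" ] || continue
        algo=$(printf '%s\n' "$line" | sed -n "s/$pat/\1/p")
        file=$(printf '%s\n' "$line" | sed -n "s/$pat/\2/p")
        want=$(printf '%s\n' "$line" | sed -n "s/$pat/\3/p" | tr 'A-F' 'a-f')
        case $algo in
            SHA1) tool=sha1sum ;; SHA256) tool=sha256sum ;; SHA512) tool=sha512sum ;;
            *) echo "FAIL unparseable line: $line" >&2; rc=1; continue ;;
        esac
        # Entries sit beside the .mf; refuse names that point outside that directory.
        case $file in
            ''|*/*) echo "FAIL suspicious file name: $file" >&2; rc=1; continue ;;
        esac
        seen=$((seen + 1))
        if [ ! -f "$dir/$file" ]; then
            echo "FAIL missing: $file" >&2; rc=1; continue
        fi
        got=$("$tool" "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK   $file ($algo)"
        else
            echo "FAIL digest mismatch: $file" >&2; rc=1
        fi
    done < "$mf"
    [ "$seen" -gt 0 ] || { echo "FAIL manifest lists no files" >&2; return 1; }
    return "$rc"
}

# Constructed sample (not a real image): a stand-in disk plus a manifest for it.
make_sample() {   # prints the path of the constructed manifest
    d=$(mktemp -d)
    printf 'constructed disk image bytes\n' > "$d/sample-disk1.vmdk"
    h=$(sha256sum "$d/sample-disk1.vmdk" | cut -d' ' -f1)
    printf 'SHA256(sample-disk1.vmdk)= %s\r\n' "$h" > "$d/sample.mf"
    echo "$d/sample.mf"
}

# With an argument, check that manifest; with none, check the constructed sample.
verify_ovf_manifest "${1:-$(make_sample)}"
```

A match shows the files are consistent with the manifest shipped in the same archive, which catches a truncated or corrupted download; it does not by itself establish where the archive came from.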
SDC Migration
Procedure:
- Using SSH, log in to the old (CentOS) SDC as the CDO user.
- Ping the new (Ubuntu) host from the old host to ensure the new host is reachable from the old host.
- After confirming that the old host can reach the new host over the network, run the migration script using the command:
  sudo sdc migrate now
Verification:
- Log in to your Security Cloud Control tenant.
- Select the SDC you migrated, and in the Actions pane, click Request Heartbeat.
  Note: Ensure that the SDC is in the Active state.
SEC Migration
Procedure:
- Using SSH, log in to the old (CentOS) SDC as the CDO user.
- Ping the new (Ubuntu) host from the old host to ensure the new host is reachable from the old host.
- After confirming the old host can reach the new host over the network, run the migration script using the command:
  sudo sdc eventing migrate
- You can configure your devices to point to the new IP address of the SEC or you can shut down the old host and assign the new host the same IP address that the old host had so that the devices do not need to be updated.
Verification:
For information on the state of the SEC, see Use Health Check to Learn the State of your Secure Event Connector.
Additional Instructions
Do Not Restart Your Old SDC
After the migration is complete, do not restart your old SDC on the original virtual machine.
Revert Failed Migration
If the migration fails for any reason, or the result is not what you are expecting and you want to revert to the old SDC, follow the instructions below:
- Log in to the new VM and switch to the SDC user.
- Ensure the SDC is not currently running on the new VM using the command:
  docker ps
- If the SDC is running, run the command:
  sdc stop
- Confirm that the SDC has stopped running by executing docker ps again.
- Log in to the old VM and run the command:
  sdc migrate revert
- When the old SDC is active and visible in the UI, return to the new VM and execute the command:
  sdc delete <your-tenant-name-here>
- Refresh the browser completely, click on the SDC, and verify that the IP of the old host appears in the sidebar.
  If the new IP still appears despite following these steps, request a new health check, refresh the browser, and check again.
- To revert the SEC migration, run the command:
  sdc eventing revert