topic Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3 in Network Security

ASA 5525 FTD Upgrade from 6.2.2 to 6.3

jhontoc24 — Fri, 21 Feb 2020 16:38:59 GMT

Dear Team:

is there any Cisco documentation for Upgrade Procedures on ASA 5525-x from 6.2.2 to the last release 6.3?

I've seen int the web page a file name but with a different extension ".tar"

https://software.cisco.com/download/home/286271172/type/286306337/release/6.3.0

best regards,

Jhon

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Marvin Rhoads — Fri, 11 Jan 2019 03:18:53 GMT

1. Download the tar file to your workstation.

2. If you are managing the device with FMC, upload the tar file to FMC (via System > Updates) and then select and install it.

3. If you are managing the device via FDM, do a similar process via Updates > System Upgrade.

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Abheesh Kumar — Fri, 11 Jan 2019 07:24:11 GMT

Hi,

Upgrade Procedure Doc

HTH

Abheesh

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Muhammad Abubakar — Fri, 21 Jun 2019 06:13:44 GMT

Hi,

We have two ASA 5525 with FTD version 6.2.3.3 (active/strandby) - both are registered with FMC.

Now I want to upgrade FTDs to 6.3 and wanted to do it without FMC. Is there any way we can upgrade the devices without FMC and then register in FMC again ?

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Marvin Rhoads — Fri, 21 Jun 2019 11:58:47 GMT

It can be done but it's a LOT more work. It's not a recommended path nor is it strictly supported.

The cli procedure is referenced in this thread:

https://community.cisco.com/t5/firepower/fmc-upgrade-from-cli/td-p/3401740

What's your reason for wanting to use the cli method?

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Muhammad Abubakar — Fri, 05 Jul 2019 08:35:58 GMT

Hi Marvin,

Thank you for the reply, the link is helpful. Sorry for returning late here I was busy with many things together.. 🙂

Our reason to do it manually is that the location where these FTDs are, have bandwidth limitations. So if I push the package and start the upgrade from FMC I'm afraid it'll take the bandwidth and will effect other services on the link. we are upgrading the SFRs manually for the same reason on other sites. But since this is first time I'm upgrading the FTDs hence the question.

Currently I'm ding PoC for FTD upgrade in my LAB. I'll update here once done.

But meanwhile another questions, Since the FTDs are in cluster I wonder if I need to remove it from FMC ?? (since I'm upgrading the FTDs with out FMC) and then add them back when they are upgraded.. If not, then I wonder what will be the cluster status in FMC once I start upgrading the secondary box .. As I know If we upgrade it from FMC the cluster goes into maintenance state.

Thanks & have a very nice weekend.

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Marvin Rhoads — Fri, 05 Jul 2019 11:43:51 GMT

Your FMC should detect the new version even if it is installed manually on the ASA appliance running FTD. Your HA should remain intact. I'd recommend following a similar procedure to what is done when you upgrade a plain ASA HA pair (get image on both, upgrade Secondary - Standby, verify success, wait for return to Standby - Ready state, make it Active and repeat of the Primary unit.

Most of the underlying failover operations and associated code is inherited from ASA as the LINA subsystem on FTD.

Of course it would be nice to lab that all in advance.

Note that once you are on 6.2.3, you will have the option to push an update to the device from FMC prior to upgrade.

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Muhammad Abubakar — Fri, 13 Sep 2019 14:09:43 GMT

finally I got time to do this in the lab.

Hi Mervin,

yes, you are right. I followed the same process. download upgrade and patch versions to devices and than upgrade secondary first then wait for the HA status OK (in FMC) and switch peer active<->standby, upgrade the second unit .. All went smooth.but after the patch upgrade on second unit it doesn't show the HA active and standby ready.. Instead second unit is now in disabled state. with following logs from "sh fail hist" command. on secondary (disabled) unit

==========================================================================
From State To State Reason
==========================================================================
11:27:28 UTC Sep 13 2019
Not Detected Negotiation No Error

11:28:03 UTC Sep 13 2019
Negotiation Cold Standby Detected an Active mate

11:28:04 UTC Sep 13 2019
Cold Standby App Sync Detected an Active mate

11:33:57 UTC Sep 13 2019
App Sync Disabled CD App Sync error is app sync failure with error code device_failure_configuration
==========================================================================

Its strange. even when first unit was upgraded and the FTD version was different on both devices the HA was OK. but now when both devices are with same version, secondary unit went disabled.

I tried reboot the secondary unit but no luck..

Re: ASA 5525 FTD Upgrade from 6.2.2 to 6.3

Marvin Rhoads — Fri, 13 Sep 2019 23:18:54 GMT

You may need to remove and then re-add it onto the HA configuration from FMC.

Opening a TAC case might be the best course of action given the current state of the unit.