topic Re: Update FTD Devices in Network Security

Update FTD Devices

moskalevas — Thu, 04 Jun 2020 08:47:16 GMT

Hello, after trying to upgrade ftd 2130 from version 6.2.2 to 6.3.0 in a pair of high availability, one device was successfully updated, the second showed an error.
entries from the update log on a failed device:

admin@firepower:/ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_Upgrade-6.3.0$ more status.log
state:running
ui:Upgrade has begun.
ui:[ 1%] Running script 000_start/000_check_update.sh...
ui:[ 2%] Running script 000_start/100_start_messages.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_sync.pl...
ui:[ 4%] Running script 000_start/107_version_check.sh...
ui:[ 5%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 7%] Running script 000_start/113_EO_integrity_check.pl...
ui:[ 7%] Fatal error: Error running script 000_start/113_EO_integrity_check.pl. For more details see /ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_Upgrade-6.3.0/000_start/113_EO_integrity_check.pl.log on the devic
e being upgraded.

At the end of the log 113_EO_integrity_check.pl.log entry:

Total errors: 1
EOIC failed

One error was found in the text of the log 113_EO_integrity_check.pl.log:

Checking type: CustomServiceDecoderModule
Checking 972dd32e-81f9-46a4-ac9a-c5a98347ba33
ERROR found!

Before updating, the device was checked install_update.pl --detach --readiness-check /var/sf/updates/upgrade_package_name:

admin@firepower:/ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_Upgrade-6.3.0$ more status.log.202005290651
state:running
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_platform_support.sh...
ui:[ 3%] Running script 000_start/000_check_sign_type.sh...
ui:[ 7%] Running script 000_start/100_start_messages.sh...
ui:[10%] Running script 000_start/101_run_pruning.pl...
ui:[14%] Running script 000_start/102_check_sru_install_running.pl...
ui:[17%] Running script 000_start/105_check_model_number.sh...
ui:[21%] Running script 000_start/106_check_HA_updates.pl...
ui:[24%] Running script 000_start/107_version_check.sh...
ui:[28%] Running script 000_start/108_check_sensors_ver.pl...
ui:[31%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[34%] Running script 000_start/110_DB_integrity_check.sh...
ui:[38%] Running script 000_start/111_FS_integrity_check.sh...
ui:[41%] Running script 000_start/112_CF_check.sh...
ui:[45%] Running script 000_start/113_EO_integrity_check.pl...
ui:[48%] Running script 000_start/250_check_system_files.sh...
ui:[52%] Running script 000_start/410_check_disk_space.sh...
ui:[55%] Running script 200_pre/001_check_reg.pl...
ui:[59%] Running script 200_pre/002_check_mounts.sh...
ui:[62%] Running script 200_pre/003_check_health.sh...
ui:[66%] Running script 200_pre/005_check_manager.pl...
ui:[69%] Running script 200_pre/006_check_snort.sh...
ui:[72%] Running script 200_pre/007_check_sru_install.sh...
ui:[76%] Running script 200_pre/009_check_snort_preproc.sh...
ui:[79%] Running script 200_pre/011_check_self.sh...
ui:[83%] Running script 200_pre/015_verify_rpm.sh...
ui:[86%] Running script 200_pre/100_log_version.sh...
ui:[90%] Readiness Check completed successfully.
ui:Upgrade has completed.
state:finished

What should be our next steps for a successful update?

Re: Update FTD Devices

Marvin Rhoads — Thu, 04 Jun 2020 11:48:41 GMT

I'd recommend opening a TAC case. There could be file or database corruption on the failed unit.

Re: Update FTD Devices

moskalevas — Thu, 04 Jun 2020 12:43:55 GMT

Marvin, thx fo answer, Im opened tac case, but his answer very slow, last recomendation :
- Try the upgrade again, sometimes some process gets stuck. (FAILED again)
- check the database integrity. (HOW?)
- Remove the firewall from the FMC and put it back again. (How it do correctly, if ftd devices in HA pair, and i forget old key registartion? )
Same questions i ask to tac, but on this forum answer going very fast 🙂

Re: Update FTD Devices

Marvin Rhoads — Thu, 04 Jun 2020 13:19:48 GMT

Since your production environment is degraded you might want to raise your TAC case priority to P2. That will get you quicker assistance and, if necessary, requeue to an available engineer.

Re: Update FTD Devices

i.leridant — Thu, 04 Jun 2020 14:44:28 GMT

Hello,
Are you FDM or FMC ?
Every time I launched a readiness check on FMC for a HA it failed...
You can also try to break the HA with the updated sensor in production, then try again the update on the failed

Re: Update FTD Devices

moskalevas — Fri, 05 Jun 2020 12:11:48 GMT

Hello! i want break ha pair, but i not understand what happen with second device (failure device), how behavior my traffic? Is it hard return back device in HA pair?

Re: Update FTD Devices

moskalevas — Tue, 16 Jun 2020 05:54:39 GMT

Reimage the System with a New Software Version

https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot/b_2100_CLI_Troubleshoot_chapter_011.html

Re: Update FTD Devices

kapydan88 — Mon, 25 Jan 2021 09:42:45 GMT

Hello for everybody.

Can you share your guide or describe how did you update the software on your HA 2130? We are going to try to update firmware from 6.4.0 to 6.6.1 on HA Firepower 1140. But on youtube and cisco.com i found only instructions for updating 4100/9300 devices... If i understood correctly, ftd 1000 series is the same like ftd 2100.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200896-Upgrading-an-FTD-HA-pair-on-Firepower-ap.html#anc9

Re: Update FTD Devices

moskalevas — Mon, 25 Jan 2021 13:11:55 GMT

Hi! Im updated my ftd device through FMC:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213269-upgrade-procedure-through-fmc-for-firepo.html

Re: Update FTD Devices

kapydan88 — Mon, 25 Jan 2021 15:14:06 GMT

Devices were updated in this order:

1) update secondary ftd

2) make updated secondary device active

3) update the remaining device

or simultaneously?