topic Re: 4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to From 2.6(1.174) to 2.8.(1.143) in Network Security

4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to From 2.6(1.174) to 2.8.(1.143)

Behzad Sharifi — Sat, 27 Feb 2021 23:50:04 GMT

I am about to uprade two FTD 4110 FXOS. The first upgrade has been succeced on the Secondary and then I tried do run the same steps on the primery FTD. I has been runing upgrade in more than 2 hours on the primery FTD now and I am soure that some thing is wrong. When I connect the chassie from the GUI, I is showing that the runing version is 2.8.(1.143) but if I check the CLI, I seems to be the upgrade process still runing after two hours. Is there any one that has seen this issue before. I am not sure if I have to reboot the chassie.

FTD01 /system # show firmware monitor
FPRM:
Package-Vers: 2.8(1.143)
Upgrade-Status: Ready

Fabric Interconnect A:
Package-Vers: 2.8(1.143)
Upgrade-Status: Ready

Chassis 1:
Server 1:
Package-Vers: 2.8(1.143),2.6(1.174)
Upgrade-Status: Upgrading

*****

FTD01 /chassis # show version
Chassis 1:
Server 1:
CIMC:
Running-Vers: 4.1(30b)
Package-Vers: 2.8(1.143)
Update-Status: Ready
Activate-Status: Ready

Adapter 1:
Running-Vers: 5.6(1.10)
Package-Vers: 2.6(1.174)
Update-Status: Updating
Activate-Status: Activating
Bootloader-Update-Status: Ready
BIOS:
Running-Vers: FXOSSM1.1.2.1.18.052320191712
Package-Vers: 2.8(1.143)
Update-Status: Ready
Activate-Status: Ready

SSP OS:
Running-Vers: 2.6(1.156)
Package-Vers: 2.6(1.174)
Update-Status: Updating
Activate-Status:

RAID Controller 1:
Running-Vers:
Package-Vers:
Activate-Status:

BoardController:
Running-Vers: 14.0
Package-Vers: 2.8(1.143)
Activate-Status: Ready

Local Disk 1:
Running-Vers:
Package-Vers:
Activate-Status:

C2DC01FTD01 /chassis #

Re: 4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to From 2.6(1.174) to 2.8.(1.143)

Marvin Rhoads — Sun, 28 Feb 2021 11:07:00 GMT

You should not have to perform a manual reboot. 2 hours is excessive for an upgrade - my experience is that they should take about 30-40 minutes total per chassis.

I would recommend opening a TAC case (and not performing a manual reboot). Rebooting unexpectedly in the middle of an ongoing upgrade (even a "hung" one) could leave the system in an unstable state.

Re: 4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to From 2.6(1.174) to 2.8.(1.143)

Behzad Sharifi — Tue, 02 Mar 2021 22:06:17 GMT

Hi Marvin
Thank you for response. As I mentioned abow here the chassie has been reboded. You are right 2 hours is excessive for an upgrade. It took almost 45 min for ograding the first FTD 4110 chassie. Actuly I did open a TAC case and I am trynig to explain below here and I hope it can help some one else in the same situation.

One of the thing that I verified, was that when I logged to the Firepower chassie manager it shows that I was runing with the new FXOS 2.8 and chassie seems to be updated
Then I tried to check the Security Engine state on the Firepower chassie manager and it was down pand Powered " OFF". I tried to change the state and power it on but It dosen't work.
When I got the Cisco TAC enginner on the case. He did the same thing. He tried to " Power on " the Security Engine. But still the same problem.
Then he told me that he can try somthing else from CLI for "Power on " the Security Engine. But before that he would check the firmware debug utility power status on the moduel
He tried the following command:
FTD01# connect cimc 1/1
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '^]'.
CIMC Debug Firmware Utility Shell [ support ]

[ help ]# power
OP:[ status ]
Power-State:                 [ off ]
Master-State:                [ Master ]
VDD-Power-Good:              [ inactive ]
Power-On-Fail:               [ inactive ]
Power-Ctrl-Lock:             [ permanent lock ]
Power-System-Status:         [ Bad ]
Front-Panel Power Button:    [ Disabled ]
Front-Panel Reset Button:    [ Disabled ]
Source of Last Power Change: [ No Transition ]
OP-CCODE:[ Success ]
[ power ]#
Regarding to Cisco TAC engineer " Power-Ctrl-Lock: [ permanent lock ] " means that you can not do any thing to " power on " the Module and the only solution will be Hardware Replacment.
According TAC Engineer, For alle FTD 4110 you need to RMA whole the chassie but if this the same issue happning for FTD 9300 chassie you don't need to do hardware replacment. You just need to do RMA for that faulty moduel.
So in my case we did RMA for FTD 4100. I hope my explenation is good enough :).