topic Re: Upgrade the FTD HA pair in Network Security

Upgrade the FTD HA pair

jumperdub — Fri, 21 Feb 2020 17:21:28 GMT

Hi there,

I'm planning to upgrade FTD version from 6.3 to 6.4. Also, My FTDs is running in HA.

As I have checked from the document Upgrading an FTD HA pair on Firepower appliances.

After the first FTD was successfully upgraded, Will the upgrade of second FTD be starting automatically and active state changed also?

However, there is some manually command from the document below that I'm not sure what exactly time I have to execute it.

Switching to Standby

I concern about this because of the FTDs are in production. Customer barely to give me downtime so I'm afraid of packet loss on the FTDs while upgrading.

Thank you

Re: Upgrade the FTD HA pair

Marvin Rhoads — Wed, 31 Jul 2019 14:40:17 GMT

Yes - when you upgrade from FMC the Primary/Secondary FTD upgrades will be sequenced by FMC.

The manual failover you referenced is only needed when you also need to upgrade FX-OS - that's only necessary as a separate procedure for Firepower 4100 and 9300 series. 2100 series and below have FX-OS embedded in the FTD image so that step is not needed.

Re: Upgrade the FTD HA pair

jumperdub — Wed, 31 Jul 2019 14:56:17 GMT

Thanks @Marvin Rhoads,

I have to upgrade FX-OS also in this scenario (2.4.1.222->2.6.1) for FTD 6.4 compatibility. So, this mean I have to do manaully failover.

Just to make me understand clearly on this step, Do I have to immediately manaul failover with command "Switching to standby" via CLI once I found the stage as pic below on FMC?

Re: Upgrade the FTD HA pair

Marvin Rhoads — Mon, 06 Apr 2020 06:04:38 GMT

As noted in the article you linked earlier, the FX-OS upgrade should be done separately and not from FMC.

You upgrade FX-OS on the Secondary-Standby first. Then you issue the command:

no failover active

on the Primary-Active unit from the cli. "switching to standby" is not a command but rather the output you should see on the appliances when you enter the command above.

Then upgrade FX-OS on the Primary-(now)Standby unit.

After both units have successfully completed their FX-OS upgrades you then initiate the FTD upgrade from FMC for the HA pair. No further manual failover is required from that point - the upgrade process will do that automatically.

Re: Upgrade the FTD HA pair

jumperdub — Sat, 29 Feb 2020 00:55:27 GMT

Sorry for bring to use topic agian but I have some question for FTD HA pair upgrade

I'm planning to upgrade the FTD HA Pair from version 6.3 to 6.4.0.7 via FMC, which is major upgrade. So, I'm not sure interruptions in traffic flow maybe occur. I already have checked in the Cisco document but I'm just to make sure the upgrade will not impact the traffic. Could you guys please help me to confirm on this? Thank you

Re: Upgrade the FTD HA pair

Marvin Rhoads — Sat, 29 Feb 2020 03:02:33 GMT

If you perform the HA pair upgrade from FMC as recommended, you should not experience traffic interruption.

If you redeploy policies post upgrade, you may experience a brief interruption.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/upgrade.html#id_64500

High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

Re: Upgrade the FTD HA pair

jumperdub — Tue, 03 Mar 2020 11:47:22 GMT

Thanks for your help Marvin,

If so, how FTD HA Pair can handle traffic while upgrading? Since we have to redeploy policy to FTD HA Pair again at post upgraded. Or is it just optional for redeploy policy task?

Re: Upgrade the FTD HA pair

Marvin Rhoads — Tue, 03 Mar 2020 13:35:03 GMT

It is not mandatory to redeploy policies post-upgrade but it is highly recommended. The upgrade package may have a different set of Snort rules than the FMC and redeploy will sync everything as well as ensuring all aspects of the deployment process are working as designed.

Re: Upgrade the FTD HA pair 6.2.x -> 6.4.x

NormanSmith70793 — Sun, 05 Apr 2020 20:16:42 GMT

I have a pair of FMC managing a pair of 4110s, all operating HA.

I have to upgrade from 6.2.x to 6.4.x for both.

Question:

Is there any issues going straight from 6.2 to 6.4 or do I need to do an interim 6.3?

Does the information given for 6.3 to 6.4 applies for 6.2 to 6.4?

Re: Upgrade the FTD HA pair 6.2.x -> 6.4.x

jumperdub — Mon, 06 Apr 2020 05:11:09 GMT

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_management_centers.html#id_58959

As Cisco document above, I think you can do direct upgrade from 6.2.x to 6.4. Then you can do minor upgrade (patch) from 6.4 to 6.4.x

Re: Upgrade the FTD HA pair 6.2.x -> 6.4.x

Marvin Rhoads — Mon, 06 Apr 2020 06:08:21 GMT

Upgrade your FMC HA pair first. There is no need to install 6.3 as part of that. Get them to the latest patch of 6.4 (currently 6.4.0.8).

Redeploy to your Firepower 4110 HA pair after each FMC upgrade (i.e after 6.4 and then after 6.4.0.8).

Then repeat for the Firepower 4110 HA pair.

Re: Upgrade the FTD HA pair

asadali1979 — Sun, 04 Oct 2020 13:39:37 GMT

Hi Marvin,

i need your expert advise regarding upgrade of the ASA-5555-X running v 6.2.0.2 in HA active/standby pair, Managed by the FMC (6.4.0.9)

Can we upgrade directly to the 6.4.0 from FMC or we need to upgrade FXOS separetly also. need your advise please

ASA Version:

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5555-X Threat Defense v6.2.0.2 (build 51)

Re: Upgrade the FTD HA pair

Marvin Rhoads — Sun, 04 Oct 2020 14:22:20 GMT

If you are running FTD image on ASA the required "Fire Linux OS" bits are bundled into the image and not installed separately. Only when running ASA image on a Firepower appliance or FTD image on a 4100 or 9300 series do we need to be concerned about tracking and upgrading the FXOS image separately.

Re: Upgrade the FTD HA pair

Mohammed al Baqari — Sun, 04 Oct 2020 14:42:20 GMT

Hi,

You can upgrade directly from FMC:

- First check from release notes if you can run 6.4 on ASA5555. It might
not be supported
- I know that 6.4 have couple of major bugs. Hence my advise is to go to
6.5 (require fmc upgrade) directly or stay at 6.3

**** please remember to rate useful posts

Re: Upgrade the FTD HA pair

asadali1979 — Mon, 05 Oct 2020 06:02:21 GMT

Thanks Marvin, for the explanation.. we have the HA running as Active/Standby, if i do the upgrade directly from the FMC and select the HA Pair to upgrade..

How upgrade will happen, can we do the upgrade first secondary and then primary or we have to select the HA pair

do we need a downtime or it can be done without downtime

Re: Upgrade the FTD HA pair

Marvin Rhoads — Mon, 05 Oct 2020 06:08:54 GMT

When an FTD HA pair is FMC-managed you simply select the HA pair to upgrade. FMC and FTD will work together to perform the individual unit upgrades in the proper order.

It will first upgrade the unit currently in Standby role, sync config and then switch it to Active role. It will then upgrade the formerly Active unit (now operating in Standby). After the HA pair upgrade is completed you should once again re-deploy policy to it to sync everything with FMC.

Re: Upgrade the FTD HA pair

asadali1979 — Mon, 05 Oct 2020 06:48:21 GMT

Hi Mohammed,

Thanks for the reply.. i've checked and 6.4.0 is supported for ASA-5555-X, also team doesn't want to upgrade to 6.5 currently. that's why we've to upgrade the ASA-FTD to 6.4.0.9

please correct me if i'm not wrong

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/welcome.html

Re: Upgrade the FTD HA pair

kamleshku — Sat, 05 Mar 2022 05:05:02 GMT

Hi Marvin,

But when we perform upgrade in HA pair, Failover is not happened , Secondary upgrade first but this unit state not change i.e even after upgrade on higher code , this in standby state , while primary with lower code still in Active state. PFB the sniff.

Re: Upgrade the FTD HA pair

clnjj — Mon, 03 Apr 2023 19:24:32 GMT

Hi Marvin,

I am preparing to update the FXOS firmware on a pair of 4125s running in a HA pair configuration. I am doing so in response to this field notice -> https://www.cisco.com/c/en/us/support/docs/field-notices/720/fn72077.html

My current FXOS chassis version is 2.10 which is compatible with the required firmware version of version 1.0.19

is the following correct:

1. update the firmware on the secondary unit first (FTD2)

2. Once the update is completed on the secondary unit switch it to the active unit in the CLI using the command

no failover active

(is it OK to to make that unit the primary in the FMC GUI or, must this be done form the CLI?)

3. run the firmware update on FTD1 (now the secondary) then once complete switch it back to the primary

thank you in advance for your expert guidance

Re: Upgrade the FTD HA pair

Marvin Rhoads — Tue, 04 Apr 2023 16:38:53 GMT

Check the job status entries in FMC to see if any error was reported.

This is definitely unusual behavior and may require a TAC case to resolve.