topic Re: FPR1140 in HA firmware update in Network Security

FPR1140 in HA firmware update

peat — Thu, 30 Oct 2025 11:25:06 GMT

I went to update a pair of FPR1140 that are in HA yesterday using FDM.

I had read conflicting instructions online. Ciscos instructions were saying log on to the standby unit (which i cant as its in HA) so I went with some other instructions that said the whole process is automated. It said run the update on the active and that will then run a process starting with updating the standby first then switch over and update the active (now standby unit). That all sounded good.

I pressed update and got warnings straight off saying the internal and web certificates had expired. I only installed these 2 FWs last year and didnt do anything with certs so had to look online what that was about. Found instructions how to update the certs which said i had to suspend the HA or I could lose Gui access!

I carefully followed those instructions but after i suspended HA and then tried to add a new internal self signed cert (not even having applied it to anything) I got a warning saying I cant do that as the device isnt Active so I cant make any changes. Assuming because the HA was suspended.

So my question is how do i sort this out as it feels like I'm in a loop here. I cant update the certs in HA as I will lose gui access and i cant update the certs out of HA as the (suspended active) firewall says its not the active firewall so i cant make any changes.

Re: FPR1140 in HA firmware update

Marvin Rhoads — Thu, 30 Oct 2025 15:39:20 GMT

You should be able to login to the standby unit in an FDM-managed HA pair - you just cannot make configuration changes from there.

Then, just follow these official instructions:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/upgrade/device-manager/740/upgrade-device-manager-74/upgrade-threat-defense.html#task_AE850BD023684725BBA13AEC03BFE1DF

Re: FPR1140 in HA firmware update

peat — Thu, 30 Oct 2025 15:42:55 GMT

How do I log in to the standby unit? It doesn't have an IP address on it. I could get on the cli but not sure how that would help me.

Re: FPR1140 in HA firmware update

Marvin Rhoads — Fri, 31 Oct 2025 17:20:28 GMT

The standby unit should have an address on its management interface. You can see it in the cli with "show network". But it should also present the FDM GUI via that same address you use for ssh. If you are using console for cli access, you may need to flip from fxos to clish by using "connect ftd" command.

Re: FPR1140 in HA firmware update

peat — Mon, 03 Nov 2025 16:58:52 GMT

this is what show network shows on the active fw.

===============[ System Information ]===============
Hostname : FTxxxxxxx
DNS Servers : 2xxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxxxxxx
DNS from router : disabled
Management port : 8xxx
IPv4 Default route
Gateway : data-interfaces
IPv6 Default route
Gateway : data-interfaces

==================[ management0 ]===================
Admin State : enabled
Admin Speed : 1gbps
Operation Speed : indeterminate
Link : link-down
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : D4:xxxxxxxxxxx
----------------------[ IPv4 ]----------------------
Configuration : DHCP
----------------------[ IPv6 ]----------------------
Configuration : DHCP

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

Re: FPR1140 in HA firmware update

Aref Alsouqi — Tue, 04 Nov 2025 10:05:33 GMT

What do you mean by saying the standby unit doesn't have an IP on it? the secondary device would have a management port and that port would be configured with a management IP address similar to what you have on the primary unit. If you didn't configure these devices and you don't know which IP the standby unit has then probably you can connect to the switch where the standby management port is connected to and try to lookup its MAC address and then try to look at the switch ARP table.

Re: FPR1140 in HA firmware update

davidmubarak — Tue, 04 Nov 2025 10:10:11 GMT

That’s a tough loop to be stuck in. The best way out is to temporarily break the HA pair instead of just suspending it. Once the primary is running standalone, renew or replace the internal and web certificates there. After confirming access and stability, rebuild the HA pair the updated certs will sync automatically. Cisco’s HA update via FDM can get messy with expired certs, so doing it manually like this keeps GUI access safe and avoids getting locked out.

Re: FPR1140 in HA firmware update

peat — Tue, 04 Nov 2025 10:23:00 GMT

Thanks. To temp break the HA will physically disconnecting the HA link do it or do I have to do it in the Gui?

Whilst they are both standalone I'm guessing I should get the management interfaces setup with IP's cus it looks like neither the primary or secondary have an IP on the management interfaces.

Re: FPR1140 in HA firmware update

executordelta933 — Tue, 04 Nov 2025 10:26:44 GMT

Curious how others handle this — do you use spreadsheets, in-house scoring systems, or something else to make project decisions faster?

Re: FPR1140 in HA firmware update

peat — Mon, 10 Nov 2025 10:26:28 GMT

I take it I can set this command to give me mgmt IPs on the 2 firewalls (the HA port is on 8 so I think i'm safe to do this, these Ciscos make me very wary of making any changes as there always seems to be some weird caveat I wasn't expecting for what is normally a straight forward job)

Then I will be safe to start the process of breaking ha, adding certs, then updating the firewalls...

configure terminal
interface management
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
management-only

Re: FPR1140 in HA firmware update

Marvin Rhoads — Mon, 10 Nov 2025 12:41:26 GMT

You don't configure FTD with the "configure terminal" and subsequent commands you listed.

Instead you would use "configure network ipv4 manual..." and related commands.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp3839275562

Re: FPR1140 in HA firmware update

peat — Mon, 10 Nov 2025 14:45:47 GMT

Thanks for that info. I couldnt find anywhere in there where it says how to setup the standby IP unfortunately.

I just checked on the FDM on the management interface and if i change it to static again there is nowhere to put in the standby IP.

Whilst I was on there I looked at the HA setup and can see ips on the failover link on port 8. so could i in theory disconnect port 8 on the standby firewall (breaking the HA) then use the IP 10.10.1.2 on port 8 to get into the standby firewall?

Or should I just console into the standby firewall and set 10.10.2.2 on the mgmt interface there. and set 10.10.2.1 on the primary mgmt interface in mdm. I am guessing I would need to disconnect HA for that though?

Re: FPR1140 in HA firmware update

Marvin Rhoads — Mon, 10 Nov 2025 15:05:07 GMT

The management interface address does not replicate in an HA pair. It is set individually on each unit. Changing it via cli using the "configure network " command does not affect the HA configuration or require any down time. You will need to have the physical management interfaces properly connected to a switch and assigned to the VLAN that is associated with that subnet.