https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712807#M995777 <P>No you cannot pause the HA upgrade (short of some drastic and unsupported cli surgery).</P> <P>&nbsp;</P> <P>It may change in future releases but that's the state of things as of 6.2.3.5.</P> Tue, 25 Sep 2018 13:07:46 GMT Marvin Rhoads 2018-09-25T13:07:46Z https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712432#M995772 <P>Hello,</P> <P>&nbsp;</P> <P>in the ASA world, when you had to upgrade a failover pair, you would upgrade the Standby unit, once the upgrade is complete and everything looks fine in the "show failover" command, you would failover to that unit, do all your testing and if everything is successful, upgrade the remaining unit.</P> <P>&nbsp;</P> <P>In the FTD world (I am referring to FTDs managed by an FMC and not running FDM), when you upgrade a failover pair of FTDs you no longer have the option to actually test everything out after the first unit gets upgraded, takes over the active role and BEFORE upgrading the remaining unit. So if during testing of the new OS you find that many things are broken, you don't have a quick back out (the second unit upgrade starts right after the first unit upgrade finishes).</P> <P>&nbsp;</P> <P>My question is, if there is a way to "pause" the upgrade once you finish the upgrade of the first unit.</P> <P>thank you</P> Fri, 21 Feb 2020 16:16:38 GMT https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712432#M995772 arisgiannakopoulos 2020-02-21T16:16:38Z https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712807#M995777 <P>No you cannot pause the HA upgrade (short of some drastic and unsupported cli surgery).</P> <P>&nbsp;</P> <P>It may change in future releases but that's the state of things as of 6.2.3.5.</P> Tue, 25 Sep 2018 13:07:46 GMT https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712807#M995777 Marvin Rhoads 2018-09-25T13:07:46Z https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712834#M995787 <P>Hi Marvin,</P> <P>&nbsp;</P> <P>thank you for the reply.</P> <P>&nbsp;</P> <P>I hope that in a future release they will introduce a timer that you can leverage in order to have some time to do some thorough testing before upgrading the next unit. As it stands right now, if your network is broken because of the upgrade, you don't have a quick roll back as to downgrade a unit takes the same amount of time as for the upgrade.</P> Tue, 25 Sep 2018 13:45:57 GMT https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712834#M995787 arisgiannakopoulos 2018-09-25T13:45:57Z https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712842#M995802 <P>I agree - even simple policy deployments can take 6-7 minutes (if not longer). Break something with your policy change and you're looking at having to wait that long again to redeploy before it's fixed.</P> <P>&nbsp;</P> <P>Cisco really needs to address that issue.</P> Tue, 25 Sep 2018 13:53:09 GMT https://community.cisco.com/t5/network-security/upgrading-an-ha-ftd-pair/m-p/3712842#M995802 Marvin Rhoads 2018-09-25T13:53:09Z