Under normal operation, the Firepower system automatically boots up the correct images at runtime so the user does not have to worry about locating the correct image. However, this can create a problem if the current image is corrupt or if the user wants to upgrade to a new image. This document shows how to correctly boot up a new image on the Firepower 9300 system. There are two methods discussed in this document: downloading the new bundle image from the CLI and booting the new images separately from rommon. Loading from the CLI is easier, but if the system cannot reach the normal CLI prompt or is in a reboot loop, booting from rommon may be necessary.
Booting from the CLI (bundle image)
1. Scope to firmware and download the new image using the 'download image' command. There are a number of options to download the image such as scp, tftp, and ftp. After issuing the download image command, use the 'show download-task' command to monitor the download, and if there are any issues you can find more information from the 'show download-task fsm status' command. Downloading an image takes about seven minutes depending on the connection.
# scope firmware
/firmware # download image scp://firstname.lastname@example.org/fxos-k18.104.22.168.1.SPA
/firmware # show download-task
Download task:
    File Name                  Protocol Server          Userid          State
    ---------                  -------- --------------- --------------- -----
    fxos-k22.214.171.124.1.SPA Scp      10.1.1.1        user            Downloading
/firmware # show download-task
Download task:
    File Name                  Protocol Server         Userid         State
    ---------                  -------- -------------- -------------- -----
    fxos-k126.96.36.199.1.SPA  Scp      10.1.1.1       user           Downloaded
/firmware # show package
    Name                                          Version
    --------------------------------------------- -------
    fxos-k188.8.131.52.1.SPA                      1.1(1.1)
2. After the image is finished downloading, you can install it by scoping to auto-install and then installing the image:
/firmware # scope auto-install
/firmware/auto-install # install platform platform-vers 1.1(1.1)
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
/firmware/auto-install #
3. Once the upgrade is started, it should be monitored to be sure everything upgrades successfully. The first component to be upgraded is the UCSM, which can be monitored from 'scope system'. After this component is completely upgraded, you will be logged out and will have to log in again (which should happen in about five minutes). Note that if you are upgrading from a R2.2.1 or older image to a R2.3.1 or newer image, this step is skipped.
4. The next component to be upgraded is the fabric-interconnect. It can be monitored from 'scope fabric-interconnect a'. Issue a 'show version' command and notice that the new images are different from the ones above (they may have different versions from the bundle you downloaded in step 1; this is okay). Also notice that the status is Updating. If the status goes to Failed, it indicates a problem.
# scope fabric-interconnect a
/fabric-interconnect # show version
Fabric Interconnect A:
    Running-Kern-Vers: 5.0(3)N2(0.00.000)
    Running-Sys-Vers: 5.0(3)N2(0.00.000)
    Package-Vers: 0.0(0.0)
    Startup-Kern-Vers: 5.0(3)N2(1.01.100)
    Startup-Sys-Vers: 5.0(3)N2(1.01.100)
    Act-Kern-Status: Activating
    Act-Sys-Status: Activating
    Bootloader-Vers: 1.1(1.1)
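The check described in step 4 can be automated over a saved console capture. The following is an added example, not part of the original document or of any Cisco tooling: it parses the 'show version' fields shown above and classifies the upgrade. The function names are hypothetical, and treating matching Running/Startup versions with no in-progress status as "complete" is an assumption.

```python
import re

# Sample taken from the 'show version' output in step 4 (captured mid-upgrade).
SAMPLE_SHOW_VERSION = """\
Fabric Interconnect A:
    Running-Kern-Vers: 5.0(3)N2(0.00.000)
    Running-Sys-Vers: 5.0(3)N2(0.00.000)
    Package-Vers: 0.0(0.0)
    Startup-Kern-Vers: 5.0(3)N2(1.01.100)
    Startup-Sys-Vers: 5.0(3)N2(1.01.100)
    Act-Kern-Status: Activating
    Act-Sys-Status: Activating
    Bootloader-Vers: 1.1(1.1)
"""

# 'Name: value' lines only; the 'Fabric Interconnect A:' header has no value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*):\s*(\S.*?)\s*$")
IN_PROGRESS = {"activating", "updating"}  # states named in this document


def parse_show_version(text):
    """Return {field: value} for every 'Name: value' line in the capture."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def upgrade_state(text):
    """Classify a capture as 'failed', 'in-progress', 'complete' or 'unknown'."""
    f = parse_show_version(text)
    statuses = [f.get("Act-Kern-Status"), f.get("Act-Sys-Status")]
    pairs = [("Running-Kern-Vers", "Startup-Kern-Vers"),
             ("Running-Sys-Vers", "Startup-Sys-Vers")]
    if None in statuses or any(k not in f for p in pairs for k in p):
        return "unknown"        # truncated capture: do not guess
    if any("fail" in s.lower() for s in statuses):
        return "failed"         # step 4: Failed indicates a problem
    if any(s.lower() in IN_PROGRESS for s in statuses):
        return "in-progress"
    if any(f[run] != f[start] for run, start in pairs):
        return "in-progress"    # new image staged but not yet running
    return "complete"
```
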
5. After the fabric-interconnect is finished upgrading (in about ten minutes) the system will reboot. At the rommon prompt the correct image will automatically auto-boot and should require no user interaction. Once bootup is complete, log back in.
6. Next, the security modules will upgrade with new firmware. You can monitor their progress by scoping to chassis 1 and running the 'show server' command (or 'show server fsm status' for more information). The modules will go from 'Discovery' state to 'Config' and finally 'Ok'. It is also helpful to open a separate window and connect to the modules as they are being upgraded (although note that the module reboots several times as it is being upgraded). After upgrade, you can see which images are running on the blade using the 'show version' command after scoping to a server, but note that the package version specified for each image may not be the same as the image you downloaded. After the modules are finished, the upgrade is complete.
Booting from Rommon
These steps are more complicated, and need to be followed exactly, as there are multiple images that need to be downloaded.
1. Reboot the system to get to rommon. The system will automatically attempt to load an image using autoboot and display a countdown timer; press escape to prevent the autoboot and go to the rommon prompt.
Cisco System ROMMON, version 1.0.09, RELEASE SOFTWARE
Copright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Sun 01/01/1999 23:59:59:59.99 by user
Current image running: Boot ROM0
Last reset cause: LocalSoft
DIMM Slot 0 : Present
DIMM Slot 1 : Present
No USB drive !!
Platform FPR9K-SUP with 16384 Mbytes of main memory
MAC Address aa:aa:aa:aa:aa:aa
find the string ! boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.0.00.00.SPA bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.0.00.00.SPA
Use BREAK, ESC or CTRL+L to interrupt boot.
use SPACE to begin boot immediately.
Boot interrupted.
rommon 1 >
2. At the rommon prompt, type set and fill in the required fields to boot from a TFTP server, then boot the new (kickstart) image. Alternatively, you can boot an image from a USB drive if needed.
rommon 1 > set
ADDRESS=
NETMASK=
GATEWAY=
SERVER=
IMAGE=
PS1="ROMMON ! > "
rommon 2 > address 10.0.0.2
rommon 3 > netmask 255.255.255.0
rommon 4 > gateway 10.0.0.1
rommon 5 > boot tftp://184.108.40.206/fxos-k9-kickstart.5.0.3.N220.127.116.11.SPA
ADDRESS: 10.0.0.2
NETMASK: 255.255.255.0
GATEWAY: 10.0.0.1
SERVER: 18.104.22.168
IMAGE: fxos-k9-kickstart.5.0.3.N22.214.171.124.SPA
TFTP_MACADDR: aa:aa:aa:aa:aa:aa
............................................................................
3. Once the kickstart image is booted, you need to set network parameters to copy the system and manager images from a TFTP server (or via scp, ftp, etc.). After copying the manager image, change the name to the reserved manager image name. Please be warned that you cannot copy the image from a USB drive. Follow the steps below:
switch(boot)# configure terminal
switch(boot)(config)# interface mgmt 0
switch(boot)(config-if)# ip address 10.0.0.2 255.255.255.0
switch(boot)(config-if)# no shut
switch(boot)(config-if)# exit
switch(boot)(config)# ip default-gateway 10.0.0.1
switch(boot)# copy tftp://126.96.36.199/fxos-k9-system.5.0.3.N188.8.131.52.SPA bootflash:
Trying to connect to tftp server.....
Connection to server Established. Copying Started.....
\
TFTP get operation was successful
Copy complete, now saving to disk (please wait)...
switch(boot)# copy tftp://184.108.40.206/fxos-k9-manager.220.127.116.11.SPA bootflash:
Trying to connect to tftp server.....
Connection to server Established. Copying Started.....
\
TFTP get operation was successful
Copy complete, now saving to disk (please wait)...
switch(boot)# copy bootflash:fxos-k9-manager.18.104.22.168.SPA bootflash:nuova-sim-mgmt-nsg.0.1.0.001.bin
Copy complete, now saving to disk (please wait)...
switch(boot)# load bootflash:fxos-k9-system.5.0.3.N22.214.171.124.SPA
You may also want to copy the kickstart image before loading in case there are any problems.
4. After the system image is finished booting, log in and set the platform bundle to the empty string as soon as possible. If this is not done, the system will reboot with the old image and you will have to start over again.
# scope org
/org # scope fw-platform-pack default
/org/fw-platform-pack # set platform-bundle-version ""
Warning: Set platform version to empty will result software/firmware incompatibility issue.
/org/fw-platform-pack* # commit-buffer
5. The previous step will result in error messages displayed on the console about an empty bundle version (as the warning indicates). To permanently solve this problem, follow the steps in "booting from the CLI" above.