Upgrading vFMC and FTD

zulqurnain
Level 3

Hi Experts

 

Ran into the following scenario and was hoping I could get some guidance on the process of upgrading the vFMC and FTD.

Currently we have 5525-X in HA mode registered on the vFMC, running FMC version 6.2.0, with FTD version 6.2.0 as well.

 

I am supposed to upgrade these to 6.2.3.10, and due to some other past network architectural issues all traffic is manually routed to the primary 5525-X. Yes, I know!

 

Q1. Can I jump directly to 6.2.3.10 from 6.2.0, or do I need to first go to 6.2.3 and then jump to 6.2.3.10? (As per the Cisco document I can go to 6.2.3 from the current version, but it does not specifically say I can jump directly to 6.2.3.10: https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/plan_upgrade_path.html)

 

Q2. Do I need to upgrade the vFMC first to 6.2.3.10, or should I be doing the FTD devices first? The same concern as above applies regarding an intermediate release or a direct jump.

 

Q3. Because of the business issues, we cannot ask for or afford downtime. Therefore I was thinking of the following:

1. Disable the HA; that will unregister the devices from FMC.

2. Then register them back in FMC.

3. Upgrade each device standalone.

4. Upgrade the FMC.

5. Create an HA.

 

Thanks in Advance

 

3 Replies

Abheesh Kumar
VIP Alumni

Hi,

1. You cannot go directly to 6.2.3.10; you need to first upgrade to 6.2.3 and then install the 6.2.3.10 patch.

2. Upgrade the vFMC first, then the FTD.

3. Disabling HA will not unregister the devices from FMC. Unregistering/registering the FTD will erase the configuration on the FTD. Break HA so the devices become standalone; then you can upgrade the appliances individually.

 

Hope This Helps

Abheesh
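The two ordering rules in this reply (a patch installs only on top of its base maintenance release, and the FMC is upgraded before the devices it manages) written up as a small planner. This is an added example, not code from the thread or from Cisco, and it talks to no FMC API: the version-format rule (three components = base release, four = patch), the "FMC must be at or above the device version" check, and the sample device names are my assumptions. Real upgrade paths can require extra hops between major versions that this does not model, so check its output against the Cisco upgrade-path guide linked in the question before acting on it.

```python
"""
Upgrade-path planner for an FMC plus managed FTDs (added example, not Cisco
tooling). Encodes two rules from the reply above:
  1. A patch (x.y.z.p) installs only on top of its base release x.y.z, so
     6.2.0 -> 6.2.3.10 must pass through 6.2.3 first.
  2. The FMC is upgraded before its devices, and a device is never taken past
     the version its FMC will be running.
Assumption: no other intermediate releases are required; confirm against the
vendor's upgrade-path guide for the real release train.
"""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    """'6.2.3.10' -> (6, 2, 3, 10); '6.2.3' -> (6, 2, 3)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (3, 4) or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def _key(v: tuple[int, ...]) -> tuple[int, ...]:
    """Pad to four components so a base release sorts below its own patches."""
    return (v + (0, 0, 0, 0))[:4]


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def upgrade_path(current: str, target: str) -> list[str]:
    """Ordered versions to install to move one system from current to target."""
    cur, tgt = parse_version(current), parse_version(target)
    if _key(tgt) < _key(cur):
        raise ValueError(f"{target} is older than {current}: that is a downgrade")
    if _key(tgt) == _key(cur):
        return []  # already at the target
    steps: list[str] = []
    if len(tgt) == 4 and cur[:3] != tgt[:3]:
        steps.append(fmt(tgt[:3]))  # the patch's base release has to be present first
    steps.append(fmt(tgt))
    return steps


def device_may_upgrade(fmc_version: str, device_target: str) -> bool:
    """A managed device must not run a newer version than its FMC."""
    return _key(parse_version(device_target)) <= _key(parse_version(fmc_version))


def plan_upgrade(
    fmc_version: str,
    fmc_target: str,
    devices: dict[str, str],
    device_target: str,
) -> list[tuple[str, str]]:
    """FMC steps first, then each device in the order given (e.g. secondary,
    then primary, as the later reply suggests). Raises if a device step would
    outrun the FMC."""
    plan = [("FMC", step) for step in upgrade_path(fmc_version, fmc_target)]
    for name, version in devices.items():  # dict preserves insertion order
        for step in upgrade_path(version, device_target):
            if not device_may_upgrade(fmc_target, step):
                raise ValueError(f"{name} -> {step} would exceed FMC version {fmc_target}")
            plan.append((name, step))
    return plan


if __name__ == "__main__":
    # Constructed input matching the thread's scenario (names are assumed).
    scenario = {"5525-X secondary": "6.2.0", "5525-X primary": "6.2.0"}
    for system, version in plan_upgrade("6.2.0", "6.2.3.10", scenario, "6.2.3.10"):
        print(f"{system}: install {version}")
```

Running it prints the FMC going 6.2.3 then 6.2.3.10 before either device is touched, then the same two steps per device in the order listed; asking for a device target above the FMC target raises instead of producing a plan.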

Hi Abheesh

 

Based on this documentation (https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html#anc11)

 

It says that if you disable the HA, the following will happen:

 

Main points to note for disabling the HA:

Primary FTD: The device is removed from the FMC. No configuration is removed from the FTD device.

Secondary FTD: The device is removed from the FMC. No configuration is removed from the FTD device.

Step 6. After you finish the task, register the devices to the FMC and enable the HA pair.

 

And if you break the HA, the following will happen:

 

Main points to note for breaking the HA:

Primary FTD: All failover configuration is removed. Standby IPs remain.

Secondary FTD: All configuration is removed.

Step 5. After you finish this task, recreate the HA pair.

 

Sort of the opposite of what you said! Or did I read that wrong?

Anyway, my question would be: if I disable the HA and keep the configuration, does that mean the devices will now become standalone and I can upgrade them individually? Or do I have to go with the break HA option and get the device config erased completely from the secondary node, meaning I would need physical access to it just to be able to configure it to a state where I can register it back on the FMC?

 

 

Hi,

If you disable HA, the configuration will remain on the FTD and it will be removed from the FMC.

While adding it back to the FMC you need to reconfigure everything (map the ACP, interface configuration, routes, etc.).

If you break HA, the configuration will remain on the primary FTD; only the failover configuration will be removed from the primary, and the configuration on the secondary will be erased, but you will still be able to manage it via the FMC.

So you will get both FTDs as individual firewalls; start by upgrading the secondary FTD, then configure it and switch traffic to the secondary FTD. Then proceed with the primary.

Once both are upgraded, you can switch the traffic back to the primary and then enable HA.

 

Hope This Helps

Abheesh
