
ASA with Firepower version 5.4 - Upgrade Paths

ROBBY HARRELL
Level 1

I installed an ASA 5515x with Firepower services version 5.4 about 2 years ago at a customer location. Also installed is a Firesight Management Center VM version 5.4. I have read the release notes on upgrading the FMC (version 6.2), and it states that the FMC must go through each release to get to 6.2. I think it was 5.4 > 6.0>6.01>6.1>6.2.

My question is, can I leave the Firepower module in the ASA at 5.4 as I upgrade the FMC to 6.2 through the various upgrade versions, then remove the Firepower version 5.4 in the ASA, and install Firepower module version 6.2, and reconfigure the Firepower module to connect back to the FMC?

Or do I have to upgrade the FMC one version, then repeat the upgrade on the Firepower module to the same version? Repeat, again and again?

3 Replies

Marvin Rhoads
Hall of Fame

You can and should migrate the FMC step-by-step up to 6.1. You cannot move to 6.2 until all managed devices are on 6.1.

However, if you are going to remove and then re-add the ASA FirePOWER module you could:

1. Remove the ASA as a managed device.

2. Take your FMC all the way to 6.2 (current patch level is 6.2.0.2).

3. Re-image the module on the ASA directly to 6.2.0 (NOTE - you will lose FirePOWER services during this time as the module will reload and all deployed policies will be deleted).

4. Re-add the module into FMC and set it as a target for your policies and deploy them.

5. Patch the module to the latest release.

I'm trying to upgrade to 6.2.3.1 from 6.1.0.3.

The upgrade path is 6.1.0.3>6.2.0>6.2.3>6.2.3.1

But it said that in 6.2.0 they recommend a hot-fix 6.2.0.5. Do I need to install the update, or can I ignore it and go to 6.2.3?

Hi Marvin,
Can you help me with some tips on this upgrade process:

However, if you are going to remove and then re-add the ASA FirePOWER module you could:
1. Remove the ASA as a managed device.
Remove it from where? FMC or ASA SFR configuration?
Let's say I have service policy config ON and I decide to reboot the Firepower module? What's the traffic impact?

2. Take your FMC all the way to 6.2 (current patch level is 6.2.0.2).
I am good here.
3. Re-image the module on the ASA directly to 6.2.0 (NOTE - you will lose FirePOWER services during this time as the module will reload and all deployed policies will be deleted).
I will probably need to read how to do this.

4. Re-add the module into FMC and set it as a target for your policies and deploy them.
What happens with production traffic when I am applying new policies to the module?

5. Patch the module to the latest release.
Same question about production traffic? Should I just take care of steps 2-5 by removing the SFR inspection, then add it back on the ASA service policy configuration?

Thanks!