Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1043
Views
5
Helpful
2
Replies

4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to From 2.6(1.174) to 2.8.(1.143)

Behzad Sharifi
Level 1
Level 1

‎02-27-2021 03:50 PM

I am about to uprade two FTD 4110 FXOS. The first upgrade has been succeced on the Secondary and then I tried do run the same steps on the primery FTD. I has been runing upgrade in more than 2 hours on the primery FTD now and I am soure that some thing is wrong. When I connect the chassie from the GUI, I is showing that the runing version is 2.8.(1.143) but if I check the CLI, I seems to be the upgrade process still runing after two hours. Is there any one that has seen this issue before. I am not sure if I have to reboot the chassie. 

 

FTD01 /system # show firmware monitor
FPRM:
Package-Vers: 2.8(1.143)
Upgrade-Status: Ready

Fabric Interconnect A:
Package-Vers: 2.8(1.143)
Upgrade-Status: Ready

Chassis 1:
Server 1:
Package-Vers: 2.8(1.143),2.6(1.174)
Upgrade-Status: Upgrading

 

*****

FTD01 /chassis # show version
Chassis 1:
Server 1:
CIMC:
Running-Vers: 4.1(30b)
Package-Vers: 2.8(1.143)
Update-Status: Ready
Activate-Status: Ready

Adapter 1:
Running-Vers: 5.6(1.10)
Package-Vers: 2.6(1.174)
Update-Status: Updating
Activate-Status: Activating
Bootloader-Update-Status: Ready
BIOS:
Running-Vers: FXOSSM1.1.2.1.18.052320191712
Package-Vers: 2.8(1.143)
Update-Status: Ready
Activate-Status: Ready

SSP OS:
Running-Vers: 2.6(1.156)
Package-Vers: 2.6(1.174)
Update-Status: Updating
Activate-Status:

RAID Controller 1:
Running-Vers:
Package-Vers:
Activate-Status:

BoardController:
Running-Vers: 14.0
Package-Vers: 2.8(1.143)
Activate-Status: Ready

Local Disk 1:
Running-Vers:
Package-Vers:
Activate-Status:

C2DC01FTD01 /chassis #

0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-28-2021 03:07 AM

You should not have to perform a manual reboot. 2 hours is excessive for an upgrade - my experience is that they should take about 30-40 minutes total per chassis.

I would recommend opening a TAC case (and not performing a manual reboot). Rebooting unexpectedly in the middle of an ongoing upgrade (even a "hung" one) could leave the system in an unstable state.

Behzad Sharifi
Level 1
Level 1
In response to Marvin Rhoads

‎03-02-2021 02:06 PM

Hi Marvin 
Thank you for response. As I mentioned abow here  the chassie has been reboded. You are right 2 hours is excessive for an upgrade. It took almost 45 min for ograding the first FTD  4110 chassie. Actuly I did open a TAC case and I am trynig to explain below here and I hope it can help some one else in the same situation.

  • One of the thing that I verified, was that when I logged to the  Firepower chassie manager it shows that I was runing with the new FXOS 2.8 and chassie seems to be updated
  • Then I tried to check the Security Engine state on the Firepower chassie manager and it was down pand Powered " OFF". I tried to change the state and power it on but It dosen't work.
  • When I got the Cisco TAC enginner on the case. He did the same thing. He tried to " Power on " the Security Engine. But still the same problem.
  • Then he told me that he can try  somthing else from CLI for "Power on " the Security Engine. But before that he would check the firmware debug utility  power status on the moduel 
  • He tried the following command:

    FTD01# connect cimc 1/1

    Trying 127.5.1.1...

    Connected to 127.5.1.1.

    Escape character is '^]'.

    CIMC Debug Firmware Utility Shell [ support ]

    [ help ]# power

    OP:[ status ]

    Power-State:                 [ off ]

    Master-State:                [ Master ]

    VDD-Power-Good:              [ inactive ]

    Power-On-Fail:               [ inactive ]

    Power-Ctrl-Lock:             [ permanent lock ]

    Power-System-Status:         [ Bad ]

    Front-Panel Power Button:    [ Disabled ]

    Front-Panel Reset Button:    [ Disabled ]

    Source of Last Power Change: [ No Transition ]

    OP-CCODE:[ Success ]

    [ power ]#

  • Regarding to Cisco TAC engineer " Power-Ctrl-Lock:             [ permanent lock ] " means that you can not do any  thing to " power on " the Module and the only solution will be Hardware Replacment.
    According TAC Engineer, For alle FTD 4110 you need to RMA whole the chassie but if this the same issue happning for FTD 9300 chassie you don't need to do hardware replacment. You just need to do RMA for that faulty moduel.
    So in my case we did RMA for FTD 4100. I hope my explenation is good enough :). 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card