Hi,

We have two ASA 5525 with FTD version 6.2.3.3 (active/strandby) - both are registered with FMC.

Now I want to upgrade FTDs to 6.3 and wanted to do it without FMC. Is there any way we can upgrade the devices without FMC and then register in FMC again ?

It can be done but it's a LOT more work. It's not a recommended path nor is it strictly supported.

The cli procedure is referenced in this thread:

https://community.cisco.com/t5/firepower/fmc-upgrade-from-cli/td-p/3401740

What's your reason for wanting to use the cli method?

Hi Marvin,

Thank you for the reply, the link is helpful. Sorry for returning late here I was busy with many things together.. :)

Our reason to do it manually is that the location where these FTDs are, have bandwidth limitations. So if I push the package and start the upgrade from FMC I'm afraid it'll take the bandwidth and will effect other services on the link. we are upgrading the SFRs manually for the same reason on other sites. But since this is first time I'm upgrading the FTDs hence the question.

Currently I'm ding PoC for FTD upgrade in my LAB. I'll update here once done. 

But meanwhile another questions, Since the FTDs are in cluster I wonder if I need to remove it from FMC ?? (since I'm upgrading the FTDs with out FMC) and then add them back when they are upgraded.. If not, then I wonder what will be the cluster status in FMC once I start upgrading the secondary  box .. As I know If we upgrade it from FMC the cluster goes into maintenance state.

Thanks & have a very nice weekend.

Your FMC should detect the new version even if it is installed manually on the ASA appliance running FTD. Your HA should remain intact. I'd recommend following a similar procedure to what is done when you upgrade a plain ASA HA pair (get image on both, upgrade Secondary - Standby, verify success, wait for return to Standby - Ready state, make it Active and repeat of the Primary unit.

Most of the underlying failover operations and associated code is inherited from ASA as the LINA subsystem on FTD.

Of course it would be nice to lab that all in advance.

Note that once you are on 6.2.3, you will have the option to push an update to the device from FMC prior to upgrade.

finally I got time to do this in the lab.

Hi Mervin,

yes, you are right. I followed the same process. download upgrade and patch versions to devices and than upgrade secondary first then wait for the HA status OK (in FMC) and switch peer active<->standby, upgrade the second unit .. All went smooth.but after the patch upgrade on second unit it doesn't show the HA active and standby ready.. Instead second unit is now in disabled state. with following logs from "sh fail hist" command.  on secondary (disabled) unit

==========================================================================
From State                To State                 Reason
==========================================================================
11:27:28 UTC Sep 13 2019
Not Detected         Negotiation              No Error

11:28:03 UTC Sep 13 2019
Negotiation         Cold Standby        Detected an Active mate

11:28:04 UTC Sep 13 2019
Cold Standby     App Sync               Detected an Active mate

11:33:57 UTC Sep 13 2019
App Sync        Disabled CD          App Sync error is app sync failure with error code device_failure_configuration
==========================================================================

Its strange. even when first unit was upgraded and the FTD version was different on both devices the HA was OK. but now when both devices are with same version, secondary unit went disabled.

I tried reboot the secondary unit but no luck..

You may need to remove and then re-add it onto the HA configuration from FMC.

Opening a TAC case might be the best course of action given the current state of the unit.