01-10-2019 07:03 PM - edited 02-21-2020 08:38 AM
Dear Team:
Is there any Cisco documentation for Upgrade Procedures on ASA 5525-x from 6.2.2 to the last release 6.3?
I've seen in the web page a file name but with a different extension, ".tar":
https://software.cisco.com/download/home/286271172/type/286306337/release/6.3.0
Best regards,
Jhon
01-10-2019 07:18 PM
1. Download the tar file to your workstation.
2. If you are managing the device with FMC, upload the tar file to FMC (via System > Updates) and then select and install it.
3. If you are managing the device via FDM, do a similar process via Updates > System Upgrade.
06-20-2019 11:13 PM
Hi,
We have two ASA 5525 with FTD version 6.2.3.3 (active/standby) - both are registered with FMC.
Now I want to upgrade the FTDs to 6.3 and wanted to do it without FMC. Is there any way we can upgrade the devices without FMC and then register in FMC again?
06-21-2019 04:58 AM
It can be done but it's a LOT more work. It's not a recommended path nor is it strictly supported.
The cli procedure is referenced in this thread:
https://community.cisco.com/t5/firepower/fmc-upgrade-from-cli/td-p/3401740
What's your reason for wanting to use the cli method?
07-05-2019 01:35 AM
Hi Marvin,
Thank you for the reply, the link is helpful. Sorry for returning late here, I was busy with many things together. :)
Our reason to do it manually is that the location where these FTDs are has bandwidth limitations. So if I push the package and start the upgrade from FMC, I'm afraid it'll take the bandwidth and will affect other services on the link. We are upgrading the SFRs manually for the same reason on other sites. But since this is the first time I'm upgrading the FTDs, hence the question.
Currently I'm doing a PoC for the FTD upgrade in my LAB. I'll update here once done.
But meanwhile, another question: since the FTDs are in a cluster, I wonder if I need to remove it from FMC (since I'm upgrading the FTDs without FMC) and then add them back when they are upgraded. If not, then I wonder what the cluster status will be in FMC once I start upgrading the secondary box. As I know, if we upgrade it from FMC the cluster goes into maintenance state.
Thanks & have a very nice weekend.
07-05-2019 04:43 AM
Your FMC should detect the new version even if it is installed manually on the ASA appliance running FTD. Your HA should remain intact. I'd recommend following a similar procedure to what is done when you upgrade a plain ASA HA pair (get image on both, upgrade Secondary - Standby, verify success, wait for return to Standby - Ready state, make it Active and repeat for the Primary unit).
Most of the underlying failover operations and associated code is inherited from ASA as the LINA subsystem on FTD.
Of course it would be nice to lab that all in advance.
Note that once you are on 6.2.3, you will have the option to push an update to the device from FMC prior to upgrade.
09-13-2019 07:09 AM
Finally I got time to do this in the lab.
Hi Marvin,
Yes, you are right. I followed the same process: download the upgrade and patch versions to the devices, then upgrade the secondary first, then wait for the HA status OK (in FMC), switch peer active<->standby, and upgrade the second unit. All went smoothly, but after the patch upgrade on the second unit it doesn't show the HA as active and standby ready. Instead, the second unit is now in disabled state, with the following logs from the "sh fail hist" command on the secondary (disabled) unit:
==========================================================================
From State                 To State                   Reason
==========================================================================
11:27:28 UTC Sep 13 2019
Not Detected               Negotiation                No Error
11:28:03 UTC Sep 13 2019
Negotiation                Cold Standby               Detected an Active mate
11:28:04 UTC Sep 13 2019
Cold Standby               App Sync                   Detected an Active mate
11:33:57 UTC Sep 13 2019
App Sync                   Disabled                   CD App Sync error is app sync failure with error code device_failure_configuration
==========================================================================
It's strange. Even when the first unit was upgraded and the FTD version was different on both devices, the HA was OK. But now, when both devices are on the same version, the secondary unit went disabled.
I tried rebooting the secondary unit, but no luck.
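A post-upgrade check for the failover history shown in the post above, written as an added example that is not part of the original thread: it parses the "sh fail hist" table and reports when a unit ends in a bad state, with the reason and how long the preceding state lasted. The function names, the two-or-more-spaces column separator and the inclusion of "Failed" as a bad state are assumptions.

```python
import re
from datetime import datetime

# Output copied from the post above, columns re-aligned for this example
# (assumption: columns are separated by two or more spaces).
SAMPLE = """\
==========================================================================
From State                 To State                   Reason
==========================================================================
11:27:28 UTC Sep 13 2019
Not Detected               Negotiation                No Error
11:28:03 UTC Sep 13 2019
Negotiation                Cold Standby               Detected an Active mate
11:28:04 UTC Sep 13 2019
Cold Standby               App Sync                   Detected an Active mate
11:33:57 UTC Sep 13 2019
App Sync                   Disabled                   CD App Sync error is app sync failure with error code device_failure_configuration
==========================================================================
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2} \w+ \w{3} \d{1,2} \d{4}$")

def parse_history(text):
    """Return a list of (timestamp, from_state, to_state, reason) tuples."""
    rows, stamp = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("=") or line.startswith("From State"):
            continue
        if TS.match(line):
            # Drop the zone name so parsing does not depend on local tz data.
            h, _zone, mon, day, year = line.split()
            stamp = datetime.strptime(f"{h} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=2)
        if stamp is not None and len(cols) == 3:
            rows.append((stamp, *cols))
            stamp = None
    return rows

def final_fault(rows, bad_states=("Disabled", "Failed")):
    """If the last transition ends in a bad state, return (state, reason, seconds in prior state)."""
    if not rows or rows[-1][2] not in bad_states:
        return None
    stamp, _frm, to, reason = rows[-1]
    dwell = (stamp - rows[-2][0]).total_seconds() if len(rows) > 1 else None
    return to, reason, dwell
```

On the posted output this reports the Disabled state after App Sync ran for 353 seconds, which is the detail to include when opening a TAC case.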
09-13-2019 04:18 PM
You may need to remove and then re-add it onto the HA configuration from FMC.
Opening a TAC case might be the best course of action given the current state of the unit.