Is there any Cisco documentation for Upgrade Procedures on ASA 5525-x from 6.2.2 to the last release 6.3?
I've seen in the web page a file name but with a different extension ".tar".
1. Download the tar file to your workstation.
2. If you are managing the device with FMC, upload the tar file to FMC (via System > Updates) and then select and install it.
3. If you are managing the device via FDM, do a similar process via Updates > System Upgrade.
We have two ASA 5525 with FTD version 18.104.22.168 (active/standby) - both are registered with FMC.
Now I want to upgrade FTDs to 6.3 and wanted to do it without FMC. Is there any way we can upgrade the devices without FMC and then register in FMC again?
It can be done but it's a LOT more work. It's not a recommended path nor is it strictly supported.
The cli procedure is referenced in this thread:
What's your reason for wanting to use the cli method?
Thank you for the reply, the link is helpful. Sorry for returning here late, I was busy with many things at once. :)
Our reason to do it manually is that the location where these FTDs are has bandwidth limitations. So if I push the package and start the upgrade from FMC, I'm afraid it'll take the bandwidth and will affect other services on the link. We are upgrading the SFRs manually for the same reason on other sites. But since this is the first time I'm upgrading the FTDs, hence the question.
Currently I'm doing a PoC for the FTD upgrade in my lab. I'll update here once done.
But meanwhile another question: since the FTDs are in a cluster, I wonder if I need to remove it from FMC (since I'm upgrading the FTDs without FMC) and then add them back when they are upgraded. If not, then I wonder what the cluster status will be in FMC once I start upgrading the secondary box. As far as I know, if we upgrade it from FMC the cluster goes into maintenance state.
Thanks & have a very nice weekend.
Your FMC should detect the new version even if it is installed manually on the ASA appliance running FTD. Your HA should remain intact. I'd recommend following a similar procedure to what is done when you upgrade a plain ASA HA pair (get image on both, upgrade Secondary - Standby, verify success, wait for return to Standby - Ready state, make it Active and repeat for the Primary unit).
Most of the underlying failover operations and associated code is inherited from ASA as the LINA subsystem on FTD.
Of course it would be nice to lab that all in advance.
Note that once you are on 6.2.3, you will have the option to push an update to the device from FMC prior to upgrade.
Finally I got time to do this in the lab.
Yes, you are right. I followed the same process: downloaded the upgrade and patch versions to the devices, then upgraded the secondary first, waited for the HA status to be OK (in FMC), switched the peers active<->standby, and upgraded the second unit. All went smoothly. But after the patch upgrade on the second unit, it doesn't show HA active and standby ready. Instead, the second unit is now in the disabled state, with the following logs from the "sh fail hist" command on the secondary (disabled) unit:
From State        To State        Reason
11:27:28 UTC Sep 13 2019
Not Detected      Negotiation     No Error
11:28:03 UTC Sep 13 2019
Negotiation       Cold Standby    Detected an Active mate
11:28:04 UTC Sep 13 2019
Cold Standby      App Sync        Detected an Active mate
11:33:57 UTC Sep 13 2019
App Sync          Disabled        CD App Sync error is app sync failure with error code device_failure_configuration
It's strange. Even when the first unit was upgraded and the FTD version was different on both devices, the HA was OK. But now, when both devices are on the same version, the secondary unit went disabled.
I tried rebooting the secondary unit but no luck.
You may need to remove and then re-add it onto the HA configuration from FMC.
Opening a TAC case might be the best course of action given the current state of the unit.
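
The procedure discussed in this thread depends on confirming that the upgraded unit has returned to Standby Ready before roles are switched. The following is an added example, not code from any poster or from Cisco: it parses failover history text like the output quoted above and reports whether the last transition is safe to proceed on. The function names are hypothetical, and the list of state names is an assumption to adjust for your release.

```python
import re

# Failover state names (assumed list, not taken from the thread; extend as needed).
STATES = ["Not Detected", "Negotiation", "Cold Standby", "App Sync", "Sync Config",
          "Sync File System", "Bulk Sync", "Standby Ready", "Just Active",
          "Active Drain", "Active Applying Config", "Active Config Applied",
          "Active", "Failed", "Disabled"]
# Longest names first so "Active Drain" is never read as "Active".
_ORDERED = sorted(STATES, key=len, reverse=True)
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2} \w+ \w{3} \d{1,2} \d{4}$")

def _take_state(text):
    """Split a leading state name off text; return (state or None, remainder)."""
    for name in _ORDERED:
        if text == name or text.startswith(name + " "):
            return name, text[len(name):].strip()
    return None, text

def parse_history(output):
    """Return (timestamp, from_state, to_state, reason) tuples in order."""
    rows, stamp = [], None
    for raw in output.splitlines():
        line = " ".join(raw.split())      # collapse column padding
        if TIMESTAMP.match(line):
            stamp = line
            continue
        src, rest = _take_state(line)
        dst, reason = _take_state(rest) if src else (None, rest)
        if src and dst and stamp:         # header and wrapped lines are skipped
            rows.append((stamp, src, dst, reason))
            stamp = None
    return rows

def safe_to_switch(rows):
    """True only if the most recent transition ended in Standby Ready."""
    return bool(rows) and rows[-1][2] == "Standby Ready"

def failure_reason(rows):
    """Reason text if the unit ended in Disabled or Failed, else None."""
    return rows[-1][3] if rows and rows[-1][2] in ("Disabled", "Failed") else None

# Sample input constructed from the history lines quoted in the thread.
SAMPLE = """From State To State Reason
11:27:28 UTC Sep 13 2019
Not Detected Negotiation No Error
11:28:03 UTC Sep 13 2019
Negotiation Cold Standby Detected an Active mate
11:28:04 UTC Sep 13 2019
Cold Standby App Sync Detected an Active mate
11:33:57 UTC Sep 13 2019
App Sync Disabled CD App Sync error is app sync failure with error code device_failure_configuration
"""

if __name__ == "__main__":
    history = parse_history(SAMPLE)
    print(safe_to_switch(history), failure_reason(history))
```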