05-06-2023 02:30 AM
Hi
Upgrading to 7.3.1 from 7.0.1 fails with the below error, any clue?
This is a restored system from backup, I suspect the ssl certificate might need to be reimported?
FTD Onbox Upgrade failed
java.lang.IllegalStateException: key type extraction failed
com.cisco.ngfw.onbox.utils.security.OpenSSLCertificateConversionTools.getKeyType(OpenSSLCertificateConversionTools.java:218)
com.cisco.ngfw.onbox.importer.upgrader.upgradehandlers.CertificateBaseUpgradeHandler.transformObject(CertificateBaseUpgradeHandler.java:111)
com.cisco.ngfw.onbox.importer.upgrader.upgradehandlers.ExternalCACertificateUpgradeHandler.transformObject(ExternalCACertificateUpgradeHandler.java:49)
com.cisco.ngfw.onbox.importer.upgrader.upgradehandlers.ExternalCACertificateUpgradeHandler$$FastClassBySpringCGLIB$$8dd74bb3.invoke(<generated>)
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
Reporting error : FTD Onbox Upgrade failed
Fatal error: FTD Onbox Upgrade failed
Rollback reason: fatal error on 38% upgrade process with message:
" FTD Onbox Upgrade failed."
05-06-2023 03:38 AM
Upgrading to 7.3.1 from 7.0.1 fails<<- you mean downgrade?
07-24-2023 11:30 AM - edited 07-24-2023 11:32 AM
Hi. No, upgrade to 7.3.1. How come it is a downgrade?
07-25-2023 09:02 AM
Are you using a certificate from an external CA?
Have you tried upgrading to 7.2.4 instead as an option? (7.3.1 is a short term release and not as thoroughly tested as 7.2.4 = the current suggested release.)
08-06-2023 08:11 PM
Hi
Yeah, we went troubleshooting with Cisco TAC and it seems the initial Cisco intermediate certificate was somehow deleted after the failed upgrade. He tried to fix it by deleting the VPN profiles, then another error occurred regarding a missing package not installed. It was escalated to level 2, then the developers, still without any luck. Likely we will have to reimage the box, or dump the whole FDM thing and move to FMC.
08-07-2023 01:56 AM
I always strongly encourage my customers to use FMC instead - even for a single device deployment.
Also, 7.3.1 is a short term release. Unless you have a hard requirement for a feature only available in 7.3.x, I would recommend 7.2.4/7.2.5 at this time.
08-07-2023 09:40 AM
Hi Marvin
We moved to a 7.2.4 FMC managed firewall. For now no drops, but we are facing issues with a S2S IPsec tunnel tearing down after one hour and not establishing again; the configurations of the tunnel are identical to those on the old firewall. I did open a topic/question in the forum for that, and we tried to apply a workaround by SSHing into the management IF and forcing a tunnel reset via clear crypto ikev2 sa [remote IP], but now the SSH went down after a day of script running. Frankly, Cisco firewalls are more buggy nowadays compared to competitors or Meraki that they acquired.
07-25-2023 09:11 AM
Can you make sure that your management TLS certificate is valid? This will cause a rollback. I can't see the full text in your message, but I do see a reference to SSL.