Showing results for 
Search instead for 
Did you mean: 

Firepower 1140 upgrade fails on FDM

Level 1
Level 1


Upgrading to 7.3.1 from 7.0.1 fails with the below error, any clue?

this is a restored system from backup, I suspect the ssl certificate might need to be reimported?

FTD Onbox Upgrade failed java.lang.IllegalStateException: key type extraction failed$$FastClassBySpringCGLIB$$8dd74bb3.invoke(<generated>) org.springframework.cglib.proxy.MethodProxy.invoke( org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint( Reporting error : FTD Onbox Upgrade failed Fatal error: FTD Onbox Upgrade failed

Rollback reason: fatal error on 38% upgrade process with message:
" FTD Onbox Upgrade failed."





7 Replies 7

Upgrading to 7.3.1 from 7.0.1 fails<<- you mean downgrade?

Level 1
Level 1

Hi No upgrade to 7.3.1, how come it is downgrade..


Are you using a certificate from an external CA?

Have you tried upgrading to 7.2.4 instead as an option? (7.3.1 is a short term release and not as thoroughly tested as 7.2.4 = the current suggested release.)


Yeah, we went troubleshooting with Cisco TAC and it seems the initial Cisco intermediate  certificate was somehow deleted after the failed upgrade, .. he tried to fix it by deleting the VPN profiles then another error occurred regarding a missing package not installed.. it was escalated to level 2 then the developers still w/o any luck.. likely we will have to reimage the box.. or dump the whole FDM thing and move to FMC

I always strongly encourage my customers to use FMC instead - even for a single device deployment.

Also, 7.3.1 is a short term release. Unless you have a hard requirement for a feature only available in 7.3.x, I would recommended 7.2.4/7.2.5 at this time.

Hi Marvin

We moved to a 7.2.4 FMX managed firewall.. for now no drops.. but we are facing issues with a S2S ipsec tunnel tearing down after one hour and not establishing again, the configurations of the tunnel are identical as on the old firewall..  I did open a topic/question in the forum for that.. and we tried to apply a workaround by SSHing into the management IF and force a tunnel reset via clear crypto ikev2 sa [remote IP] but now the SSH went down after a day of script running.. Frankly Cisco firewalls are more buggy nowadays compared to competitors or Meraki that they acquired..

Cisco Employee
Cisco Employee

Can you make sure that your management TLS certificate is valid? This will cause a rollback. I can't see the full text in your message, but I do see a reference to SSL. 

Review Cisco Networking for a $25 gift card