FMC 2500 Upgrade Questions

Dear Community,

I want to upgrade my Physical FMC2500 appliances that are in an Active/Standby HA pair from 6.4.0.9 to 6.7.0.2 but had some questions regarding the process. Please let me know if this process seems correct:

- Perform a Backup of the FMC configuration
- Push any pending deployments to FTDs
- Pause Sync
- Upload Upgrade Images to Standby FMC and Primary FMC individually.
- Upgrade standby FMC to 6.7.0 major version.
- Upgrade standby FMC to 6.7.0.2 maintenance release using patch.
- Upgrade Primary FMC to 6.7.0 major version.
- Upgrade Primary FMC to 6.7.0.2 maintenance release using patch.
- Re-establish sync by selecting "make me active" on the primary FMC.

I also had a question about the BIOS/RAID/CIMC upgrade. I would like to upgrade the BIOS/RAID/CIMC to the one released with 6.7.0; however, I am not sure I will have the time to do it immediately after the upgrade to 6.7.0. Can I continue to run my FMC's on my current BIOS/RAID/CIMC versions that came with 6.4.0? Or is it mandatory I upgrade the BIOS after upgrading to 6.7.0?

 

Thank you. 

balaji.bandi
Hall of Fame

There is a good document that explains the upgrade path, and when a BIOS upgrade is required, here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/planning.html

 

The compatibility section covers BIOS:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/compatibility.html

 

Make sure your FTD is also compatible, which you uplift FMC and you also need FTD.

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you. I have read these documents already and was unable to ascertain the answers to the questions I asked. However, you did bring up upgrading the FTD's. I was under the understanding that you can have a higher FMC rev than what your FTD's are at. I intend to keep my FTD's at 6.4.0.9 while running 6.7 or 7.0 on my FMC for a short time until I can upgrade my FTD's. This should be ok?

 

Thank you. 

Yes, FTD 6.4 can be managed using 6.7 and 7.0 (just a heads-up: once it's upgraded, you cannot manage older FTD versions, so check compatibility as a cautious step).

 

As @Marvin Rhoads said, it is a good version to upgrade to, but the business decision to move to 7.0 is an individual call; we are running 6.7, stable and good as of now.

 

As per the document, you need to apply the fix for the BIOS (worth cross-checking before upgrading to FMC 6.7 or later).

 

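| Platform | Firepower Version | BIOS | RAID Controller Firmware | CIMC Firmware | Hotfix |
|---|---|---|---|---|---|
| FMC 1000, 2500, 4500 | 6.2.3 to 6.7.x | C22M4.4.0.2d.0 | 24.12.1-0433 | 4.0(2d) | BIOS Update Hotfix EI |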

 

BB


Balaji,

 

Thank you for the reply. I think I am understanding now. Quick question in terms of the C22M4.4.0.2d.0 BIOS rev, any idea what major/minor version this rev came out under? When I look at the BIOS UPDATE EI software it doesn't tell you what version is actually contained within, at least none that I can find. 

 

Thank you

Marvin Rhoads
Hall of Fame

The links @balaji.bandi posted cover the upgrade and compatibility exhaustively.

I would add that, unless you really need 6.7.0.2 for a feature specific to that release, I would recommend going to 6.6.4 instead as it is the current Gold Star release.

If you really need something post-6.6.4, then 7.0 will likely serve you better as it is an extra long term release while 6.7 is a short term release and already past end-of-sales.

https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/eos-eol-notice-c51-744709.html

 

Thank you for the replies. I am still a little fuzzy on the BIOS/RAID rev. The documentation states:

 

We provide updates for BIOS and RAID controller firmware on Firepower Management Center hardware. If your FMC does not meet the requirements, apply the appropriate hotfix. If your FMC model and version are not listed and you think you need to update, contact Cisco TAC.

 

| Platform | Firepower Version | BIOS | RAID Controller Firmware | CIMC Firmware | Hotfix |
|---|---|---|---|---|---|
| FMC 1600, 2600, 4600 | 6.3.0 to 6.7.x | C220M5.4.1.1c.0 | 51.10.0-2978 | 4.1(1f) | BIOS Update Hotfix EI |
| FMC 1000, 2500, 4500 | 6.2.3 to 6.7.x | C22M4.4.0.2d.0 | 24.12.1-0433 | 4.0(2d) | BIOS Update Hotfix EI |

 

Does this mean if the current BIOS rev is not in this table then you should update? Can I jump to 7.0.0 from 6.4.0.9 without updating the BIOS? The documentation is not clear on this. My devices are currently on the following revs:

 

BIOS Version: C220M4.2.0.13d.0.0812161113

RAID Version: 24.12.1-0110

 

Thank you. 

Marvin,

I am not sure what happened to my other reply. I have read through the documentation that was provided, but it is still unclear to me the BIOS requirement. I need to move to 6.7 or later for the Route Based VPN feature. This feature was introduced in 6.7.0. I would have no issue jumping straight to 7.0.0, but I am still a bit fuzzy on the BIOS/RAID/CIMC version. My current versions are:

 

BIOS Information

        Vendor: Cisco Systems, Inc. FMC5

        Version: C220M4.2.0.13d.0.0812161113

 

FW Package Build = 24.12.1-0110

 

I apologize if I am not seeing the BIOS to Software rev compatibility, but for some reason I am not seeing it. Do I need to upgrade my BIOS version in your opinion? If I need to upgrade the BIOS, do I need to upgrade to 6.7.0 first and use that one, as 7.0.0 does not yet have a BIOS hotfix.

 

Thank you. 
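The comparison the two posts above are asking about, as an added example that is not part of the thread and not Cisco tooling: it pulls the BIOS and RAID strings out of pasted output like the poster's and checks whether they sort below the documented table row. It assumes the version fields order numerically field by field and ignores the platform prefix; all function names are hypothetical, and it reports only ordering, not whether the hotfix is mandatory.

```python
import re

# Table row quoted in the thread: FMC 1000, 2500, 4500 / 6.2.3 to 6.7.x.
# The platform prefix (C22M4 here, C220M4 on the box) is ignored when comparing.
REQUIRED = {"bios": "C22M4.4.0.2d.0", "raid": "24.12.1-0433"}

# Constructed sample: the output lines the poster pasted, joined together.
SAMPLE_OUTPUT = """BIOS Information
        Vendor: Cisco Systems, Inc. FMC5
        Version: C220M4.2.0.13d.0.0812161113
FW Package Build = 24.12.1-0110
"""

BIOS_RE = re.compile(r"C\d+M\d+\.(\d+)\.(\d+)\.(\d+)([a-z]?)")
RAID_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")

def bios_key(version):
    """(major, minor, patch, letter) after the platform prefix, e.g. 4.0.2d."""
    m = BIOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIOS version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def raid_key(version):
    """Four integers from a RAID package string such as 24.12.1-0433."""
    m = RAID_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised RAID version: {version!r}")
    return tuple(int(part) for part in m.groups())

def extract_versions(text):
    """Pull the BIOS and RAID strings out of pasted command output."""
    bios = re.search(r"^\s*Version:\s*(\S+)", text, re.MULTILINE)
    raid = re.search(r"^\s*FW Package Build\s*=\s*(\S+)", text, re.MULTILINE)
    if not (bios and raid):
        raise ValueError("BIOS or RAID version line not found")
    return {"bios": bios.group(1), "raid": raid.group(1)}

def firmware_gaps(reported, required=REQUIRED):
    """Components whose reported version sorts below the documented one."""
    keys = {"bios": bios_key, "raid": raid_key}
    return [name for name, key in keys.items()
            if key(reported[name]) < key(required[name])]

if __name__ == "__main__":
    print(firmware_gaps(extract_versions(SAMPLE_OUTPUT)))
```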

yuzaimee_yahaya
Level 1

I have the same question for BIOS Update.

We are using FMC 2600 and plan to upgrade from version 7.0.1 (recently upgraded from Version 6.5.02) to version 7.1 regarding bug issue. Since my BIOS Version and RAID Version on FMC is below recommended, I might need to update BIOS using Hotfix Release before Upgrade FMC Version 7.1.

 

Back to ChristopherCraddock66504,

How can we perform a BIOS update on the FMC 2600, since it doesn't support CIMC?

I can't find any official documented guide from Cisco.

FMC 2600 is based on the UCS C220 M5 server. Despite what is published in the Cisco docs you can access and upgrade the CIMC just like any other UCS server.

The latest release of CIMC firmware for the C220 M5 platform is currently 4.1(3f):

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/b_release-notes-for-cisco-ucs-rack-server-software-release-4_1_3.html

https://software.cisco.com/download/home/286318809/type/283850974/release/4.1(3f)

However a UCS firmware upgrade and hotfix are not required to run 7.0.1 or 7.1 Firepower releases - they are only required to address the specific issues mentioned in the release notes.
