FMC upgrade issues

mangwendeelijah (Level 1)

Current software:
1. Management Center 6.6.5
2. Devices 6.6.4

Need to replace to support upgrade to version 7.0.0+. As it has required full replacement on 2-3 occasions already, our experience has shown us that it can't handle both the volume of thousands of ACLs running on this firewall whilst applying an upgrade at the same time, as the FTD quickly becomes unrecoverable.

Questions:
• What is the estimated level of Risk of this occurring, i.e. best guestimate on the likelihood & frequency of these Bugs occurring?
• If they did impact, what is required to Recover from such an incident?
• What is the likely timescale for that Recovery (loss of service)?

Thank you in advance 

Accepted Solution

• What is the estimated level of Risk of this occurring, i.e. best guestimate on the likelihood & frequency of these Bugs occurring?  You have not described any bug; this is more of a hardware limitation, as processing ACLs requires memory and CPU, and upgrades would also require CPU.
• If they did impact, what is required to Recover from such an incident?  This depends on what happens during the upgrade. It is not good to power-cycle the firewall if the upgrade hangs, so I would suggest opening a TAC case and having them help with the recovery.  Ideally you will have an HA setup, so the upgrade will do one firewall at a time and therefore you should not have an impact on your users.  Access control entries with several interfaces assigned to the source and destination zones, as well as several source and destination networks and ports, will compound the number of ACLs.  The newer releases of FTD will address this issue so that there is one entry for each access control entry, thereby adding more logic for match criteria when going through the ACLs to find a match.
• What is the likely timescale for that Recovery (loss of service)?  This is difficult to say, as it really depends on the type of issue.  If it is deemed that it is OK to perform a power-cycle and the firewall comes up, then we are talking a few minutes; or perhaps the power-cycle just helps kickstart the upgrade (I have seen this before also), then it could be 30 minutes until the firewall is back up.  But in the worst-case scenario, where the firewall has died and you need to replace it, this depends on what type of support agreement you have with Cisco (could be anywhere from 4 hours to next day to 5 business days...or more).

--
Please remember to select a correct answer and rate helpful posts

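The combinatorial expansion the accepted answer describes, as an added example that is not from the original post or from Cisco: a small Python model of how one access control entry becomes many ACL entries when its zones hold several interfaces and it lists several networks and ports, with the collapsed one-entry-per-rule count alongside. Rule names, interfaces and addresses below are constructed; that the device expands a rule as a full Cartesian product of those fields is this model's assumption, not something the post states.

```python
"""Model of access control entry expansion (added example, not Cisco code).

Expanded model: one ACL entry per (src interface, dst interface, src network,
dst network, port) combination, which is how the accepted answer describes
older behaviour. Collapsed model: one entry per access control entry, with
the match logic handled at lookup time. The expansion rule itself is an
assumption of this model.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class AccessControlEntry:
    """One rule as written in the policy (field names are illustrative)."""
    name: str
    src_interfaces: list   # interfaces in the source zone(s)
    dst_interfaces: list   # interfaces in the destination zone(s)
    src_networks: list     # ["any"] when the rule does not restrict source
    dst_networks: list
    dst_ports: list        # ["any"] when the rule does not restrict port


def _check(ace):
    # "any" must be modelled as a one-element list; an empty list is a
    # modelling error, not a rule that matches nothing.
    for field_name in ("src_interfaces", "dst_interfaces", "src_networks",
                       "dst_networks", "dst_ports"):
        if not getattr(ace, field_name):
            raise ValueError(f"{ace.name}: {field_name} is empty; use ['any']")


def expand(ace):
    """Materialise the individual entries the rule becomes in the expanded model."""
    _check(ace)
    return [
        (ace.name, si, di, sn, dn, p)
        for si, di, sn, dn, p in product(ace.src_interfaces, ace.dst_interfaces,
                                         ace.src_networks, ace.dst_networks,
                                         ace.dst_ports)
    ]


def expanded_count(ace):
    """Size of the Cartesian product without materialising it."""
    _check(ace)
    return (len(ace.src_interfaces) * len(ace.dst_interfaces)
            * len(ace.src_networks) * len(ace.dst_networks) * len(ace.dst_ports))


def policy_counts(policy):
    """Return (expanded, collapsed) entry counts for a whole policy."""
    return sum(expanded_count(a) for a in policy), len(policy)


def top_contributors(policy, n=3):
    """Rule names ranked by how many expanded entries they generate, largest first."""
    return [a.name for a in sorted(policy, key=expanded_count, reverse=True)[:n]]


# Constructed sample policy for this example; not taken from any real deployment.
SAMPLE_POLICY = [
    AccessControlEntry("allow-web", ["inside1", "inside2"], ["outside"],
                       ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"], ["any"],
                       ["tcp/80", "tcp/443"]),
    AccessControlEntry("mgmt-to-all", ["mgmt"],
                       ["inside1", "inside2", "dmz", "outside"],
                       ["10.99.0.0/24"], ["any"], ["tcp/22", "tcp/443"]),
    AccessControlEntry("allow-dns", ["inside1", "inside2", "dmz"], ["outside"],
                       ["any"], ["8.8.8.8", "8.8.4.4"], ["udp/53"]),
]


if __name__ == "__main__":
    expanded, collapsed = policy_counts(SAMPLE_POLICY)
    print(f"{collapsed} access control entries expand to {expanded} ACL entries")
    for rule in SAMPLE_POLICY:
        print(f"  {rule.name}: {expanded_count(rule)} expanded entries")
    print("largest contributors:", top_contributors(SAMPLE_POLICY))
```

Run it against an export of your own rules to see which entries multiply out the most before an upgrade window; a rule with three interfaces on each side and a handful of networks and ports is often the one worth splitting or trimming. The model counts entries only; it says nothing about the memory or CPU each entry actually costs on a given platform.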

2 Replies


Thank you for your response, very helpful