Solved: FTD 6.6 on FPR 1010 returns to initial configuration after upgrade

Marcus Eickhoff · ‎08-06-2025

We took a pair of FPR1010 running FTD version 6.6 into service.

An upgrade to a higher version by FDM or manually wasn't although pre-testing not possible due to an outdated certificate.

The upgrade starts but ends in a rollback.

Discovering by our virtual LAB FMC running 7.0.x and following configuration deployment updated the certificate so an upgrade to a FTD version 7.0 was successful but returns the configuration of the devices to initial factory configuration (except the management interface setting), removed all prior made configurations, especially the interface configurations moved back from routed-mode to switch-mode, dhcp on eth1/1 was active again etc.

Interfaces were first in down status but turned after a while to active so we experienced a spanning-tree issue cause vlan1 was active again too and the switch the FPR is connected to became unresponsive.

Unfortunately no logs are available after accessing the FPR was possible again.

Is this a "normal" behaviour caused by the upgrade ?

I'd never experienced a behaviour like this after several updates before.

Thank you in advance for any hints about.

Marcus

Marvin Rhoads · ‎08-06-2025

In your 6.6 > 7.0 initial use case, it is expected that changing from FDM to FMC management would wipe the config.

"Switching managers erases the device configuration and returns the system to the default configuration. However, management IP address and hostname are preserved. "

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-mgmt.html#id_16122

If you look at the same section in the 7.4 guide, Cisco have quietly removed that caveat.

https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-mgmt.html#id_24195

View solution in original post

MHM Cisco World · ‎08-06-2025

when you change the mgmt from FDM to FMC sure all config will be delete

MHM

Marcus Eickhoff · ‎08-06-2025

Hi,

I'm not sure about.

I did a preparation with FDM several times in Office ncluding setting the Ethernet interfaces to routed before shipping the FPR1010 to it's destination site and discovered them once racked and wired by FMC. Changing from local Management to external Manager cannot be the cause from my perspective. But I already did it using FTD 7.2 and higher.

Marcus

Marcus Eickhoff · ‎08-06-2025

Running same device now on 7.4.2.1 (Build 30), deleted local Management, nothing changes on Port Mode, remains L3

MHM Cisco World · ‎08-06-2025

Let me dive deeper to check issue here

Thanks for waiting

MHM

Marcus Eickhoff · ‎08-06-2025

I feel sorry, but this seems not matching my question mark why the configuration was returned back from routed to switched interfaces like on a fresh, maybe similar to a re-imaged, configuration.

Best,

Marcus

Marvin Rhoads · ‎08-06-2025

In your 6.6 > 7.0 initial use case, it is expected that changing from FDM to FMC management would wipe the config.

"Switching managers erases the device configuration and returns the system to the default configuration. However, management IP address and hostname are preserved. "

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-mgmt.html#id_16122

If you look at the same section in the 7.4 guide, Cisco have quietly removed that caveat.

https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-mgmt.html#id_24195

Marcus Eickhoff · ‎08-07-2025

Hi Marvin,

thank you very much, this is satisfying my question completely. Long time ago since I've studied the 7.0 documentation.

@MHM Cisco World - thank you too

Best,

Marcus