FTD HA Launch readiness check option for upgrade

Hi,

Has anyone faced an issue when following the TAC document below on FTD HA upgrade? It looks like the readiness check is not
supported in an HA configuration and a bug has been filed for the feature (CSCvm11203), but I am wondering why the upgrade document
mentions otherwise?

FTD HA Upgrade:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200896-Upgrading-an-FTD-HA-pair-on-Firepower-ap.html

Bug Details:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm11203/?rfs=iqvred


Thanks,
Dileep

4 Replies

Marvin Rhoads
Hall of Fame

The upgrade document fails to mention that the Readiness Check isn't supported on an HA pair (unless you break HA). I just submitted document feedback to alert the authors of this error.

Readiness check essentially goes through the initial couple of sections of an actual upgrade and then exits prior to the step that would shut down the service and proceed with upgrading.

I find that if you are careful to proactively deploy from FMC prior to doing an upgrade (ensuring that Snort rules are synced and that all communications are working OK), it addresses a lot of the common issues that Readiness Check might uncover.

Upon researching more on the topic, the Firepower 6.2.2 release notes suggest running the readiness check in the CLI for HA and clustered devices, but I am not sure whether breaking HA is required in this case as suggested in the bug.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/relnotes/Firepower_Release_Notes_622/Firepower_Release_Notes_622_chapter_0101.html#concept_xvp_gvb_yz


-- Run a Readiness Check through the Shell
"For clustered devices, stacked devices, and devices in high availability pairs, you must use the shell."

sudo install_update.pl --detach --readiness-check full_path_to_update_package


Hello Dileep,


As you said, the Firepower 6.2.2 release notes suggest running the readiness check in CLI for each device that is a member of the HA setup. At this point, you do not need to break the HA as suggested in BUG: CSCvm11203. This bug is talking about an enhancement on the readiness-check feature for FTD-HA pairs managed by FMC-GUI.

1. Until now, the readiness check option over FMC-GUI is available for Standalone devices only.

2. Per many customers' requests, we filed this BUG: CSCvm11203 so the readiness check can be performed for clustered devices, stacked devices, and devices in high availability pairs using the "Launch Readiness Check" button on FMC > System > Updates > (target_upgrade).

3. As the documentation says "For clustered devices, stacked devices, and devices in high availability pairs, you must use the shell." That is correct, so basically you need to run the following command on each individual member of your HA: sudo install_update.pl --detach --readiness-check <full_path_to_update_package>

4. As Marvin said, the readiness check essentially goes through an initial couple of sections of an actual upgrade and then exits prior to the step that would shut down the service and proceed with upgrading. Because of this, you do not need to break the HA pair if you trigger the readiness-check using the shell.

Just want to update you all: I have opened a case with TAC, and now the FTD HA upgrade document and the bug details (CSCvm11203) have been updated.

There is also another issue you will run into when trying to run the readiness check in the CLI on an FTD HA pair: you have to use a different path than the one mentioned in the documentation, so another documentation bug has been opened for this, CSCvr33814.
