FTD HA upgrade from FMC.

stuart.rock
Level 1

Hi, I just want to check something.

Cisco states that to upgrade an HA pair, FMC will upload (push) the software to the primary, which will then sync to the secondary (my FMC is on 6.2.3.4, my FTDs on 6.2.1).

When I go to select the device to upload to, I have the choice of both FTDs - why, or why not just the primary?

So I selected both and ran the push. Two tasks appeared: the first copied to the primary device; by design or because it was the first selected? The second to the secondary. The first took 1 hour, the second took 2 hours.

Can someone explain if I did right or should I have only selected one device? And also what happened? Did the FMC upload the file twice, or once and the FTD copied it over? In either case, why the massive time difference?

Finally, am I correct in thinking that to go from 6.2.1 to 6.2.3.4 I need to first upgrade to 6.2.3 then patch to 6.2.3.4?

Many thanks

s

7 Replies

Abheesh Kumar
VIP Alumni

Hi,

When FTD is in HA you cannot upgrade a single device; you need to select both the devices. First you need to push the update to the devices: you will select the HA-Pair, and normally this will not take more than 5-10 mins. It will push the update to the active first, then to the standby. Once this is done you can select the HA-Pair for upgrade. The upgrade will start on the standby first, and once the standby is upgraded it will switch over traffic from active to standby and start upgrading the other one.

Upgrade path will be 6.2.3 >> 6.2.3.4

HTH

Abheesh

Thanks.

I may not have been clear on what I was asking:

"when I go to select the device to upload to, I have the choice of both FTDs - why, or why not just the primary?"

I want to know why I am able to choose both. I understand that I want to upgrade both, but if Cisco "takes over" and copies the file from the active to the passive, why not just present the active as the target and let Cisco do its thing?

Next:

Accepting that the ability to choose both FTDs IS valid, then why are two tasks submitted if the 2nd (copy to passive device) is an automated "Cisco" task? If indeed this is still valid, why did the copy to the secondary device (assuming this is a copy from FTD to FTD) take twice as long as the initial upload?

I am not convinced that this is happening and think that two uploads from FMC are running. Can anyone contradict or prove otherwise?

BTW, my FMC is in London and my FTDs are in Bangkok, so I can accept the time taken for the first upload. The second seems odd given that it should be a local copy.

Re the upgrade path, I presume you mean 6.2.1>>6.2.3>>6.2.3.4, correct?

S

Hi,

The doc below will guide you through the upgrade procedure.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200896-Upgrading-an-FTD-HA-pair-on-Firepower-ap.pdf

Image pushing is from FMC to the FTDs, not from the primary FTD to the secondary FTD.

Upgrade path will be 6.2.1>>6.2.3>>6.2.3.4

Please check the FXOS compatibility before upgrading.

HTH

Abheesh

Thanks for your help Abheesh.

The FTDs in question are 2110, so it's bundled software - no need to check FXOS :)

My upgrade process in a nutshell is:

push 6.2.3 to FTD
run upgrade from FMC
test
push 6.2.3.4 from FMC
run upgrade from FMC
test

Re the pushing of software, see the comment cut from Cisco, especially the bold type:

Push the Upgrade Package to Managed Devices

In Version 6.2.3+, you can copy (or push) upgrade packages to managed devices before you run the actual upgrade. This helps reduce the length of your upgrade maintenance window. (Before Version 6.2.3, the Firepower Management Center copies the package to managed devices as part of the installation, and you cannot separate the tasks.)

When you push an upgrade package to a device cluster or stack, the Firepower Management Center first pushes to one unit, then to the others. When you push to a high availability pair, the Firepower Management Center pushes to the primary unit, which then synchronizes with the secondary.

So that is where my question arises. My setup didn't seem to follow this method, as there seemed to be two distinct pushes from the FMC. Three hours simply to push the software.

When I perform the second stage - 6.2.3>>6.2.3.4, I don't want to be waiting ages for two pushes to complete, as it may push me beyond my maintenance window. 6.2.3.4 is a lot smaller than 6.2.3 so timings will be lower - but still a potential "bump" with the second push that shouldn't really be there. Unless I am doing something wrong?

Can anyone enlighten me?

Rgds

S

Hi,

I understand your concern and you are doing the upgrade in the proper way. As far as I know, when you do an image push to HA-Pair devices there will be two instances shown in FMC for pushing the image to the devices, one for the primary and the other for the secondary. But as per the document you shared, image pushing to the primary FTD will be from FMC, then it will sync to the secondary.

Somebody from the Cisco FTD experts can explain why two instances are there....

HTH

Abheesh

The FMC upgrades the FXOS and Fire Linux portions of FTD, hence the parallel tasks within FMC. The active sync to standby is the ASA image syncing its configs, as any standard ASA would do in an HA setup.

Keep in mind that FTD is a stitched image running both the ASA code in the Octeon sub-processor and the Fire Linux running the Snort instances.
