5032 Views | 17 Helpful | 25 Replies

Is FMCv supported on vmware ESXI 8.x?

lcaruso
Level 6

FMC docs state it runs on ESXI 7.0 but nothing higher unless I missed something. 


25 Replies

Milos_Jovanovic
VIP Alumni

Hi @lcaruso,

Based on Compatibility Matrix, VMware 7.0 is officially last listed version, even for FMC v7.3. I even tried digging from FTDv Virtual Getting Started Guide for v7.3, but that document doesn't even mention VMware version at all.

Kind regards,

Milos

marce1000
VIP

- FYI: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/compatibility/management-center-compatibility.html#reference_7CC9392196754AD38B5250A9183027C8 , standard = not mentioned = not supported.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Question for VMware experts out there--all I can buy is a VMware 8.x license, but VMware has a license downgrade procedure. My question is: does VMware 8.x have backwards compatibility for VMs that require a VMware 7.x environment? And does downgrading the license unlock a different compiled code base to run? Does the product dynamically load the correct code base based on license?

lcaruso
Level 6

Thank you both for taking the time to answer. 

robertyoung
Level 1

Word to the masses here.

I only stumbled across this post while trying to work out why my FMCv upgrade from 7.0.5 to 7.2.5 failed and here is the reason:

vSphere 8.

We were running a vSphere 7 environment, to which I deployed the FMCv and configured it to handle our HA pair of 1120 firewalls.

A number of months ago, I upgraded the vSphere environment to vSphere 8.  The FMCv continued to run without any issue.

Only when I came to do the upgrade of the FMCv from 7.0.5 to 7.2.5 and had the console tell me the upgrade was successful, I rebooted.  Then nothing.  The upgrade had NOT completed successfully.  I was left with a repeating error.

Further attempts to deploy 7.2.5 and 7.4 from the OVFs resulted in immediate failure.

vSphere 8 has been around for well over 6 months now and pre-releases will have been available to Cisco for far longer.

Why is this not supported?  I now need to find an alternative solution and quite frankly, I am utterly fizzing.

You can nest an ESXi 7 instance on an ESXi 8 server and it will work.

Official support for FMCv and FTDv on vSphere 8 is projected for the next major release after the current 7.4.x - expect it in 7.6 in mid-2024.

That's great to hear, however the issue is I now need to rebuild the FMCv and the configuration has disappeared with my now broken FMCv.

I cannot truly express how furious I am.

If you had backups enabled on the FMC previously, they should be retrievable via scp and can be located on the FMC disk under /var/sf/backups.

robertyoung
Level 1

Hi all.  A less than brief update on what happened with our environment and how we recovered from it.

Our organization was running vSphere 7.0.3 with the FMCv 7.0.5 deployed to it and all was well.  We carried out the upgrade to vSphere 8 a number of months back and the FMCv continued to function under v7.0.5.

I attempted to update the software on the Firepower 1120 HA pair from within the FMCv but got the error that the FMCv needed to be on a higher version than the 1120s.  So, in order to allow me to upgrade them, I first set about upgrading the FMCv.  This is where it all went wrong.  The FMCv was, for the most part, utterly wrecked.  The upgrade was broken, I couldn't log into the web interface.  I tried getting access to it via Putty and this, thankfully, worked, however I wasn't able to do much.

Thankfully I got access to the FMCv using WinSCP and was able to retrieve some config backups that were in place.

Note: To enable access via WinSCP you need to log into the device via PuTTY and run the following commands:

>expert

>sudo usermod --shell /bin/bash admin

You will then be able to connect using WinSCP.

To switch back, run:

>sudo usermod --shell /usr/bin/clish admin

I had a ticket open with Cisco TAC, however they weren't really that much use.  I genuinely feel that they didn't understand what had gone wrong or, more importantly, how to fix it.  They had suggested that if I deployed a new FMCv and pointed the 1120s at it, then my config would be gone from them.


How I managed to fix it:

As we didn't have any spare vSphere hosts at v7.0.3, with our entire production environment on v8, I installed ESXi 7.0.3 onto a desktop PC with enough resource to run the FMCv and rolled out the OVF of FMCv 7.0.5. I then uploaded the backup I had recovered via WinSCP earlier to the new FMCv. I was able to connect to the web interface and log in. I then restored the backup to the new FMCv.

At this point, the two 1120s in the HA group were showing as in a critical state with no heartbeats being received by the FMCv. This was down to the FMCv having a different IP address from the original. This was rectified by changing the DHCP reservation and rebooting the FMCv to allow the new lease to take effect.

Finally, I joined the ESXi installation on the desktop PC to the vSphere 8 cluster and did a storage and compute vMotion from the ESXi 7.0.3 desktop PC install onto one of our vSphere 8 based hosts and the attached SAN.

The FMCv has been running since without any issue, however...

If we are unable to update the FMCv to the latest version due to vSphere 8 being unsupported, this also means that we are unable to update the software on the Firepower 1120s.  Surely this needs to be a critical issue for Cisco as their customers are being left high and dry with no support path for critical software updates for their firewall estate.
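The usermod steps in the post above swap the admin account's restricted CLI shell for a general-purpose one so that SCP works; the practitioner's follow-up is to confirm the second usermod actually put it back, since an admin account left on /bin/bash bypasses the restricted CLI. The script below is an added example, not code from the thread or from Cisco: it reads the login shell from a passwd-format file and reports whether it matches the restricted shell. It assumes the restricted shell path /usr/bin/clish and the account name "admin" from the commands above; the sample passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that the admin account's login
# shell was reverted to the restricted CLI after a temporary usermod change.
# Assumptions: the restricted shell is /usr/bin/clish and the account is
# "admin", both taken from the commands in the post above.

RESTRICTED_SHELL="/usr/bin/clish"

# Print the login shell (7th passwd field) recorded for user $1 in the
# passwd-format file $2; exit status 1 if the user is not listed.
shell_of_user() {
    awk -F: -v u="$1" '
        $1 == u { print $7; found = 1 }
        END      { exit !found }
    ' "$2"
}

# Exit status: 0 = user is on the restricted shell, 1 = user still has a
# general-purpose shell (the revert never happened), 2 = user not found.
check_restricted_shell() {
    shell=$(shell_of_user "$1" "$2") || return 2
    [ "$shell" = "$RESTRICTED_SHELL" ]
}

# Constructed sample passwd files (not copied from a real FMC).
SAMPLE_REVERTED=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'admin:x:1000:1000::/home/admin:/usr/bin/clish' > "$SAMPLE_REVERTED"

SAMPLE_LEFT_OPEN=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'admin:x:1000:1000::/home/admin:/bin/bash' > "$SAMPLE_LEFT_OPEN"

# On a live appliance, run this after the second usermod:
#   check_restricted_shell admin /etc/passwd && echo "admin shell reverted"
```

Running the check against /etc/passwd from the expert shell (or a copy pulled alongside the backups) gives a yes/no answer that can be recorded with the change ticket, which is the kind of evidence an auditor will ask for when a privileged account's shell has been altered, even temporarily.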

The FMC 7.2 upgrade guidelines do specifically state that "VMware vSphere/VMware ESXi 6.5, 6.7, or 7.0" is required.

Reference: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/upgrade/management-center/720/upgrade-management-center-72/requirements.html#Cisco_Reference.dita_e99ca027-6ded-436e-a882-d0d35d6359b0

I can confirm based on first hand experience that if you create a nested ESXi 7.0 instance on an ESXi 8.0 host, you can then proceed to run FMC 7.0 or 7.2 (and even upgrade to 7.4+).

Yeah I understand that it CAN be run in a nested VM, however our clients mandate that we need to be bang up to date with production versions of software and that includes vSphere/ESXi.  We would fail an audit and potentially materially impact on the ability to retain the contract for a large number of our clients.

Almost any client requiring up to date software in general will accept documented third party vendor requirements to run a lesser version.

It's considered a valid compensating control in PCI, HIPAA or other regulatory regimes to document the deviation and have in place a process to review and validate it regularly.

ESXi 7.0 is being actively supported by VMware through April 2025.

https://lifecycle.vmware.com/#/

robertyoung
Level 1

Keen to know if there has been any progress on vSphere 8 supported version of FMCv.  We are almost halfway into the year with little or no suggestion that there will be a release any time soon.  The cynic in me holds the belief that this may be an attempt to kill off the FMCv and push customers to physical hardware for FTD management.


The next release (7.6 - due out later in 2024) will officially support ESXi8 for FMCv, FTDv and ASAv.
