Many Thanks,

I am going to attempt this soon.

For ASA with Firepower service module, how this will work like

FMC will upgrade ASA Software version and then FirePower service module version.

Do we really needs to upgrade ASA Software version or can do just Firepower service module upgrade through FMC

Ok.

The FMC does not interact with the ASA software at all. It only interacts with the Firepower service module which is analogous to a VM running on the ASA hardware alongside the ASA software.

You should check the compatibility guide to see whether an ASA software upgrade is necessary or recommended for your target Firepower service module software version.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60529

great.

So I can upgrade Cisco ASA with firepower service module with below steps

1 - upgrade ASA part through normal way like we upgrade other ASAs

2-Once ASA upgraded as above then upgrade its Firepower service module through FMC

and If we have cluster active/standby ASA with firepower service module, FMC will upgrade both service modules active/standby and will reboot one by one.

Is FXOS Cli is for firepower service module, I have seen some cli commands in upgrade processes

1. Yes. as usual for ASAs.

2. When upgrading an FTD HA pair from FMC the FMC takes care of the order of upgrades and ensuring one unit succeeds before upgrading the second one. That's because the FTD units are aware of each other.

If you have ASAs with Firepower service modules they are independent modules with no state communications between them as that is not inherited from their associated ASAs. So FMC can upgrade them but doesn't take care of the failing over and checking bits. That's up to each respective ASA.

Depending on the environment's sensitivity to loss of Firepower services I either:

a. upgrade both target modules as a group (letting the failover happen as it may between the respective ASAs when they detect a service module failure during once the first one in the pair enters maintenance mode) or

b. upgrade one and then the other separately taking care to manually failover the ASAs in between so that there is continuous availability of Firepower services.

On FTD devices the is an cli known as clish. There's also an FXOS cli for the hardware on Firepower appliances as well as a LINA cli ("system support diagnostic-cli") which is the classic ASA code ported onto the new system. It's a pretty complicated set of pieces. There are only a few commands for changing system configuration- the vast majority must be done via the management interface - FMC (which communicates via sftunnel) or Firepower Device Manager (via API) or Cisco Defense Orchestrator cloud-based product (also via API). For the very adventurous you can also manage using your own orchestration toolset via API.

I would recommend you a book if you want to understand those better vs. here in a forum posting. See Nazmul Rajib's Cisco Press book (also available via O'Reilly / Safari):

http://www.ciscopress.com/store/cisco-firepower-threat-defense-ftd-configuration-and-9780134679518

Hallo Marvin,

to your answer:

2 - Can I do software upgrade on ASA with firePower module through vFMC and not going to cli and how much will be the traffic interruption/outage

Yes that is preferred. For HA pair there is no outage. Just a failover when the Active unit's Firepower module goes down for upgrade. For single units if your service policy is set for fail-open (by far the most common option) there is no outage as well.

Unfortunately, I can't find any official instructions on how to upgrade the Firepower modules.
Nowhere is it described which module I should start with.

Do I start the upgrade with the active module first or with the secondary.
Do you know an official manual.

Thanks a lot

Upgrade the one not handling traffic first (i.e., the module in the standby ASA). After it shows as up/up from the ASA cli ("show module sfr"), verify the ASA is in Standby Ready state switch the ASA to Active role ("failover active").

There are detailed upgrade instructions in the following guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_asa_firepower.html

Hi @anil-kumar2 

With this being a ~5 year old thread, I recommend you start a new thread with your question to keep it separate from this one.

And once you do, more context would be valuable to be able to offer any assistance or insights.
For example, based on your text one would assume you're using ASA with firepower services? Is this correct, or what is your setup like?
And what software version are you upgrading from (and to), for both ASA & FTD? (Depending on how "big" the upgrade is, you may need to follow a certain upgrade path)
Are you using a FMC/management center to manage the FTDs? (This matters in how you proceed with upgrading the FTD.)

All of this would be valuable in order to give you the best help, and again, preferably in a thread of its own.

I wish you all the best on this.