10-08-2019 08:20 PM - edited 02-21-2020 09:34 AM
Hi,
I have an upcoming software upgrade and have the questions below; I need answers, please.
Upgrading
1 - vFMC
2 - ASA 5516 with firepower module (Active/Standby)
3 - FTD2100 (Active/Standby)
4 - FTD Standalone
5 - ASA5516 Standalone
Questions :
1 - Can I do the software upgrade on the FTD2100 nodes through vFMC without going to the CLI? How much traffic interruption will there be, and how will this work, i.e. will FMC switch over the firewalls to minimize interruption/outage?
2 - Can I do the software upgrade on the ASA with FirePOWER module through vFMC without going to the CLI, and how much traffic interruption/outage will there be?
3 - As far as I know, vFMC will be done first and then the FTD/ASA with FirePOWER.
4 - Best practice for the software upgrade to avoid an outage for production traffic?
5 - Current versions on vFMC and FTD are 6.4.1, and we are upgrading to 6.4.5.
6 - I think the upgrade of the standalone FTD and ASA with FirePOWER will be more straightforward through vFMC.
10-09-2019 08:48 AM
@Fantas ,
1 - Can I do software upgrade on FTD2100 nodes through vFMC and not going to cli and how much will be the traffic interruption and how this will work like FMC will switchover firewalls to minimize interruption/outage
Yes, that is the preferred and recommended method. With HA pairs, it works much like ASA HA upgrades except FMC takes care of doing both units for you (standby first and then it takes on active role and upgrades former active unit).
2 - Can I do software upgrade on ASA with firePower module through vFMC and not going to cli and how much will be the traffic interruption/outage
Yes, that is preferred. For an HA pair there is no outage, just a failover when the Active unit's Firepower module goes down for upgrade. For single units, if your service policy is set for fail-open (by far the most common option), there is no outage either.
3 - As far as I know vFMC will be done first and then FTD/ASA with firepower
Correct
4 - Best Practice of software upgrade to avoid outage for production traffic
Read the release notes and follow the upgrade guide.
5 - current versions on vFMC and FTD are 6.4.1 and upgrading to 6.4.5
I think you mean 6.4.0.1 to 6.4.0.5
6 - I think upgrade of standalone FTD and ASA with firepower will be more straight forward through vFMC,
Yes
10-09-2019 05:01 PM
Many Thanks,
I am going to attempt this soon.
For the ASA with Firepower service module, how will this work?
Will FMC upgrade the ASA software version and then the FirePOWER service module version?
Do we really need to upgrade the ASA software version, or can we just do the Firepower service module upgrade through FMC?
10-09-2019 05:41 PM
Ok.
The FMC does not interact with the ASA software at all. It only interacts with the Firepower service module which is analogous to a VM running on the ASA hardware alongside the ASA software.
You should check the compatibility guide to see whether an ASA software upgrade is necessary or recommended for your target Firepower service module software version.
10-10-2019 09:09 PM
great.
So I can upgrade a Cisco ASA with Firepower service module with the steps below:
1 - Upgrade the ASA part the normal way, like we upgrade other ASAs.
2 - Once the ASA is upgraded as above, upgrade its Firepower service module through FMC.
And if we have an active/standby ASA pair with Firepower service modules, FMC will upgrade both service modules (active/standby) and reboot them one by one.
Is the FXOS CLI for the Firepower service module? I have seen some CLI commands in upgrade processes.
10-11-2019 01:20 AM - edited 10-11-2019 01:30 AM
1. Yes, as usual for ASAs.
2. When upgrading an FTD HA pair from FMC the FMC takes care of the order of upgrades and ensuring one unit succeeds before upgrading the second one. That's because the FTD units are aware of each other.
If you have ASAs with Firepower service modules they are independent modules with no state communications between them as that is not inherited from their associated ASAs. So FMC can upgrade them but doesn't take care of the failing over and checking bits. That's up to each respective ASA.
Depending on the environment's sensitivity to loss of Firepower services I either:
a. upgrade both target modules as a group (letting the failover happen as it may between the respective ASAs when they detect a service module failure once the first one in the pair enters maintenance mode), or
b. upgrade one and then the other separately, taking care to manually fail over the ASAs in between so that there is continuous availability of Firepower services.
On FTD devices there is a CLI known as clish. There's also an FXOS CLI for the hardware on Firepower appliances, as well as a LINA CLI ("system support diagnostic-cli"), which is the classic ASA code ported onto the new system. It's a pretty complicated set of pieces. There are only a few commands for changing system configuration; the vast majority must be done via the management interface: FMC (which communicates via sftunnel), Firepower Device Manager (via API), or the Cisco Defense Orchestrator cloud-based product (also via API). For the very adventurous, you can also manage using your own orchestration toolset via API.
I would recommend a book if you want to understand those better, rather than a forum posting. See Nazmul Rajib's Cisco Press book (also available via O'Reilly / Safari):
http://www.ciscopress.com/store/cisco-firepower-threat-defense-ftd-configuration-and-9780134679518
08-16-2021 03:10 AM
Hello Marvin,
regarding your answer:
2 - Can I do software upgrade on ASA with firePower module through vFMC and not going to cli and how much will be the traffic interruption/outage
Yes that is preferred. For HA pair there is no outage. Just a failover when the Active unit's Firepower module goes down for upgrade. For single units if your service policy is set for fail-open (by far the most common option) there is no outage as well.
Unfortunately, I can't find any official instructions on how to upgrade the Firepower modules.
Nowhere is it described which module I should start with.
Do I start the upgrade with the active module first, or with the secondary?
Do you know of an official manual?
Thanks a lot.
08-16-2021 05:06 AM
Upgrade the one not handling traffic first (i.e., the module in the standby ASA). After it shows as up/up from the ASA CLI ("show module sfr"), verify the ASA is in Standby Ready state, then switch the ASA to the Active role ("failover active").
There are detailed upgrade instructions in the following guide:
07-06-2024 02:35 AM
I need assistance to upgrade the ASA and FTD versions on our device. I have already copied the .TAR file into the FTD, but I am encountering some challenges during the installation process.
Here are the steps I need to complete:
Could you please provide guidance on the following issues:
... .TAR file for the FTD upgrade?
Any assistance you can provide would be greatly appreciated. Please let me know if additional information is required from my end.
Thank you in advance for your help.
07-06-2024 05:57 AM
Hi @anil-kumar2
With this being a ~5 year old thread, I recommend you start a new thread with your question to keep it separate from this one.
And once you do, more context would be valuable to be able to offer any assistance or insights.
For example, based on your text one would assume you're using ASA with firepower services? Is this correct, or what is your setup like?
And what software version are you upgrading from (and to), for both ASA and FTD? (Depending on how "big" the upgrade is, you may need to follow a certain upgrade path.)
Are you using a FMC/management center to manage the FTDs? (This matters in how you proceed with upgrading the FTD.)
All of this would be valuable in order to give you the best help, and again, preferably in a thread of its own.
I wish you all the best on this.
07-08-2024 01:13 AM
Hi Jonathan,
Thanks for your reply. I created a new post with the subject line
"I'm encountering uploading IOS image on the ASA5508 & FTD same box"