
Steps and impacts during ASA FTD 5516 UPGRADING FROM v6 to v7

amralrazzaz
Level 5

I have a Cisco ASA5516-X Threat Defense firewall with IOS software version 6.6.5.1-15, and I'll upgrade to IOS version Cisco_FTD_Upgrade-7.0.1-84.sh.REL.tar, so I need help to get the correct steps to follow in sequence. Also, my question about upgrading from v6 to v7: what impact will I face?

Will settings and current configurations be lost during the upgrade? If yes, then what shall I do? If I took a backup from v6, will it work to restore the configurations after the upgrade, or do I have to reconfigure from scratch?

Will the SmartNet and base licenses be lost during the upgrade?

 

amr alrazzaz
Accepted Solutions

Thanks for the support. I would like to inform you that the issue has finally been resolved. The issue was that the certificate had expired and needed to be renewed: I created and installed a new self-signed certificate, then tried to run the upgrade again, and it worked. The ASA FTD has been upgraded to 7.0.1 successfully.

Useful links used for certificate creation:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html

https://getacert.com/signacert.html

https://www.youtube.com/watch?v=Exo6HW9c8h0&t=310s

 

amr alrazzaz


Marvin Rhoads
Hall of Fame

Follow the guide that is included in the release notes:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/upgrade.html#Cisco_Generic_Topic.dita_f5e65f64-d2ac-4a1f-bdc5-4bd93d5d6def

There's no reason to go to 7.0.1 unless you want to exactly match some other device for testing reasons. The suggested release would currently be 7.0.6.

All of your current settings and configurations should be preserved across the upgrade.

My device is managed via FDM, not FMC, so is it okay to start the upgrade from the GUI directly? As for the configurations, I hope they will remain; otherwise I have to reconfigure from scratch, because I think the backup taken from version 6 is not compatible to be restored on version 7!

amr alrazzaz

Yes, see Table 4 in the link I shared - it specifically covers FDM-managed devices.

You are correct that a version 6 backup must be restored on a version 6 device. In the event of a catastrophic failure, you could reimage to version 6 and then restore. But that's quite unlikely.

Just to add to what @Marvin Rhoads has already mentioned, it is always a very good idea to read the release notes before upgrading. Not only do they provide information on upgrade paths and procedures, they also provide information on bugs and other changes to the software that might affect you.

That being said, I have done many upgrades from 6.6.5 to 7.0+ and have never experienced any issues during the actual upgrade. I have, however, hit a few bugs after the upgrade and the FTD has been running the code for a little while.

--
Please remember to select a correct answer and rate helpful posts

Thanks for your reply, and just to confirm the below:

1- Shall I go directly for the upgrade from 6 to 7 using the GUI from the website, or is it better to connect a device back-to-back with the FW itself?

2- After the upgrade I'll lose the configurations and will also lose the SmartNet licenses, am I right? In that case I have to reconfigure the FW from scratch because I cannot restore the backup from 6 to 7! Also I have to restore the SmartNet license!

Thanks again for the support, and if you have a nice YouTube video about the steps, that would be great!

 

amr alrazzaz

1. For FDM-managed devices, you upload the upgrade file to FDM and then select "upgrade". It's all done within the GUI.

2. Backup is recommended but not required. It is only needed for recovery in the event of a failure. Upgrading via the FDM GUI does not cause any loss of configuration nor does it require license re-registration.

I tried twice to upgrade the ASA but it still had no effect; the current version is the same, 6.6.5.1-15, and was not upgraded to Cisco_FTD_Upgrade-7.0.1-84.sh.REL.tar. I checked the upgrade progress via SSH using show upgrade status, and the output is below, but it seems not completed!

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (22% progress, time remaining 31 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating Operating System... (300_os/100_install_Fire_Linux_OS_aquila.sh (in background: 200_pre/600_ftd_onbox_data_export.sh))

>
> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (22% progress, time remaining 31 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating Operating System... (300_os/100_install_Fire_Linux_OS_aquila.sh (in background: 200_pre/600_ftd_onbox_data_export.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (22% progress, time remaining 31 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating Operating System... (300_os/100_install_Fire_Linux_OS_aquila.sh (in background: 200_pre/600_ftd_onbox_data_export.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (35% progress, time remaining 26 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled. 

Current state: Updating FTD software... (500_rpms/550_configure_mysql.pl)

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (57% progress, time remaining 17 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating configurations... (800_post/880_install_VDB.sh (in background: 800_post/100_ftd_onbox_data_import.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (57% progress, time remaining 17 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating configurations... (800_post/880_install_VDB.sh (in background: 800_post/100_ftd_onbox_data_import.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (57% progress, time remaining 17 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating configurations... (800_post/880_install_VDB.sh (in background: 800_post/100_ftd_onbox_data_import.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (57% progress, time remaining 17 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating configurations... (800_post/880_install_VDB.sh (in background: 800_post/100_ftd_onbox_data_import.sh))

> show upgrade status
Upgrade from 6.6.5.1 to 7.0.1 in progress (57% progress, time remaining 17 mins)

Started: Thu Nov 02 09:45:31 UTC 2023

Auto cancel on upgrade failure enabled.

Current state: Updating configurations... (800_post/880_install_VDB.sh (in background: 800_post/100_ftd_onbox_data_import.sh))

> show upgrade status
>
Broadcast message from root@EGCAI01-Firepower (Thu Nov 2 10:07:08 2023):


System going to reboot due to upgrade cancel.  ((I'm not canceling anything; it was canceled by itself and went back to the previous version!!!))


Broadcast message from root@EGCAI01-Firepower (Thu Nov 2 10:07:13 2023):

The system is going down for reboot NOW!

 

 


 

 

amr alrazzaz

There should be a file "status.log" in a folder on the ASA operating system. Log into the clish and change to expert mode. Then look under /var/log/sf for a folder with the name of the 7.0.1 upgrade. The last few lines of the log file will usually tell you exactly where it is failing.

admin@EGCAI01-Firepower:~$ cat /etc/sf/patch_history
6.6.1-91
6.6.5-81
6.6.5.1-15
Hotfix_DA-4__856373902

bash: /var/log/sf: Is a directory
admin@EGCAI01-Firepower:~$ cat /var/log/sf
cat: /var/log/sf: Is a directory

Just from your experience, I need to ask if you know: can I directly upgrade the ASA device from the current version I have, 6.6.5.1 (Build 15), to for example version 7.0.1 using the GUI directly?

Or shall I first upgrade from what I have to a specific version and then upgrade again to the approved version?

Or what is the right upgrade path starting from what I currently have, 6.6.5.1 (Build 15)? Is it okay to go directly to 7.0.1, or is there something in between to upgrade to before going to 7.0.1?

 

 

amr alrazzaz

cd to /var/log/sf and then look for the folder specific to the 7.0.1 upgrade. cd into that folder and then you will find status.log file.

The direct upgrade should work as you are attempting. The GUI will not allow you to proceed with an invalid upgrade path.

And then admin@EGCAI01-Firepower:/var/log/sf$ ?? Because nothing comes up, no output?

amr alrazzaz

> expert
admin@EGCAI01-Firepower:~$ dir /var/log/sf/
Cisco_FTD_Hotfix_DA-6.6.5.2
Cisco_FTD_Patch-6.6.5.1
Cisco_FTD_Upgrade-6.6.5
Cisco_FTD_Upgrade-7.0.1.1698919627.rollback
Cisco_FTD_Upgrade-7.0.1.1698924488.rollback
Cleanup_23.11.02_09.47.54.log
Cleanup_23.11.02_11.08.56.log
GeoDB_update_info.txt
SW_update_info.txt
VDB_update_info.txt
current_cancel_status.log
current_update_status.log
db_manage.log
fdm_upgrade_status.log
ftd-upgrade-stack.log
geodb-2022-03-28-002
geodb-2023-10-05-100
initial_setup.log
last_update_info.json
policy_deployment.log
policy_deployment.log.1.gz
policy_deployment.log.2.gz
policy_deployment.log.3.gz
policy_deployment.log.4.gz
prev_vdb-4.5.0-336_logdir__20211221_112725.tgz
sru-2020-08-18-001-vrt
sru-2021-05-03-001-vrt
sru-2022-03-28-001-vrt
sru-2023-10-25-001-vrt
ts_results
upgrade_status_api_stack.log
vdb-4.5.0-336
vdb-4.5.0-353
vdb-4.5.0-374
verify_file_integ.log
verify_signature.log
admin@EGCAI01-Firepower:~$

amr alrazzaz

Can I try to upgrade from the current version I have now, 6.6.5.1 (Build 15), to Cisco_FTD_Patch-6.6.7.1-42.sh.REL.tar and then jump to version 7.0.1? Or will it not work?

And by the way, what's the correct path starting from the current version I have now to upgrade to 7.0.1? I found that the minimum requirement for upgrading to 7 is to have version 6.4!

amr alrazzaz

The path to the upgrade logs is in /ngfw/var/log/sf then go into the 7.0.1 upgrade directory and look in the status logs there.

--
Please remember to select a correct answer and rate helpful posts
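
The log check described in the replies above, as an added example that is not part of any post in this thread: a shell helper, run from expert mode, that picks the newest Cisco_FTD_Upgrade-<version>* directory under the log root and shows where its status.log stopped. The function names are hypothetical, and treating the numeric suffix in the directory names as increasing over time is an assumption based on the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): find the newest upgrade-attempt directory
# for a target version and show where its status.log stopped.

# Print the newest directory named Cisco_FTD_Upgrade-<version>* under the log root.
# Assumption: the numeric suffix seen in the listing (e.g. .1698919627.rollback)
# grows with time, so the last name in sorted glob order is the latest attempt.
latest_upgrade_dir() {
    log_root=$1
    version=$2
    newest=""
    for d in "$log_root"/Cisco_FTD_Upgrade-"$version"*; do
        # Skip plain files and the unexpanded pattern when nothing matches.
        if [ -d "$d" ]; then
            newest=$d
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Print the last N lines of status.log from that directory, then every line in
# the file that mentions a failure, so the failing script name stands out.
upgrade_failure_summary() {
    log_root=${1:-/ngfw/var/log/sf}
    version=$2
    lines=${3:-20}
    dir=$(latest_upgrade_dir "$log_root" "$version") || {
        echo "no upgrade directory for $version under $log_root" >&2
        return 1
    }
    log="$dir/status.log"
    if [ ! -f "$log" ]; then
        echo "no status.log in $dir" >&2
        return 2
    fi
    echo "== $log (last $lines lines) =="
    tail -n "$lines" "$log"
    echo "== lines mentioning failure =="
    grep -inE 'fail|fatal|error' "$log" || echo "(none)"
}

# Usage on the device: upgrade_failure_summary /ngfw/var/log/sf 7.0.1 20
```
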