07-14-2016 12:03 PM - edited 03-12-2019 06:04 AM
We're looking at deploying 40+ Firepower ASA modules across our network (multiple sites) and I'm trying to find the best (read: fastest, least administrative) way to bring these modules up from 5.4.1.0 (the base system image) to 5.4.1.7, which runs on our management console. It seems that doing individual incremental upgrades is more successful, but it is very time consuming. Is there a system image with the patches slipstreamed? Pushing 5.4.1.7 seems to fail really frequently for some reason... working with TAC on that though.
07-14-2016 10:59 PM
Hi Brian,
Could you share the error which you are getting after pushing 5.4.1.7 so that we can assist you further?
Thanks,
Ankita
05-02-2017 10:21 AM
We've got quite a few FirePOWER customers now and literally several dozen 5.4 to 6.x SFR upgrades to get scheduled. Incremental upgrades can take most of a day per device to follow the insane process, and customers don't want to see big labor bills for what to them should be a simple upgrade. The answer cannot be to tear out ASAs for Meraki. Even complete mass reimaging can take hours per device and bomb for various reasons. There needs to be a faster way to maintain these. Any ideas?
05-02-2017 09:26 PM
Unfortunately re-imaging is currently the fastest method.
When I do upgrades and am on an hourly rate, I don't pass on the cost of every minute the device spends on the upgrade script. I figure that's only fair since I only look in on it in the background while I am engaged with other tasks. Typically that translates to about an hour for a re-image and 2 or so for several cascaded incremental upgrades where re-imaging is not an option for one reason or another.
The Cisco business unit is aware that upgrades are a pain point and is taking steps to make them less cumbersome going forward.
However as of the current 6.2.0.1 release that's how it is.
05-03-2017 06:48 AM
I'm seeing from multiple sources that reimaging is the best bet vs. the insane incremental path in some cases. Granted, we've seen lighter shades of incremental headaches on WLC, ACS and other systems not running a monolithic image but this is particularly cumbersome as you say. Compared to upgrading IOS, IOS XE, NX-OS, ASA, etc., it is quite obvious to customers that FirePOWER upgrades have a disproportionate work requirement. This is not only a friction point with customers in keeping these devices up to date but makes them think twice about getting deeper into FirePOWER implementation.
Our engineers have often been billing only a portion of the time spent on these upgrades, depending on what issues they run into, but even a few hours to upgrade one FMC VM & SFRs on an ASA pair raises a customer eyebrow. Telling a customer with just a dozen firewalls that we need to put an engineer on FirePOWER upgrades alone for a couple days has created billing issues and we've had some where we incurred a lump of time we couldn't bill or had to open TAC cases for upgrades that went off the rails for no good reason. It's not good from services value, scheduling or resource consumption aspects either.
We are anxious to see Cisco bundle these upgrades better, hopefully to the point that, like on IOS XE, a bundle image of several packages self-deploys, self-verifies and upgrades whatever previous version to current in one image & reboot, even if it needs to update file system, bootloader, microcode or whatever. Until such time, we struggle to upgrade these like everyone else looking for a better faster way.
05-03-2017 07:12 AM
When I do a re-image, I do not use the Cisco notes. I re-image the old-fashioned way... if you can follow my thoughts...
It is much faster than the release notes or user guide.
The Cisco release notes re-imaging process is still convoluted after more than 10 years.
05-03-2017 07:22 AM
I agree with your points. There's lots of opportunity for improvement in the FP upgrade process and time required.
If you're with a partner be sure to channel your feedback to your Cisco GSSO Security SE. It's real world experiences like ours that help prioritize and guide product development.
Coincidentally the Security SE Virtual Team event is going on in San Jose this week and we are making sure to provide whatever good feedback we have to make sure our points are heard.
07-15-2016 10:54 AM
This is common, when you try to push all upgrades or patches at the same time. In theory it should work. Just do a group of 5 first, wait until it starts the process (looking at the task manager when it hits 1 to 7%), then proceed with the next batch of 5. And so on.
07-15-2016 12:03 PM
Hello Brian,
As a best practice, it's always recommended to refer to the release notes for the specific version that you are trying to move to.
http://www.cisco.com/c/en/us/td/docs/security/firesight/5408/relnotes/FireSIGHT-System-Release-Notes-version5408-and-5417.html
These release notes will help you to plan your upgrade based on an average estimated time. First of all, make sure that you meet all version requirements to move to the targeted version. During the maintenance window you can upgrade multiple Firepower modules together. Please attach a screenshot of the error that you faced at 7%. Another important thing that you have to make sure of is to always reapply the access control policies to all the Firepower modules before you attempt the upgrade, otherwise the upgrade may fail.
Rate if the post helps you
Regards
Jetsy
05-03-2017 07:08 AM
Brian,
If you can manage to re-image to 6.2 you will be in a better position to work resolution of issues than under 5.4.x. Or at least try 6.1.x.
ed