Re: Updating FTD 6.2.2.1-75 to 6.2.2.2-4 - System does not show if update is applied or not

Leon1 · ‎01-31-2018

Hello!

I updated my Firepower Threat Defense from 6.2.2.1 Build 75 to 6.2.2.2 Build 4, as this update was released yesterday.

The Update process starts and logs me off, like I expect. Then after some minutes my ping to the ASA is lost and after some minutes it comes back. So I think it reboots. After some time the web interface is reachable again.

When I log on the device, it still shows Version 6.2.2.1-75 to me. I am totally confused about this. I retried it four times, but got the same result. So I tried to find some update logs, but I didn't find them.

What I found is an empty file called "Cisco_FTD_Hotfix_AB-6.2.2.2_build_4_applied" in the directory "/var/log".

This update is related to a high risk security exploit and I need to be absolutely sure if it is applied or not. Has anybody applied it too and could confirm that something is wrong on my side or within the update?

I am also a little bit confused about the versioning in software.cisco.com.

It shows the wrong version also:

Firepower Threat Defense Hotfix 6.2.2.1
Cisco_FTD_Hotfix_AB-6.2.2.2-4.sh.REL.tar

Please help me, as my device remains offline, until this is fixed.

Cheers

Leon

mikael.lahtela · ‎01-31-2018

Hi,

Are you using FMC or FDM?
You should contact TAC if your network is down.

br, Micke

Leon1 · ‎01-31-2018

Hello!

excuse me for misunderstanding. My network is not down. I shutdown VPN for this device, until I am sure the Hotfix is applied.

I am using FTD Device Manager sadly you could not use FMC and Device Manager at the same time.

Cheers

mikael.lahtela · ‎01-31-2018

Ok great, I usually open TAC anyways if there is issues with updates as it can really mess things up if it fails.
What platform are you using?

br, Micke

Leon1 · ‎01-31-2018

ASA 5500-X

mikael.lahtela · ‎01-31-2018

Ok,
If you downloaded the file and did not unpack the file before upgrade I think you should contact Cisco TAC.
Looks like you are using the correct file and if you have read the release notes and follow the correct upgrade procedure it should work.
I haven't tried this upgrade yet.

br, Micke

Rahul Govindan · ‎01-31-2018

I did an update to a 4120 deployment running FTD yesterday and did not see any issues after the upda. But this was not in full production yet so can't confirm if there are any major issues with traffic like you see. Like Mikael mentioned, open a TAC case if it is impacting your traffic.

Leon1 · ‎01-31-2018

I do not see traffic issues.

I can not confirm whetever the update is applied or not.

The system still shows Version 6.2.2.1 but there is an empty log file which says it was applied.

mikael.lahtela · ‎01-31-2018

Can you check if you find this file in expert mode in FTD.
/ngfw/var/log/update.status
Sanitize the file and post it here?

br, Micke

Rahul Govindan · ‎01-31-2018

I checked my status log and it shows as upgraded:

ui:[98%] Running script 999_finish/999_z_complete_upgrade_message.sh...
ui:[98%] Upgrade complete
ui:[99%] Running script 999_finish/999_z_must_remain_last_finalize_boot.sh...
ui:[99%] Running script 999_finish/999_zz_install_bundle.sh...
ui:[100%] The system will now reboot.
ui:System will now reboot.
ui:[100%] Installation completed successfully.
ui:Upgrade has completed.
state:finished
admin@ftd2:/ngfw/var/log/sf/Cisco_FTD_SSP_Hotfix_AB-6.2.2.2$

Leon1 · ‎01-31-2018

I searched through the logfiles and found something! thanks for pointing me in the correct direction.

...

ui:[98%] Running script 999_finish/999_z_complete_upgrade_message.sh...
ui:[98%] Upgrade complete
ui:[99%] Running script 999_finish/999_z_must_remain_last_finalize_boot.sh...
ui:[99%] Running script 999_finish/999_zz_install_bundle.sh...
ui:[100%] The system will now reboot.
ui:System will now reboot.
ui:[100%] Installation completed successfully.
ui:Upgrade has completed.
state:finished
...

looks good, but when I enter "show version", it shows me the following:

> show version
----------------------[ fw1 ]-----------------------
Model                     : Cisco ASA5508-X Threat Defense (75) Version 6.2.2.1 (Build 73)
UUID                      : <a guid was here>
Rules update version      : 2018-01-24-001-vrt
VDB version               : 292
----------------------------------------------------

hmmm .

mikael.lahtela · ‎01-31-2018

I'm upgrading my lab now, so I will see my show version.
Might be that HF is not showing there.

br, Micke

mikael.lahtela · ‎01-31-2018

Not sure if this works on 5500x FTD but try check this:
connect to FTD
> system support diagnostic-cli
firepower> show ver

Before update on a 2100:
Cisco Adaptive Security Appliance Software Version 9.8(2)10
Firepower Extensible Operating System Version 2.2(2.63)

After update with HF:
Cisco Adaptive Security Appliance Software Version 9.8(2)12
Firepower Extensible Operating System Version 2.2(2.63)

Version output in FTD is still same Cisco Firepower 2110 Threat Defense (77) Version 6.2.2.1 (Build 80)

br, Micke

Leon1 · ‎01-31-2018

hey thank you very much in assisting me.

firepower> show ver
----------------------[ fw1 ]-----------------------
Model                     : Cisco ASA5508-X Threat Defense (75) Version 6.2.2.1 (Build 73)
UUID                      : <guid was here>
Rules update version      : 2018-01-24-001-vrt
VDB version               : 292
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.8(2)12
Firepower Extensible Operating System Version 2.2(2.52)

This is my output.

So you could confirm the version is not changed after hotfix.

mikael.lahtela · ‎01-31-2018

I would say that it is upgraded.

This is same in my 2100 after upgrade:
Cisco Adaptive Security Appliance Software Version 9.8(2)12
I think Cisco has a special ASA image in the FTD upgrade that is fixed.

br, Micke