Re: Updating FTD 6.2.2.1-75 to 6.2.2.2-4 - System does not show if update is applied or not - Page 2

Leon1 · ‎01-31-2018

Hello!

I updated my Firepower Threat Defense from 6.2.2.1 Build 75 to 6.2.2.2 Build 4, as this update was released yesterday.

The Update process starts and logs me off, like I expect. Then after some minutes my ping to the ASA is lost and after some minutes it comes back. So I think it reboots. After some time the web interface is reachable again.

When I log on the device, it still shows Version 6.2.2.1-75 to me. I am totally confused about this. I retried it four times, but got the same result. So I tried to find some update logs, but I didn't find them.

What I found is an empty file called "Cisco_FTD_Hotfix_AB-6.2.2.2_build_4_applied" in the directory "/var/log".

This update is related to a high risk security exploit and I need to be absolutely sure if it is applied or not. Has anybody applied it too and could confirm that something is wrong on my side or within the update?

I am also a little bit confused about the versioning in software.cisco.com.

It shows the wrong version also:

Firepower Threat Defense Hotfix 6.2.2.1
Cisco_FTD_Hotfix_AB-6.2.2.2-4.sh.REL.tar

Please help me, as my device remains offline, until this is fixed.

Cheers

Leon

TomKaspar · ‎02-05-2018

Are you sure? I installed hotfix 6.2.2.2-4 (new version AN).

I have ASA version 9.8(2)135

T.

Leon1 · ‎02-05-2018

The new Version was not tried. I will download and install it. Maybe the Version is chown correclty then. I will report.

TomKaspar · ‎02-05-2018

OK, but in system, I can't see new version (I see still version 6.2.2.1) :(

If I try install hotfix again, FMC show me same Firepower appliances. In FMC see old version FTD.

Did you open TAC for this issue?

T.

Rahul Govindan · ‎02-05-2018

They did replace the hotfix version yesterday. According to their download page:

We have replaced Hotfix AC with Hotfix AN; Hotfix AB with Hotfix AO.

I am going to try to see if there is a a change in the version after this hotfix install. So far, I don't think anyone's version has changed to anything other than the one they had before.

TomKaspar · ‎02-05-2018

OK, thank you. I installed last version (from yesterday).

I will wait for your info.

T.

Leon1 · ‎02-06-2018

Hey! I managed to install the new Hotfix and it changed a version, but not of the FTD.

Old hotfix:
Cisco Adaptive Security Appliance Software Version 9.8(2)12
Firepower Extensible Operating System Version 2.2(2.52)

Compiled on Thu 26-Oct-17 20:26 PDT by builders

New Hotfix:

Cisco Adaptive Security Appliance Software Version 9.8(2)135
Firepower Extensible Operating System Version 2.2(2.52)

Compiled on Fri 02-Feb-18 09:47 PST by builders

As you could see, there is a change in ASA version and in build time.

Cheers
Leon

yvesjvccnastudy · ‎02-06-2018

Have patched a couple of 2110
Can confirm the ASA version is now 9.8(2)135.

The FXOS version is confirmed:
Firepower Extensible Operating System Version 2.2(2.63)

Also a new but empty file in /ngfw/var/log/ named 'Cisco_FTD_SSP_FP2K_Hotfix_AN-6.2.2.2_build_4_applied'

mikael.lahtela · ‎02-07-2018

Same version for me now after upgrade with AN hotfix.

br, Micke

Marcel Tempelman · ‎02-13-2018

Hi,

I applied this patch to 6.2.2.1-80 (on a FP2110) and this is what I get on the CLI:

Cisco Adaptive Security Appliance Software Version 9.8(2)135
Firepower Extensible Operating System Version 2.2(2.63)

but the GUI is still giving me the option to upgrade:

I do not see any of the referenced logfiles in the log directory.

Correct if I'm wrong : the update has been applied but the GUI still does "not know"...

Regards,

Marcel.

Nik Jakop · ‎02-15-2018

Hey,

just to add to the topic,

We updated 2x 2110 from 6.2.2.1-75 to 6.2.2.2-4 via FMC and we are experiencing exactly the same issue.

After upgrade asa and os version changes but not FTD version, I also get option to "update" once again.

Regards

Nik

rayscue · ‎02-15-2018

Same problem here. Updated multiple times, but still shows 6.2.2.1 (80) instead of 6.2.2.2 (4).

TomKaspar · ‎02-16-2018

Yes, it's correct. You can't see new version FTD in FMC. But You can verify in LINA (ASA). New hotfix upgrade only ASA code. After upgrade, you can see ASA version 9.8(2)135

Tomas

Marcel Tempelman · ‎02-16-2018

Just the amount of replies shows how careful one should when releasing patches. Just adding a remark in the release notes or just get this right in the first place would have saved me an hour of troubleshooting (mostly due to the extremely slow upgrade procedure of FTD). I'll cut Cisco some slack because this was a patch for a critical vulnerability but QA is an issue at Cisco at the moment.

TCSPB · ‎02-16-2018

Ran into this issue today doing the update to our 2120's. Thanks to everyone here for pointing this out as I was about to waste my day calling TAC to find out what was going on here.