07-31-2019 02:59 AM - edited 02-21-2020 09:21 AM
Hi there,
I'm planning to upgrade the FTD version from 6.3 to 6.4. Also, my FTDs are running in HA.
I have checked the document "Upgrading an FTD HA pair on Firepower appliances".
After the first FTD is successfully upgraded, will the upgrade of the second FTD start automatically, and will the active state change as well?
However, there is a manual command in the document below, and I'm not sure exactly when I have to execute it.
Switching to Standby
I'm concerned about this because the FTDs are in production. The customer barely gives me any downtime, so I'm afraid of packet loss on the FTDs while upgrading.
Thank you
07-31-2019 07:40 AM
Yes - when you upgrade from FMC the Primary/Secondary FTD upgrades will be sequenced by FMC.
The manual failover you referenced is only needed when you also need to upgrade FX-OS - that's only necessary as a separate procedure for Firepower 4100 and 9300 series. 2100 series and below have FX-OS embedded in the FTD image so that step is not needed.
07-31-2019 07:55 AM - edited 07-31-2019 07:56 AM
Thanks @Marvin Rhoads,
I also have to upgrade FX-OS in this scenario (2.4.1.222->2.6.1) for FTD 6.4 compatibility. So, this means I have to do a manual failover.
Just so I understand this step clearly: do I have to immediately do a manual failover with the command "Switching to standby" via CLI once I see the stage shown in the picture below on FMC?
07-31-2019 08:58 AM - edited 04-05-2020 11:04 PM
As noted in the article you linked earlier, the FX-OS upgrade should be done separately and not from FMC.
You upgrade FX-OS on the Secondary-Standby first. Then you issue the command:
no failover active
on the Primary-Active unit from the CLI. "Switching to standby" is not a command but rather the output you should see on the appliances when you enter the command above.
Then upgrade FX-OS on the Primary-(now)Standby unit.
After both units have successfully completed their FX-OS upgrades you then initiate the FTD upgrade from FMC for the HA pair. No further manual failover is required from that point - the upgrade process will do that automatically.
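An added example, not part of the original thread or any Cisco tooling: a small guard that decides the next step of the FX-OS sequence described in the answer above from the failover state of the pair. It assumes the state text was collected with `show failover state`, that the output has the layout of the constructed samples, and that nothing should be upgraded or failed over unless the peer reports "Standby Ready"; the action names are hypothetical labels.

```python
import re

# Constructed samples modelled on `show failover state` output; the column
# layout is an assumption, so adjust the parsing to what your units print.
BEFORE_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None
"""
AFTER_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  None
Other host -   Secondary
               Active         None
"""
HOST_RE = re.compile(r"^(?:This|Other) host\s*-\s*(Primary|Secondary)$")

def parse_failover_state(text):
    """Map each unit's role (Primary/Secondary) to its current state."""
    states, lines = {}, [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = HOST_RE.match(line)
        if m:  # the state is the first column of the following line
            states[m.group(1)] = re.split(r"\s{2,}", lines[i + 1])[0]
    if set(states) != {"Primary", "Secondary"}:
        raise ValueError("expected one Primary and one Secondary unit")
    return states

def next_step(text, fxos_done):
    """Return (action, unit) for the FX-OS sequence described in the answer.

    fxos_done: set of roles whose FX-OS upgrade has already completed.
    """
    states = parse_failover_state(text)
    active = [r for r, s in states.items() if s == "Active"]
    standby = [r for r, s in states.items() if s == "Standby Ready"]
    if len(active) != 1 or len(standby) != 1:
        return ("stop", None)  # pair is not healthy: do not upgrade or fail over
    if standby[0] not in fxos_done:
        return ("upgrade-fxos", standby[0])  # only ever upgrade the standby
    if active[0] not in fxos_done:
        return ("no-failover-active", active[0])  # typed on the active unit
    return ("upgrade-ftd-from-fmc", None)  # FMC handles failover from here
```
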
02-28-2020 04:55 PM
Sorry for bringing this topic up again, but I have a question about the FTD HA pair upgrade.
I'm planning to upgrade the FTD HA pair from version 6.3 to 6.4.0.7 via FMC, which is a major upgrade. So, I'm not sure whether interruptions in traffic flow may occur. I have already checked the Cisco document, but I just want to make sure the upgrade will not impact the traffic. Could you guys please help me confirm this? Thank you
02-28-2020 07:02 PM
If you perform the HA pair upgrade from FMC as recommended, you should not experience traffic interruption.
If you redeploy policies post upgrade, you may experience a brief interruption.
You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
03-03-2020 03:47 AM
Thanks for your help Marvin,
If so, how can the FTD HA pair handle traffic while upgrading, since we have to redeploy policy to the FTD HA pair again after the upgrade? Or is the policy redeploy task just optional?
03-03-2020 05:35 AM
04-05-2020 01:16 PM
I have a pair of FMC managing a pair of 4110s, all operating HA.
I have to upgrade from 6.2.x to 6.4.x for both.
Question:
Are there any issues going straight from 6.2 to 6.4, or do I need to do an interim 6.3?
Does the information given for 6.3 to 6.4 apply for 6.2 to 6.4?
04-05-2020 10:11 PM
As per the Cisco document above, I think you can do a direct upgrade from 6.2.x to 6.4. Then you can do a minor upgrade (patch) from 6.4 to 6.4.x.
04-05-2020 11:08 PM
Upgrade your FMC HA pair first. There is no need to install 6.3 as part of that. Get them to the latest patch of 6.4 (currently 6.4.0.8).
Redeploy to your Firepower 4110 HA pair after each FMC upgrade (i.e. after 6.4 and then after 6.4.0.8).
Then repeat for the Firepower 4110 HA pair.
04-03-2023 12:24 PM
Hi Marvin,
I am preparing to update the FXOS firmware on a pair of 4125s running in a HA pair configuration. I am doing so in response to this field notice -> https://www.cisco.com/c/en/us/support/docs/field-notices/720/fn72077.html
My current FXOS chassis version is 2.10, which is compatible with the required firmware version 1.0.19.
Is the following correct:
1. Update the firmware on the secondary unit first (FTD2).
2. Once the update is completed on the secondary unit, switch it to the active unit in the CLI using the command
no failover active
(Is it OK to make that unit the primary in the FMC GUI, or must this be done from the CLI?)
3. Run the firmware update on FTD1 (now the secondary), then once complete switch it back to the primary.
Thank you in advance for your expert guidance.
10-04-2020 06:39 AM
Hi Marvin,
I need your expert advice regarding the upgrade of the ASA-5555-X running v6.2.0.2 in an HA active/standby pair, managed by the FMC (6.4.0.9).
Can we upgrade directly to 6.4.0 from FMC, or do we need to upgrade FXOS separately as well? Need your advice, please.
ASA Version:
Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5555-X Threat Defense v6.2.0.2 (build 51)
10-04-2020 07:22 AM
If you are running FTD image on ASA the required "Fire Linux OS" bits are bundled into the image and not installed separately. Only when running ASA image on a Firepower appliance or FTD image on a 4100 or 9300 series do we need to be concerned about tracking and upgrading the FXOS image separately.
10-04-2020 10:57 PM - edited 10-04-2020 11:02 PM
Thanks Marvin, for the explanation. We have the HA running as Active/Standby. If I do the upgrade directly from the FMC and select the HA pair to upgrade,
how will the upgrade happen? Can we upgrade the secondary first and then the primary, or do we have to select the HA pair?
Do we need downtime, or can it be done without downtime?