Upgrade the FTD HA pair

jumperdub
Level 1

Hi there,

 

I'm planning to upgrade the FTD version from 6.3 to 6.4. Also, my FTDs are running in HA.

I have checked the document Upgrading an FTD HA pair on Firepower appliances.

After the first FTD is successfully upgraded, will the upgrade of the second FTD start automatically, and will the active state change as well?

However, there is a manual command in the document below, and I'm not sure at exactly what time I have to execute it.

Switching to Standby

I am concerned about this because the FTDs are in production. The customer can barely give me any downtime, so I'm afraid of packet loss on the FTDs while upgrading.

 

Thank you


21 Replies

Marvin Rhoads
Hall of Fame

Yes - when you upgrade from FMC the Primary/Secondary FTD upgrades will be sequenced by FMC.

The manual failover you referenced is only needed when you also need to upgrade FX-OS - that's only necessary as a separate procedure for Firepower 4100 and 9300 series. 2100 series and below have FX-OS embedded in the FTD image so that step is not needed.

Thanks @Marvin Rhoads,

I have to upgrade FX-OS also in this scenario (2.4.1.222->2.6.1) for FTD 6.4 compatibility. So this means I have to do a manual failover.

Just so I understand this step clearly: do I have to immediately fail over manually with the command "Switching to standby" via CLI once I see the stage shown in the picture below on FMC?


As noted in the article you linked earlier, the FX-OS upgrade should be done separately and not from FMC.

You upgrade FX-OS on the Secondary-Standby first. Then you issue the command:

no failover active

on the Primary-Active unit from the CLI. "switching to standby" is not a command but rather the output you should see on the appliances when you enter the command above.

Then upgrade FX-OS on the Primary-(now)Standby unit.

After both units have successfully completed their FX-OS upgrades you then initiate the FTD upgrade from FMC for the HA pair. No further manual failover is required from that point - the upgrade process will do that automatically.
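Before issuing "no failover active" on the Primary-Active unit, a practitioner wants to confirm from "show failover" that the peer is actually in Standby Ready state, otherwise the failover leaves nobody passing traffic. The following is an added example (not code from this thread or from Cisco) in Python that parses a constructed "show failover" excerpt, picks the standby unit as the one whose FX-OS is upgraded first, and decides whether the manual failover is safe; the sample output text and its exact line layout are assumptions.

```python
import re

# Constructed sample of `show failover` output as seen on the Primary unit
# before the manual failover. The line shapes follow the ASA/FTD CLI, but this
# text is an assumption written for the example, not captured from a real box.
SAMPLE_PRIMARY_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link Ethernet1/8 (up)
This host: Primary - Active
        Active time: 86400 (sec)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
"""

# Same unit, but the peer has dropped out of the pair (constructed).
SAMPLE_PEER_FAILED = SAMPLE_PRIMARY_ACTIVE.replace(
    "Secondary - Standby Ready", "Secondary - Failed")

_HOST_RE = re.compile(
    r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.MULTILINE)


def parse_failover(output):
    """Return {'this': (unit, state), 'other': (unit, state)} from show failover text."""
    roles = {}
    for which, unit, state in _HOST_RE.findall(output):
        roles["this" if which == "This" else "other"] = (unit, state)
    if "this" not in roles or "other" not in roles:
        raise ValueError("both 'This host' and 'Other host' lines are required")
    return roles


def standby_unit(roles):
    """The unit (Primary/Secondary) whose FX-OS is upgraded first: the current standby."""
    for unit, state in roles.values():
        if state.startswith("Standby"):
            return unit
    return None  # no standby unit: the pair is degraded, do not proceed


def safe_to_fail_over(roles):
    """True only if this host is Active and the peer is fully synced ('Standby Ready').

    Running 'no failover active' while the peer is Failed, Not Ready, Cold Standby
    or still syncing would leave the pair with no unit passing traffic.
    """
    return roles["this"][1] == "Active" and roles["other"][1] == "Standby Ready"
```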

Sorry for bringing up this topic again, but I have some questions about the FTD HA pair upgrade.

I'm planning to upgrade the FTD HA pair from version 6.3 to 6.4.0.7 via FMC, which is a major upgrade. So I'm not sure whether interruptions in traffic flow may occur. I have already checked the Cisco document, but I just want to make sure the upgrade will not impact the traffic. Could you guys please help me confirm this? Thank you

If you perform the HA pair upgrade from FMC as recommended, you should not experience traffic interruption.

If you redeploy policies post upgrade, you may experience a brief interruption.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/upgrade.html#id_64500

High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

Thanks for your help Marvin,

If so, how can the FTD HA pair handle traffic while upgrading, since we have to redeploy policy to the FTD HA pair again post-upgrade? Or is the policy redeploy task just optional?

It is not mandatory to redeploy policies post-upgrade but it is highly recommended. The upgrade package may have a different set of Snort rules than the FMC and redeploy will sync everything as well as ensuring all aspects of the deployment process are working as designed.

I have a pair of FMC managing a pair of 4110s, all operating HA. 

I have to upgrade from 6.2.x to 6.4.x for both.

Question:

Are there any issues going straight from 6.2 to 6.4, or do I need to do an interim 6.3?

Does the information given for 6.3 to 6.4 apply to 6.2 to 6.4?

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_management_centers.html#id_58959

 

According to the Cisco document above, I think you can do a direct upgrade from 6.2.x to 6.4. Then you can do a minor upgrade (patch) from 6.4 to 6.4.x.

Upgrade your FMC HA pair first. There is no need to install 6.3 as part of that. Get them to the latest patch of 6.4 (currently 6.4.0.8).

Redeploy to your Firepower 4110 HA pair after each FMC upgrade (i.e. after 6.4 and then after 6.4.0.8).

Then repeat for the Firepower 4110 HA pair.

Hi Marvin,

I am preparing to update the FXOS firmware on a pair of 4125s running in an HA pair configuration. I am doing so in response to this field notice -> https://www.cisco.com/c/en/us/support/docs/field-notices/720/fn72077.html

My current FXOS chassis version is 2.10, which is compatible with the required firmware version 1.0.19.

Is the following correct:

1. Update the firmware on the secondary unit first (FTD2).

2. Once the update is completed on the secondary unit, switch it to the active unit in the CLI using the command

no failover active

(Is it OK to make that unit the primary in the FMC GUI, or must this be done from the CLI?)

3. Run the firmware update on FTD1 (now the secondary), then once complete switch it back to the primary.

Thank you in advance for your expert guidance.

 

asadali1979
Level 1

Hi Marvin,

I need your expert advice regarding the upgrade of the ASA-5555-X running v6.2.0.2 in an HA active/standby pair, managed by the FMC (6.4.0.9).

Can we upgrade directly to 6.4.0 from FMC, or do we need to upgrade FXOS separately as well? I need your advice, please.

 

ASA Version:

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5555-X Threat Defense v6.2.0.2 (build 51)

 

If you are running FTD image on ASA the required "Fire Linux OS" bits are bundled into the image and not installed separately. Only when running ASA image on a Firepower appliance or FTD image on a 4100 or 9300 series do we need to be concerned about tracking and upgrading the FXOS image separately.

Thanks Marvin, for the explanation. We have the HA running as Active/Standby. If I do the upgrade directly from the FMC and select the HA pair to upgrade:

How will the upgrade happen? Can we upgrade the secondary first and then the primary, or do we have to select the HA pair?

Do we need downtime, or can it be done without downtime?

 

 
