04-24-2019 12:11 PM - edited 02-21-2020 09:04 AM
Hi Experts
Ran into the following scenario and was hoping I could get some guidance on the process of upgrading the vFMC and FTD.
Currently we have 5525-X in HA mode registered on the vFMC running FMC version 6.2.0 with FTD version 6.2.0 as well.
I am supposed to upgrade these to 6.2.3.10, and due to some other past network architectural issues all traffic manually gets routed to the Primary 5525-X. YES, I know!!
Q1. Can I jump directly to 6.2.3.10 from 6.2.0, or do I need to first jump to 6.2.3 and then jump to 6.2.3.10? (As per the Cisco document I can go to 6.2.3 from the current version, but it does not specifically say I can jump directly to 6.2.3.10 - https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/plan_upgrade_path.html)
Q2. Do I need to upgrade the vFMC first to 6.2.3.10, or should I be doing the FTD devices first? The same concern as above applies regarding an intermediate release or a direct jump.
Q3. Because of the business issues, we cannot ask for or afford downtime. Therefore I was thinking as follows:
1. Disable the HA; that will unregister the devices from FMC.
2. Then register them back in FMC
3. Upgrade each device standalone
4. Upgrade the FMC
5. Create an HA
Thanks in Advance
04-24-2019 10:42 PM
Hi,
1. You cannot go directly to 6.2.3.10; you need to first upgrade to 6.2.3, then install the patch 6.2.3.10.
2. Upgrade the vFMC first, then FTD.
3. Disabling HA will not unregister the devices from FMC. Unregistering/registering the FTD will erase the configurations in FTD. Break HA so the devices will be standalone; then you can upgrade the appliances individually.
Hope This Helps
Abheesh
04-25-2019 10:23 AM
Hi Abheesh
Based on this documentation (https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html#anc11)
It says, if you Disable the HA, the following will happen:
Main points to note for disabling the HA:
Primary FTD: The device is removed from the FMC. No configuration is removed from the FTD device.
Secondary FTD: The device is removed from the FMC. No configuration is removed from the FTD device.
Step 6. After you finish the task, register the devices to the FMC and enable HA pair.
and, if you Break the HA, the following will happen:
Main points to note for breaking the HA:
Primary FTD: All failover configuration is removed; standby IPs remain.
Secondary FTD: All configuration is removed.
Step 5. After you finish this task, recreate the HA pair.
Sort of the opposite of what you said!! Or did I read that wrong?
Anyway, my question would be: if I Disable the HA and keep the configuration, does it mean that the devices will now become standalone and I can upgrade them individually, or do I have to go with the Break HA option and get the device config erased completely from the Secondary node, meaning I would need to have physical access to it just to be able to configure it to a state where I can register it back on FMC?
04-26-2019 07:34 AM - edited 04-26-2019 07:36 AM
Hi,
If you disable HA, the configuration will remain in the FTD and it will be removed from FMC.
While adding it back to FMC you need to reconfigure everything (map the ACP, interface configuration, routes, etc.).
If you break HA, the configuration will remain in the Primary FTD; only failover will be removed from the primary, and the configuration in the secondary will be erased, but you will still be able to manage it via FMC.
So you will get both FTDs as individual firewalls; start by upgrading the secondary FTD, then configure it and switch traffic to the secondary FTD. Then proceed with the Primary.
Once both are upgraded, you can switch the traffic back to the primary and then enable HA.
Hope This Helps
Abheesh
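The two answers above state an ordering that is easy to get wrong under change-control pressure: the patch 6.2.3.10 sits on top of the 6.2.3 release, the vFMC is upgraded before the managed FTDs, and with HA broken the secondary is upgraded and takes traffic before the primary is touched. The following planner is an added example (not from Cisco or from either poster) that encodes only those constraints from this thread and emits the ordered step list for the scenario described (FMC and both FTDs at 6.2.0, target 6.2.3.10). It assumes that a four-component version is a patch on the three-component base release, and that a managed device must never end up newer than its FMC; it is not a substitute for the published Cisco upgrade-path and compatibility tables.

```python
"""Ordered-step planner for the FMC/FTD HA upgrade discussed in this thread.

Assumptions (taken from the thread, not from a Cisco compatibility matrix):
  * "6.2.3.10" is a patch that requires the "6.2.3" release to be installed first.
  * The FMC is upgraded before any managed FTD, and no FTD may be newer than the FMC.
  * HA is broken (not disabled) so both units stay registered; the secondary is
    upgraded first, takes traffic, then the primary is upgraded, then HA is re-created.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.2.3.10' into (6, 2, 3, 10); only 3- or 4-part versions are modelled."""
    parts = tuple(int(p) for p in v.split("."))
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected version format: {v!r}")
    return parts


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def version_steps(current: str, target: str) -> list[str]:
    """Versions to install, in order, to move one appliance from current to target.

    A 4-part target (patch) whose 3-part base release is not yet installed needs
    the base release first, e.g. 6.2.0 -> ['6.2.3', '6.2.3.10'].
    """
    cur, tgt = parse_version(current), parse_version(target)
    if cur >= tgt:
        return []  # already there (or newer): nothing to do
    steps: list[str] = []
    base = tgt[:3]
    if len(tgt) == 4 and cur < base:
        steps.append(fmt(base))  # intermediate release before the patch
    steps.append(target)
    return steps


def plan_upgrade(fmc: str, primary: str, secondary: str, target: str) -> list[str]:
    """Return the ordered list of operator steps for the whole environment."""
    if parse_version(target) < max(parse_version(primary), parse_version(secondary)):
        raise ValueError("target would leave a managed FTD newer than the FMC")

    plan: list[str] = []
    # 1. Manager first, walking through the base release if the target is a patch.
    for v in version_steps(fmc, target):
        plan.append(f"FMC: upgrade to {v}")

    sec_steps = version_steps(secondary, target)
    pri_steps = version_steps(primary, target)
    if not (sec_steps or pri_steps):
        return plan  # devices already at target; no HA change needed

    # 2. Break HA (per the thread: primary keeps its config, secondary is wiped
    #    but stays managed by the FMC), then do the secondary while the primary
    #    keeps carrying traffic.
    plan.append("HA: break HA pair (secondary config erased; both units stay registered)")
    for v in sec_steps:
        plan.append(f"Secondary FTD: upgrade to {v}")
    plan.append("Secondary FTD: re-apply configuration and switch traffic to secondary")
    # 3. Primary is only touched once the secondary is carrying traffic.
    for v in pri_steps:
        plan.append(f"Primary FTD: upgrade to {v}")
    plan.append("Primary FTD: switch traffic back to primary")
    plan.append("HA: re-create HA pair")
    return plan


if __name__ == "__main__":
    # Constructed input matching the thread: everything at 6.2.0, target 6.2.3.10.
    for i, step in enumerate(plan_upgrade("6.2.0", "6.2.0", "6.2.0", "6.2.3.10"), 1):
        print(f"{i:2d}. {step}")
```

Running it prints ten steps, with both FMC entries before any FTD entry and every "6.2.3" entry before the matching "6.2.3.10" entry; feeding it an FTD already on 6.2.3 drops the intermediate step for that unit only, which is the check worth having before a maintenance window.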