vschary.scc

Symptoms

Outage during FTD code upgrade 

Diagnosis

Upgrading the FTD code through FMC causes a traffic interruption.

Solution

The process below upgrades the FTD with no downtime and no traffic interruption.

Before the upgrade process:

Download the FTD platform bundle software package to which you are upgrading.

Back up your FTD configurations.

Deploy the policy to the devices you are about to upgrade.

Put the devices in Maintenance mode so that the upgrade does not create incidents.

Verify the current xlate and connection count on the FTD:

              # show xlate count

              # show conn count

Make sure you have console access.

Make sure you have SSH access to the device (both local and AD).

Upgrade FTD Software: Firepower 4100/9300

Step 1: Connect to FMC and choose System > Updates.

  • Click Upload Image to open the Upload Image dialog box.
  • Click Choose File to navigate to and select the image that you want to upload.
  • Click Upload.

Step 2: After the new platform bundle image is successfully uploaded, click Push.

Step 3: Once you click Push, the device list appears. Select the device you want to upgrade and push the image to it.

Step 4: Continue the upgrade process using the CLI.

Connect to the Secondary Standby FTD:

 

Firepower-module1>connect ftd

Connecting to ftd console... enter exit to return to bootCLI

 

> expert

Firepower-module1:/opt/bootcli/cisco/cli/bin$ sudo su -

Password:

 

root@Firepower-module1:~# cd /ngfw/var/sf/updates/

 

root@Firepower-module1:/ngfw/var/sf/updates# install_update.pl /var/sf/updates/Cisco_FTD_SSP_Upgrade-6.3.0-85.sh.REL.tar

 

System:

ARGV[0] = /var/sf/updates/Cisco_FTD_SSP_Upgrade-6.3.0-85.sh

TODO:: Need to check Sybase Database is running in Standby Mode at /ngfw/usr/local/sf/bin/install_update.pl line 246.

Verifying archive integrity... All good.

Uncompressing Cisco FTD Patch / Fri May 26 23:33:01 UTC 2017.............

[170621 01:01:52] #####################################

[170621 01:01:52] # UPGRADE  STARTING

[170621 01:01:52] #####################################

[170621 01:01:52] BEGIN  000_start/000_check_update.sh

[170621 01:01:53] BEGIN  000_start/100_start_messages.sh

[170621 01:01:53] BEGIN  000_start/100_zz_verify_bundle.sh

[170621 01:01:53] BEGIN  000_start/101_run_pruning.pl

[170621 01:01:58] BEGIN  000_start/102_check_sru_install_running.pl

[170621 01:01:58] BEGIN  000_start/105_check_model_number.sh

[170621 01:01:58] BEGIN  000_start/106_check_HA_sync.pl

[170621 01:01:59] BEGIN  000_start/106_check_HA_updates.pl

[170621 01:01:59] BEGIN  000_start/107_version_check.sh

[170621 01:01:59] BEGIN  000_start/108_check_sensors_ver.pl

[170621 01:02:00] BEGIN  000_start/109_check_HA_MDC_status.pl

[170621 01:02:00] BEGIN  000_start/110_DB_integrity_check.sh

[170621 01:02:02] BEGIN  000_start/111_FS_integrity_check.sh

[170621 01:02:02] BEGIN  000_start/112_CF_check.sh

...

[170621 01:08:14] BEGIN 999_finish/999_y_must_be_next_to_last_to_generate_integrity_data.sh

[170621 01:08:15] BEGIN 999_finish/999_z_must_remain_last_finalize_boot.sh

[170621 01:08:15] BEGIN 999_finish/999_zz_install_bundle.sh

Cleaning up.

shutdown PM on whitebox systems except Readiness package, sample patch and RNA redhat

about to remove upgrade lock

removed '/ngfw/tmp/upgrade.lock/main_upgrade_script.log'

removed '/ngfw/tmp/upgrade.lock/status_log'

removed '/ngfw/tmp/upgrade.lock/PID'

removed '/ngfw/tmp/upgrade.lock/LSM'

removed directory: '/ngfw/tmp/upgrade.lock'

[170621 01:08:48] Attempting to remove upgrade lock

[170621 01:08:48] Success, removed upgrade lock

Upgrade lock /ngfw/tmp/upgrade.lock removed successfully.

[170621 01:08:48]

[170621 01:08:48] #######################################################

 

 

[170621 01:08:48] # UPGRADE COMPLETE #

[170621 01:08:48] #######################################################

Process 1061 exited.I am going away.

RC: 0

Update package reports success: almost finished...

Scheduling a reboot to occur in 60 seconds...

 

Step 5: Go to the Primary Active unit and fail over to the Secondary Standby.

Check the failover status:

show failover

Check the connection count:

show conn count

Check the xlate count:

show xlate count

no failover active = this command fails the firewall over to the Secondary Standby unit.

Again, check the failover status and connection counts.

If all is good, repeat the same steps on the Primary FTD.
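The go/no-go decision in Step 5 rests on three CLI outputs: show failover (who is Active, whether the peer is Standby Ready and already on the new version) and the conn/xlate counts taken before and after the switchover, which should barely move if stateful replication carried the tables across. The script below is an added example, not part of the original post or of Cisco's tooling: it parses captured text of those three commands (the sample outputs are constructed, modelled on the ASA/FTD format, and the version strings in them are constructed too) and reports any reason not to fail over, then confirms that the roles swapped and the connection and xlate tables survived.

```python
"""Pre/post-failover checks for an FTD HA pair during a staged upgrade.

Added example, not from the original post. Parses captured output of
'show failover', 'show conn count' and 'show xlate count'; the captures
below are constructed samples modelled on the ASA/FTD output format.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed capture, before failover: this unit is Primary/Active and the
# upgraded Secondary is back as Standby Ready running the newer version.
SHOW_FAILOVER_BEFORE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/1 (up)
Version: Ours 6.2.3, Mate 6.3.0
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""
SHOW_CONN_COUNT_BEFORE = "5421 in use, 9980 most used"
SHOW_XLATE_COUNT_BEFORE = "1312 in use, 2200 most used"

# Constructed capture a few seconds after 'no failover active': roles have
# swapped and the counts travelled with the replicated state.
SHOW_FAILOVER_AFTER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/1 (up)
Version: Ours 6.2.3, Mate 6.3.0
        This host: Primary - Standby Ready
                Active time: 86400 (sec)
        Other host: Secondary - Active
                Active time: 12 (sec)
"""
SHOW_CONN_COUNT_AFTER = "5398 in use, 9980 most used"
SHOW_XLATE_COUNT_AFTER = "1309 in use, 2200 most used"


@dataclass
class FailoverState:
    this_role: str     # "Primary" / "Secondary"
    this_state: str    # "Active" / "Standby Ready" / ...
    other_role: str
    other_state: str
    ours_version: str
    mate_version: str


def parse_failover(text: str) -> FailoverState:
    """Extract unit roles, states and versions from 'show failover' output."""
    if "Failover On" not in text:
        raise ValueError("failover is not enabled on this unit")
    this = re.search(r"This host:\s+(\w+)\s+-\s+(.+)", text)
    other = re.search(r"Other host:\s+(\w+)\s+-\s+(.+)", text)
    ver = re.search(r"Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)", text)
    if not (this and other and ver):
        raise ValueError("unrecognised 'show failover' output")
    return FailoverState(this.group(1), this.group(2).strip(),
                         other.group(1), other.group(2).strip(),
                         ver.group(1), ver.group(2))


def parse_count(text: str) -> int:
    """Return the 'in use' figure from 'show conn count' / 'show xlate count'."""
    m = re.search(r"(\d+)\s+in use", text)
    if not m:
        raise ValueError("unrecognised count output")
    return int(m.group(1))


def ready_to_failover(state: FailoverState) -> List[str]:
    """Reasons NOT to issue 'no failover active'; an empty list means proceed."""
    problems = []
    if state.this_state != "Active":
        problems.append("this unit is not Active; run the check from the active unit")
    if state.other_state != "Standby Ready":
        problems.append(f"peer is '{state.other_state}', not 'Standby Ready'")
    if state.ours_version == state.mate_version:
        problems.append("peer runs the same version; it has not been upgraded yet")
    return problems


def replication_held(before: int, after: int, tolerance: float = 0.10) -> bool:
    """True if the post-failover count dropped by no more than `tolerance`.

    Stateful failover replicates the conn/xlate tables, so a large drop means
    sessions were lost in the switchover and the upgrade was not hitless.
    """
    if before == 0:
        return True
    return (before - after) / before <= tolerance


def run_checks() -> dict:
    """Apply the checks to the constructed captures and summarise the outcome."""
    pre, post = parse_failover(SHOW_FAILOVER_BEFORE), parse_failover(SHOW_FAILOVER_AFTER)
    return {
        "blockers": ready_to_failover(pre),
        "roles_swapped": post.this_state == "Standby Ready" and post.other_state == "Active",
        "conn_held": replication_held(parse_count(SHOW_CONN_COUNT_BEFORE),
                                      parse_count(SHOW_CONN_COUNT_AFTER)),
        "xlate_held": replication_held(parse_count(SHOW_XLATE_COUNT_BEFORE),
                                       parse_count(SHOW_XLATE_COUNT_AFTER)),
    }


if __name__ == "__main__":
    print(run_checks())
```

In practice the captures would come from the SSH session to each unit rather than from constants; the 10% tolerance is a judgement call, and a near-zero count after the switchover is the signature of a failover that was not stateful.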

 

After the upgrade process:

Deploy the policy to the devices you have upgraded.

Put the devices back in Production mode.

Verify the current xlate and connection count on the FTD:

              # show xlate count

              # show conn count

Validate that you have SSH access to the device (both local and AD).
