FireSIGHT System upgrade and FirePOWER Module compatibility

Ve Con
Level 1

Hello,

I am confused by all the terminology between the versions of the ASA FirePOWER.

And I am running into the situation that I have to upgrade to fix Cisco bug IDs 44482, 58658, 92151 and 80503 (no fix yet).

I am using a cluster of ASA 5515-X:

  • FirePOWER module OS version: 5.4.0-763
  • FireSIGHT system (virtual appliance): 5.4.1.6 (build 40)
  • ASA version 9.3.2
  • ASDM 7.5.2(153)
  • AnyConnect 3.1.07021   

  1. For bug IDs 44482 and 58658, I need to upgrade my FireSIGHT system from 5.4.1.6 (build 40) to 6.1
  2. For bug ID 92151, I need to upgrade my ASA from 9.3.2 to 6.1.2 (which requires ASDM 7.6.2+)

Reading this link confused me a lot more with all different terminologies:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_964C63B709B24CFF83DC1BB991F68CFB

So, to get straight to the point and hopefully reduce the confusion I already have, can anyone please tell me:

1) If I upgrade my FireSIGHT to 6.1, will it still work with my current versions of the FirePOWER module, ASA and ASDM?

2) If not, in which order should I upgrade?

3) If I upgrade the FireSIGHT system to 6.1, will I still need the virtual machine?  The above link just raised more and more questions for me (not sure if it even makes sense to ask, but I'll ask anyway ...)

4) From the above link, I see it says "FirePOWER system"; I'm not sure whether that means the FireSIGHT system manager, the FirePOWER module or the Firepower Management Center (version 6.x).

5) Firepower Threat Defense: is it a feature automatically included if I upgrade the FireSIGHT system manager to 6.1?  If so, is no additional license needed?

6) According to this, I need to upgrade my AnyConnect to version 4 if I upgrade the ASA to 9.6.2.  Where can I download the new version?

ASA    ASDM    Cisco Secure Desktop    Cisco AnyConnect
9.6    7.6     end-of-life             AnyConnect 4.x for desktop
                                       AnyConnect 4.0 for mobile devices

Note: AnyConnect 3.1.x is end of life March 1, 2016.

Marvin Rhoads
Hall of Fame

Answering your questions as listed above:

1. No. You should first upgrade the ASA FirePOWER modules to at least 5.4.0.6. Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html#15155

2. Upgrade your ASA FirePOWER module to 5.4.0.6 using your existing FireSIGHT Management Center 5.4.1.6 first. Then upgrade your manager to 6.1. Finally, bring your ASA modules up to the same level (strongly recommended but not mandatory). 

3. You have the option of using ASDM for management as of FirePOWER 6.x, but it's still recommended to use the management center, as it is capable of pushing the same policies to multiple managed devices, consolidating events and reporting, etc.

4. The terminology has changed across releases. That's explained in detail in the following reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_9C7ED89DF14645BDA166E80F7BDA5FB7

5. No. FTD is a completely different image that combines traditional ASA features (though not all of them at this point) with FirePOWER features in a single running image and user interface. It requires re-imaging your ASA, migrating policies and its own distinct licenses for the IPS, URL Filtering and Advanced Malware (AMP) features.

6. No, AnyConnect 3.x will still work. It's just End of Sales so it's not listed in the reference you looked at. To upgrade to 4.x you need to purchase one of the new 4.x license types (Plus or Apex vs the old Essentials and Premium, more or less - with more low level details also applicable).

Thanks, Marvin, for the great info.  Greatly appreciate your feedback.

1) Is this the right one to use/download?

Cisco_Network_Sensor_Patch-5.4.0.6-33.sh

Since I am using 2 ASAs in active/standby (primary/secondary), when I use FireSIGHT to push the update, can I just select both FirePOWER modules at the same time when it asks me? Or do I have to select one FirePOWER module at a time for the push? If one at a time, should I do the active first, or the secondary first, or does it not matter?

Since I have to upgrade the FirePOWER module, should I just go straight to version 5.4.1.7? If so, is it possible for me to upgrade straight to 5.4.1.7, or is there a rolling upgrade path that I must follow?

Yes you should use the patch file you noted. You can push to both modules at once or one at a time.

Only downside of both at once is that you might have FirePOWER module reload about the same time on both and be without the service for a few minutes.

5.4.1.x is only for the "Kenton" models (5506, 5508, 5516).

The "Saleen" platform (all the other 5500-X models) is supported with 5.4.0.x and 6.x+.

Thanks, Marvin.  This is what I experienced when upgrading with Cisco_Network_Sensor_Patch-5.4.0.6-33.sh.  Just sharing ...

  1. I selected both FirePOWER modules to upgrade at the same time.
  2. At the beginning, I saw a lot of "no communication" errors on the Task Status window for both FirePOWER modules.  It took quite a long time for it to retry multiple times, and finally it successfully upgraded the one FirePOWER module on the active ASA.  During the "script running ..." process it shows the % completed together with the "no communication" message.  Generally you would think the longer you wait, the higher the % number you'll see, but that is not always the case here.  The % decreased as I waited and then came back up.
  3. I had to install the patch again on the other FirePOWER module.  Then the FirePOWER modules rebooted automatically.
  4. Refreshed the FireSIGHT management system to see the update task status.
  5. Finally, when the patching status appears as completed for both FirePOWER modules, I need to use FireSIGHT to reapply the policies to the FirePOWER devices.  On the task status window, the message "Please reapply policies to your managed devices" shows up right next to each FirePOWER module and the task.  Seeing this message, you'll know that you need to reapply the policies after the upgrade.

Here's the fun part ....

6.  I thought I was done after reapplying the policies.  I logged into the ASDM and saw a lot of level 1 messages that happened during the upgrade.

However, I kept seeing this message even after I left my office:

"(Primary) Other firewall reporting failure.  Reason: SSM card failure"

Not sure what step I missed that caused the above error ... I did the upgrade last night, and the last time I saw the above message in the ASDM syslog messages was around 8:43 pm last night.  I finished reapplying the policies at 7:19 pm last night.  I don't see that error at all today.  Not sure how to check, after the upgrade, that the SFR modules are still working properly before I upgrade my FireSIGHT to 6.1.

[@kha@brtrc.com],

You're welcome.

The percentages going up and down are an artifact of there being multiple stages in the upgrade process. They run sequentially and each stage reports its percentage of completion independently. So when FMC (or ASDM if you're not using FMC) queries for updates it gets the current stage's completion percentage.

If you're interested in seeing the gory details, you can "tail -f" the logs from the command line while the upgrade is happening on a module. The logs are in directories specific to the upgrade under /var/log/sf. Once you see the (literally) hundreds of steps under the covers you will understand why they take so long.

If you see the modules up and healthy in your device inventory in FMC and you've re-applied your policy, they are good to go. They will similarly show up on the ASDM home screen (FirePOWER tab) or, for either management method, from the CLI with:

show module sfr detail

Thanks, Marvin.  Now I'm getting one step closer.  First time doing all these upgrades ...

  1. I am scheduled to upgrade the ASA to 9.6.2 (from 9.3.2); I am being told that I can do a straight upgrade from the current version to 9.6.2.  Is that correct?

  2. I am planning to upgrade my ASDM to 7.6.2+ first and see if it works.  Not sure if, from my current version, I need to do a rolling upgrade, or whether there is any precautionary step I should take.  Please advise.  I am concerned whether, after upgrading the ASDM to 7.6.2, I will still be able to manage the ASA with version 9.3.2, just in case I have a hiccup, pause, or whatever that stops me from continuing to the next step (upgrading the ASA).

  3. I haven't had approval to upgrade the FireSIGHT to 6.1, but I've upgraded the FirePOWER modules to 5.4.0.6-33 already.  If I do #1 and #2 above and don't upgrade FireSIGHT to 6.1, is that still OK? I guess "yes", as FireSIGHT only manages the FirePOWER modules (it's working OK now after the minor upgrade to 5.4.0.6).  Just want to be sure rather than sorry later, since all these are in production.

1. Yes. Reference.

2. No problem. See the ASA compatibility guide - as of ASA 8.0(2) and with all subsequent releases through now you can use the newest ASDM versions - as long as you meet the minimum for that hardware and software.

3. No problem. ASA 9.6(2) can co-exist with versions of FirePOWER modules from 6.1 and lower. The FirePOWER Management Center (formerly known as FireSIGHT or Defense Center before that) can be upgraded to 6.1 as long as the managed FirePOWER modules are at the 5.4.0.6-33 that you have. You cannot upgrade the modules to 6.1 until you have FirePOWER Manager at 6.1 or higher AND the ASA at 9.5(2) or later. Reference.
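Two of Marvin's replies in this thread give concrete checks: the modules must show up and healthy (visible from the CLI with "show module sfr detail") and be at 5.4.0.6 before the manager goes to 6.1, and the manager must be at 6.1 or higher with the ASA at 9.5(2) or later before the modules themselves go to 6.1. The script below is an added example, not from this thread or from Cisco, that turns those rules into a pre-upgrade readiness check. The two blocks of "show module sfr detail" output are constructed, and the "Key:   value" layout and field names (Status, App. Status, Data Plane Status, Software version) are assumptions about the command's format.

```python
"""Pre-upgrade readiness check for ASA FirePOWER (SFR) modules.

Added example (not from the thread or from Cisco). It parses the output of
'show module sfr detail' and applies the ordering rules stated in the thread:
  - modules must be Up and at 5.4.0.6 or later before the manager goes to 6.1
  - manager must be at 6.1+ and the ASA at 9.5(2)+ before modules go to 6.1
The 'Key:   value' layout and field names are assumptions about the format.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output for the module on the active ASA (healthy, patched).
SAMPLE_ACTIVE = """\
Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Software version:   5.4.0.6-33
App. Status:        Up
App. Status Desc:   Normal Operation
Data Plane Status:  Up
Status:             Up
Mgmt IP addr:       192.0.2.21
"""

# Constructed sample output for a module still on the original build and mid-reload.
SAMPLE_STANDBY = """\
Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Software version:   5.4.0-763
App. Status:        Reload
App. Status Desc:   Reloading
Data Plane Status:  Not Applicable
Status:             Unresponsive
Mgmt IP addr:       192.0.2.22
"""

MIN_MODULE_FOR_MANAGER_61 = "5.4.0.6"  # from the thread
MIN_MANAGER_FOR_MODULE_61 = "6.1"      # from the thread
MIN_ASA_FOR_MODULE_61 = "9.5(2)"       # from the thread


def parse_sfr_detail(text: str) -> Dict[str, str]:
    """Turn 'Key:   value' lines into a dict, keeping the key spelling as printed."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key for Cisco-style strings: '5.4.0.6-33', '5.4.0-763', '9.5(2)'.

    The release part is padded to four numbers so that a trailing build number
    ('-763') never outranks a missing fourth release digit.
    """
    release, _, build = version.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", release)][:4]
    nums += [0] * (4 - len(nums))
    nums.append(int(build) if build.isdigit() else 0)
    return tuple(nums)


def module_problems(fields: Dict[str, str]) -> List[str]:
    """Health checks: every status field must read Up before moving on."""
    problems = []
    for key in ("Status", "App. Status", "Data Plane Status"):
        value = fields.get(key, "<missing>")
        if value != "Up":
            problems.append(f"{key} is {value}, expected Up")
    return problems


def ready_for_manager_61(fields: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Can the manager be taken to 6.1 with this module still attached?"""
    problems = module_problems(fields)
    version = fields.get("Software version", "0")
    if version_key(version) < version_key(MIN_MODULE_FOR_MANAGER_61):
        problems.append(f"module at {version}, below {MIN_MODULE_FOR_MANAGER_61}")
    return (not problems, problems)


def ready_for_module_61(manager_version: str, asa_version: str) -> Tuple[bool, List[str]]:
    """Can the modules themselves go to 6.1? Needs manager 6.1+ and ASA 9.5(2)+."""
    problems = []
    if version_key(manager_version) < version_key(MIN_MANAGER_FOR_MODULE_61):
        problems.append(f"manager at {manager_version}, needs {MIN_MANAGER_FOR_MODULE_61}+")
    if version_key(asa_version) < version_key(MIN_ASA_FOR_MODULE_61):
        problems.append(f"ASA at {asa_version}, needs {MIN_ASA_FOR_MODULE_61}+")
    return (not problems, problems)


if __name__ == "__main__":
    for name, sample in (("active", SAMPLE_ACTIVE), ("standby", SAMPLE_STANDBY)):
        ok, why = ready_for_manager_61(parse_sfr_detail(sample))
        print(f"{name} module: {'ready' if ok else 'NOT ready'} {why}")
    # The poster's starting point (FireSIGHT 5.4.1.6, ASA 9.3.2) versus the target state.
    print("modules -> 6.1 now?", ready_for_module_61("5.4.1.6", "9.3.2"))
    print("modules -> 6.1 after manager 6.1 + ASA 9.6.2?", ready_for_module_61("6.1", "9.6.2"))
```

On a real pair, paste each ASA's "show module sfr detail" output into the two sample strings (or read it from a file) and run the script before each stage; the standby sample shows the kind of result the thread's "no communication" and reload phases produce, which is exactly when you should not proceed to the next upgrade step.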

I have upgraded to 6.0.1-1214 now and my SF modules are still using 5.4.0.6.

I am seeing "out-of-date 2 targeted devices".  The interface looks different now; I clicked on Policies -> Access Control -> Access Control, hit the generate report icon next to my Access Control Policy, and the PDF generated was 0 KB.

I was told to push the policy to the sensor after every upgrade.  But with this version's new interface, I don't see anywhere I can push the policy to the sensor.

Help please ... 

There should be a 'Deploy' button on the top right corner. Click and choose the devices that you want to push the changes to.

Thanks, Rahul.  I got that working.