
Firepower Threat Defense HA Upgrade

Upgrading an HA Pair of Firepower 2110s in FTD mode

~~~~~~~~~ UPDATE!!  ~~~~~~~~ 

As of FMC and FTD 7.0 this process is much more straightforward. Readiness Check is now enabled for an HA pair of firewalls. After pushing the update to the appliances, go into the upgrade screen, select both devices, click the "Check Readiness" button and wait for the results prior to doing the install.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are like me you don't upgrade an FTD appliance often enough to remember the procedure. Today I installed the 6.3.0.1 update to an HA pair of FTD 6.3.0 2110s. This document assumes you have already updated the Firepower Management Center (FMC).

Download Updates to the FMC

From the FMC click on "System" then the "Updates" tab. If the update desired is not listed, click the "Download Updates" button.

Push the update to the HA pair of devices

Click the button on the far right marked "Push or Stage update". This will push the file down to each of the firewalls in preparation for the upgrade. You can verify by clicking the red "!" at the top of the screen between "deploy" and "system". Once both devices read "Complete" you should be in good shape.

Verify Upgrade Readiness 

This is where you will be tempted to click the "install" icon next to the update, select the firewall HA pair and then click the button marked "Launch Readiness Check". I think I still do this every time hoping Cisco will make this work for an HA pair of firewalls.
If you do this, you will probably be greeted with a message that states, "Readiness Check is not applicable for appliance in High-availability, Stack or Cluster, do you want to proceed by de-selecting them and 'Launch Readiness Check'".
Now, this message doesn't make sense. And if you are like me, you don't just trust that it will be alright without some sort of check being done on the firewall pair. On an early version of 6.1 I attempted a blind upgrade to my HA pair and the update bricked one of my firewalls for several days (maybe weeks) while TAC tried to figure out what was wrong. Once it was all said and done I ended up having to re-image that device from scratch.

Verifying Readiness Via the Command Line 

Some versions of the release notes have a procedure listed for running the readiness check via the CLI and some do not. Also, some have the wrong path. Here is the procedure I've used a few times now.

- Login to each firewall appliance via SSH.

- Enter "expert" mode by typing expert at the command prompt and enter your password.

- Run the upgrade readiness check with the command "sudo install_update.pl --detach --readiness-check /var/sf/updates/Cisco_FTD_SSP_FP2K_{update version number}.sh.REL.tar". You will be prompted for your sudo password, which should be the same as the password you logged into the CLI with initially. Wait for the command to complete.

- View the logs to verify that the upgrade readiness check completed successfully. Type the command "more /ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_{update version number}/upgrade_readiness/main_upgrade_script.log". You are looking for the following at the end of the log file.

########################################################
# UPGRADE READINESS CHECK COMPLETE status : PASS 
########################################################

The output of this process is listed below:

[nathan@nrc01 ~] > ssh admin@10.0.1.6
*****
Unauthorized Users are not permitted.
*****
admin@10.0.1.6's password:
Last login: Thu Dec 13 23:56:47 UTC 2018 from 192.168.100.100 on pts/0
Successful login attempts for user 'admin' : 1
Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.3.0 (build 21)
Cisco Firepower 2110 Threat Defense v6.3.0 (build 83)
> expert
admin@NSD-R01-FW-02:~$sudo install_update.pl --detach --readiness-check /var/sf/updates/Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85.sh.REL.tar
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
ARGV[0] = --detach
ARGV[1] = --readiness-check
ARGV[2] = /var/sf/updates/Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85.sh.REL.tar
install_update.pl begins. bundle_filepath: /var/sf/updates/Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85.sh.REL.tar
Skipping File System Integrity Check
admin@NSD-R01-FW-02:~$
admin@NSD-R01-FW-02:~$ more /ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_Patch-6.3.0.1/upgrade_readiness/main_upgrade_script.log
[190225 22:19:14:847] MAIN_UPGRADE_SCRIPT_START
[190225 22:19:14:889] Readiness check for :Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85
[190225 22:19:14:891] #####################################
[190225 22:19:14:892] # UPGRADE READINESS CHECK STARTING
[190225 22:19:14:893] #####################################
[190225 22:19:14:940] BEGIN 000_start/000_check_platform_support.sh
[190225 22:19:16:268] END 000_start/000_check_platform_support.sh
[190225 22:19:16:290] BEGIN 000_start/000_check_sign_type.sh
.
.
.
{Output Omitted}
.
.
[190225 22:19:43:490] MAIN_UPGRADE_SCRIPT_END
[190225 22:19:46:091] Readiness check completed....
[190225 22:19:46:099] Attempting to remove upgrade lock
[190225 22:19:46:101] Success, removed upgrade lock
[190225 22:19:46:107]
[190225 22:19:46:109] #######################################################
[190225 22:19:46:111] # UPGRADE READINESS CHECK COMPLETE status : PASS #
[190225 22:19:46:113] #######################################################
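The readiness check has to be run and read on each unit of the HA pair, and because install_update.pl is started with --detach the prompt returns before the check has finished (as the transcript above shows), so the verdict lives only in main_upgrade_script.log. The following shell helpers are an added example, not part of the original post or a Cisco tool: they build the log path from the bundle filename, read the final "UPGRADE READINESS CHECK COMPLETE status" line, and only declare the pair upgradable when every peer reports PASS. It assumes that the log directory is always the bundle name with ".sh.REL.tar" and the trailing "-<build>" removed, which matches the transcript but is not confirmed by the release notes; the sample log text is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): helpers around the
# CLI readiness-check procedure. Paths follow the post; the log-directory naming
# rule and the sample log below are assumptions/constructed data.

UPDATES_DIR=/var/sf/updates
LOG_BASE=/ngfw/var/log/sf

# Derive the readiness log path from the bundle filename, e.g.
#   Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85.sh.REL.tar
#   -> /ngfw/var/log/sf/Cisco_FTD_SSP_FP2K_Patch-6.3.0.1/upgrade_readiness/main_upgrade_script.log
# (assumption: the directory drops the extension and the trailing -<build>)
readiness_log_path() {
    bundle=$(basename "$1")
    name=${bundle%.sh.REL.tar}   # drop the archive extension
    name=${name%-*}              # drop the trailing -<build number>
    printf '%s/%s/upgrade_readiness/main_upgrade_script.log\n' "$LOG_BASE" "$name"
}

# Print the verdict from the LAST "UPGRADE READINESS CHECK COMPLETE" line in the
# log: PASS or FAIL, or UNKNOWN when the file is unreadable or the summary line
# has not been written yet (check still running, wrong path, or script aborted).
readiness_status() {
    log=$1
    [ -r "$log" ] || { echo UNKNOWN; return 0; }
    verdict=$(grep 'UPGRADE READINESS CHECK COMPLETE status' "$log" \
        | tail -n 1 \
        | sed -n 's/.*status *: *\([A-Za-z]*\).*/\1/p')
    if [ -n "$verdict" ]; then echo "$verdict"; else echo UNKNOWN; fi
}

# Run the check for one bundle on the local unit (from expert mode, as in the
# post) and wait for the summary line. --detach returns immediately, so poll
# the log instead of trusting the command's exit status. Not run by the test.
run_readiness_check() {
    bundle=$1
    log=$(readiness_log_path "$bundle")
    sudo install_update.pl --detach --readiness-check "$UPDATES_DIR/$bundle" || return 1
    tries=0
    while [ "$(readiness_status "$log")" = UNKNOWN ] && [ "$tries" -lt 90 ]; do
        sleep 10
        tries=$((tries + 1))
    done
    readiness_status "$log"
}

# An HA pair may be upgraded only when EVERY peer reports PASS.
# Arguments: one verdict per unit, e.g. collected over SSH from each firewall.
pair_ready() {
    [ "$#" -gt 0 ] || return 1
    for v in "$@"; do
        [ "$v" = PASS ] || return 1
    done
    return 0
}

# Constructed sample log in the format shown in the transcript, for offline use.
write_sample_log() {
    cat > "$1" <<'EOF'
[190225 22:19:14:847] MAIN_UPGRADE_SCRIPT_START
[190225 22:19:14:889] Readiness check for :Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85
[190225 22:19:43:490] MAIN_UPGRADE_SCRIPT_END
[190225 22:19:46:109] #######################################################
[190225 22:19:46:111] # UPGRADE READINESS CHECK COMPLETE status : PASS #
[190225 22:19:46:113] #######################################################
EOF
}

# Stand-alone demo: parse the constructed log and evaluate a two-unit pair.
demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    primary=$(readiness_status "$tmp")
    echo "unit 1: $primary"
    echo "unit 2: UNKNOWN (log not yet written)"
    if pair_ready "$primary" UNKNOWN; then echo "pair: ready"; else echo "pair: NOT ready"; fi
    rm -f "$tmp"
}
```

On a real unit you would run `run_readiness_check Cisco_FTD_SSP_FP2K_Patch-6.3.0.1-85.sh.REL.tar` from expert mode on each firewall, then feed both verdicts to `pair_ready` before going back to the FMC and clicking Install. Treating UNKNOWN as "not ready" rather than as a pass is deliberate: a missing summary line means the check never finished, which is exactly the situation the blind upgrade described above walked into.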

Launch the upgrade process from the FMC

Once you are satisfied that both appliances are ready to be upgraded, move back to the FMC, check the box on the HA pair and click the "Install" button. You can verify by navigating to the "!" menu and the "Tasks" tab.


But now the hard part: wait for the process to complete on both firewalls, which takes quite a while.

This is a good time to grab a cup of coffee and contemplate the good ol' days of the PIX and ASA where you simply set your boot variable to the new image and rebooted.

Verify the upgrade is complete and re-apply policy

Re-login to the FMC and check the tasks tab again and verify that the process is now complete.
Click the "deploy" button and re-deploy policy to the firewalls.

Comments

  1. Thanks. I thought I would put this together since I am always looking for it myself.

  2. This process is still valid for the 6.3.0 to 6.4.0 upgrade.

  3. Hi
    I patched an HA pair and one of the devices seems to be stuck on synchronising, any idea how to resolve this issue?

    Thanks

    Replies
    1. Not sure. How long did you give it to finalize? FTD updates take quite a while. I would open a case with TAC if it's still not complete.

  4. Thanks for this! Worked going from 6.3 to 6.6

  5. Thank you very much for running down the readiness check via CLI. Definitely more helpful than the Cisco documentation!

  6. Hi Nathan,

    This is a great write-up. Thanks

    I have 3 pairs of FTDs (HA) that I want to upgrade (from 6.2.3 to 6.6.4) in a 4-hour maintenance window. Is it doable? How can I save time (e.g. "Push or Stage update" the FTD upgrade file and complete the readiness check before the maintenance window)?
    Note: The FMC and FXOS were already upgraded as per TAC advice.

    Please advise.
    Thanks
    VT

    Replies
    1. I would certainly push the update then run the "upgrade readiness check" script and view the results on all 6 firewalls prior to the update. Being HA pairs, you shouldn't need a maintenance window, but I understand it may still be ideal. Yes, FMC upgrade first is always required and should not impact the function of the firewalls themselves.

  7. In a traditional HA pair we used to copy the image to the secondary, change the boot variable and reload the secondary, and if all worked we then performed the same on the active. Here in FTD, is it not required to perform any such activity? Will it be performed automatically?

    Replies
    1. FTD is definitely more involved and time-consuming than traditional Cisco ASA. I wish it was still as simple as copying the binary over and rebooting. You do want to go through the verification scripts on FTD and then go ahead and use the FMC GUI to apply the updates.
