Firepower 6.2.3 released

Oliver Kaiser
Level 7

For all of you out there eager to upgrade your lab environments (or brave enough to upgrade to a new software release a few hours after release), Firepower 6.2.3 has just been released and brings some interesting and long-awaited changes...

Some features worth noting:

SSL Hardware Acceleration
FPR4100/9300 can make use of their built-in crypto chips for SSL encryption and decryption

Firepower Management Center REST API Improvements
CRUD operations for NAT, static routing, and HA bundling

Upgrade Package Push
Download updates to your sensors before maintenance windows... Saves a lot of time in case you have some low-bandwidth links

Policy Deploy Restart Improvements
Fewer Snort restarts during policy deployments, leading to smoother policy deployments

Firepower Device Manager REST API
FTD now includes an API browser and a large set of CRUD operations

Direct Upgrade from 6.1.x (!)
Starting with version 6.1.0 you can directly upgrade to 6.2.3. No need to go through many time-consuming upgrades (upgrade times should also be greatly improved, but we'll see :)

Apart from some other enhancements there have been 207 bug fixes and minor changes in default behavior. For a full list of changes check out the release notes:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/relnotes/Firepower_Release_Notes_623.html

EDIT:

The upgrade was pulled off the Cisco download site due to a bug that basically changed your IPS variable set when you were using objects in it. An updated upgrade package should be available on Monday, 2nd of April.
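As an added example (not code from the original post, from Cisco, or from any project mentioned in the thread): a pre-upgrade inventory check over the FMC REST API, the API the post says gained more CRUD operations in 6.2.3. It authenticates against the token endpoint, lists the managed devices and flags every sensor below 6.1.0, the floor the post gives for a direct upgrade to 6.2.3 and the version a reply further down says all managed sensors must be at before the FMC itself is upgraded. Assumed for illustration: the FMC hostname and credentials, the constructed device inventory, and that an expanded device record exposes its software version in a "sw_version" field (check this against your FMC's API Explorer). Run stand-alone it uses a fake transport so the check works offline; pass the real transport to run it against a lab FMC.

```python
"""Pre-upgrade sensor inventory check through the FMC REST API (added example).

The token endpoint and devicerecords collection are the documented FMC 6.2.x
REST paths; the "sw_version" field, hostname, credentials and inventory below
are assumptions for illustration, not values from the thread.
"""
import base64
import json
import re
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords?expanded=true"
MIN_SENSOR_VERSION = "6.1.0"   # direct-upgrade floor stated in the post


def parse_version(text):
    """'6.2.2.2' -> (6, 2, 2, 2); a trailing build string such as ' (build 83)' is ignored."""
    head = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not head:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in head.group(0).split("."))


def meets_minimum(version, minimum):
    """True if version >= minimum; shorter tuples are zero-padded before comparing."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def https_transport(method, url, headers, body=None, verify=True):
    """Real transport. Only set verify=False for a lab FMC with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, dict(resp.headers), resp.read()


class FMCClient:
    """Minimal token-authenticated FMC REST client with a pluggable transport."""

    def __init__(self, base_url, username, password, transport=https_transport):
        self.base_url = base_url.rstrip("/")
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.transport = transport
        self.token = self.domain = None

    def login(self):
        # FMC answers 204 No Content; the token and domain UUID travel in response headers.
        status, headers, _ = self.transport(
            "POST", self.base_url + TOKEN_PATH, {"Authorization": "Basic " + self.basic}, b"")
        if status != 204:
            raise RuntimeError(f"token request failed: HTTP {status}")
        headers = {k.lower(): v for k, v in headers.items()}
        self.token = headers["x-auth-access-token"]
        self.domain = headers["domain_uuid"]

    def devices(self):
        if self.token is None:
            self.login()
        url = self.base_url + DEVICES_PATH.format(domain=self.domain)
        status, _, body = self.transport(
            "GET", url, {"X-auth-access-token": self.token, "Accept": "application/json"})
        if status != 200:
            raise RuntimeError(f"device listing failed: HTTP {status}")
        return json.loads(body).get("items", [])


def sensor_blockers(client, minimum=MIN_SENSOR_VERSION):
    """(name, version) of every sensor that would block the FMC upgrade."""
    return [(d["name"], d.get("sw_version", "0"))
            for d in client.devices()
            if not meets_minimum(d.get("sw_version", "0"), minimum)]


# Constructed lab inventory so the check runs offline; names, models and versions are made up.
DEMO_DEVICES = [
    {"name": "ftd-2110-lab", "model": "Cisco Firepower 2110 Threat Defense", "sw_version": "6.2.2.2"},
    {"name": "ftdv-lab", "model": "Cisco Firepower Threat Defense for VMware", "sw_version": "6.1.0"},
    {"name": "asa5506-ftd", "model": "Cisco ASA5506-X Threat Defense", "sw_version": "6.0.1"},
]


def demo_transport(method, url, headers, body=None, verify=True):
    """Fake transport answering like an FMC for the two calls the client makes."""
    if method == "POST" and url.endswith(TOKEN_PATH):
        assert headers["Authorization"].startswith("Basic ")
        return 204, {"X-auth-access-token": "demo-token", "DOMAIN_UUID": "e276abec-demo"}, b""
    if method == "GET" and "/devices/devicerecords" in url:
        assert headers["X-auth-access-token"] == "demo-token"
        return 200, {}, json.dumps({"items": DEMO_DEVICES}).encode()
    return 404, {}, b""


def demo():
    client = FMCClient("https://fmc.lab.example", "api-user", "api-pass", demo_transport)
    return sensor_blockers(client)


if __name__ == "__main__":
    for name, version in demo():
        print(f"{name}: {version} is below {MIN_SENSOR_VERSION}; upgrade it before the FMC")
```

The same meets_minimum check applies to the FXOS floor a later reply mentions for 4100/9300 chassis; the point is to compare versions numerically (6.2.10 sorts after 6.2.3) rather than as strings, and to refuse the FMC upgrade while any managed sensor is below the floor.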

15 Replies

Brandon1
Level 1

I was brave enough to attempt the FMC upgrade, which doesn't appear to be available to download any longer at the time of writing this. Luck was not on my side...

I am running the FMCv on ESXi, was at version 6.2.2.2, managed one FTD device (FP 2110).

My upgrade fails at 42%. I'm still playing around with it (blindly) but wanted to share what I am seeing in case it helps anyone make a more informed decision.

getting filenames from [/usr/local/sf/etc/db_updates/base-6.2.3]
getting exceptions from [/usr/local/sf/etc/db_exceptions/db_exceptions.yaml]
Unable to run DB Check, Can't call method "selectall_arrayref" on unblessed reference at /usr/local/sf/bin/DBCheck.pl line 71.
running database integrity check with the following options:
- use exception directory /usr/local/sf/etc/db_exceptions
- check refererences
- check enterprise objects
- check schema
- check required data
- log to file /var/log/sf/Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.3/DBCheck.log
- log to stderr
Fatal error: ERROR: Post-install database integrity check failed
**********************************************************
[180330 17:22:35:398] Starting script: 600_schema/110_post_update_dbic.sh
Entering 600_schema/110_post_update_dbic.sh...
No /.skip_pidbic file found, running the post install database integrity check 
getting filenames from [/usr/local/sf/etc/db_updates/index]
getting filenames from [/usr/local/sf/etc/db_updates/base-6.2.3]
getting exceptions from [/usr/local/sf/etc/db_exceptions/db_exceptions.yaml]

I don't have much experience or knowledge working through the Linux-based CLI so I won't be able to provide many logs. I do see this though:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The Cisco 6.2.3 upgrade has halted, status:
[42%] Fatal error: Error running script 600_schema/110_post_update_dbic.sh

Log files for the halted upgrade are located beneath:
/var/log/sf/Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.3
If log files indicate upgrade failure please contact technical support.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

If log files indicate upgrade failure and failure condition has been fixed, up grade can be resumed by running 'upgrade_resume.sh'

Fortunately my system hasn't made it to production yet...

Hi

I would suggest opening a TAC case for this one.

Thanks,

Yogesh

Hi,
Had exactly the same crash.
Index errors in my DB.
It was in my lab so I reinstalled it.

Br, Micke

Hi Brandon,

I do see a fatal error in your logs. If you are upgrading FMC to 6.2.3 then all your sensors in the FMC must be at least on version 6.1.0.

The fatal error mainly refers to the sensors not supporting the FMC version you are upgrading to.

Check on upgrading the sensors first to a version supported by the FMC version you are going to, either 6.2.0 or 6.2.3 etc., then you can upgrade the FMC.

Regards,

Azeem Usman

I downloaded the update for our 2110 and then ran the install_update.pl --readiness-check from the cli.  The final response at the end of the check says "UPGRADE READINESS CHECK COMPLETE  status : PASS" but when I scroll up a bit there's an error that says the appliance lacks enough disk space to install the update:

"...

[180330 18:35:43:278] Low disk space detected, upgrade may fail if pruning not recovered enough disk space 000_start/410_check_disk_space.sh
Find largest table in /var/lib/mysql ...
Checking for 770048K of /var disk space to upgrade the database
Total disk space calculated based on mysql files
Warning: Using a password on the command line interface can be insecure.
/ngfw/Volume/lib/mysql /ngfw/var/tmp/selfgz225123829
/ngfw/var/tmp/selfgz225123829
disk space required to backup database is 2107578
Total /var disk space needed for upgrade is 11006138
Fatal error: Not enough var disk space available.  You need at least 11006138K free to perform this upgrade.  You have 8302620K free.
Low disk space detected, upgrade may fail if pruning not recovered enough disk space
[180330 18:35:43:281] continuing on next script due to readiness check.

..."

How is it possible that the check passed after it failed the space check, and how is it possible an update has been released that won't fit on the appliance?
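As an added example (not code from the original thread or from Cisco), here is how to read these logs without trusting the tool's own summary. The thread shows two cases: install_update.pl --readiness-check printing "status : PASS" after a "Fatal error: Not enough var disk space" line, and the FMC upgrade halting at 42% after DBCheck.pl reported a fatal error. The parser below treats every "Fatal error:" line as a blocker regardless of the final status line, and pulls the disk shortfall in KB out of the disk-space error so you know how much to free before retrying. Both sample logs are constructed from the excerpts quoted in the thread, not full captures.

```python
"""Audit a Firepower upgrade or readiness-check log for fatal errors (added example).

Sample logs are constructed from the excerpts quoted in the thread.
"""
import re

FATAL_RE = re.compile(r"Fatal error:\s*(.+)")
DISK_RE = re.compile(r"You need at least (\d+)K free.*?You have (\d+)K free")
STATUS_RE = re.compile(r"UPGRADE READINESS CHECK COMPLETE\s+status\s*:\s*(\w+)")


def audit_log(text):
    """Return the fatal errors found, the disk shortfall in KB (if the disk-space
    check fired), the status the tool printed, and whether that status contradicts
    the errors. The verdict is FAIL whenever any "Fatal error:" line is present."""
    fatals, shortfall, reported = [], None, None
    for line in text.splitlines():
        m = FATAL_RE.search(line)
        if m:
            fatals.append(m.group(1).strip())
        m = DISK_RE.search(line)
        if m:
            need, have = int(m.group(1)), int(m.group(2))
            shortfall = max(0, need - have)
        m = STATUS_RE.search(line)
        if m:
            reported = m.group(1)
    return {
        "fatal_errors": fatals,
        "disk_shortfall_kb": shortfall,
        "reported_status": reported,
        "verdict": "FAIL" if fatals else "PASS",
        "misreported": reported == "PASS" and bool(fatals),
    }


# Constructed from the readiness-check excerpt in the thread (FTD 2110, 6.2.3 package).
READINESS_LOG = """\
[180330 18:35:43:278] Low disk space detected, upgrade may fail if pruning not recovered enough disk space 000_start/410_check_disk_space.sh
Checking for 770048K of /var disk space to upgrade the database
disk space required to backup database is 2107578
Total /var disk space needed for upgrade is 11006138
Fatal error: Not enough var disk space available.  You need at least 11006138K free to perform this upgrade.  You have 8302620K free.
[180330 18:35:43:281] continuing on next script due to readiness check.
UPGRADE READINESS CHECK COMPLETE  status : PASS
"""

# Constructed from the FMC upgrade excerpt in the thread (post-install DB integrity check).
FMC_UPGRADE_LOG = """\
[180330 17:22:35:398] Starting script: 600_schema/110_post_update_dbic.sh
Unable to run DB Check, Can't call method "selectall_arrayref" on unblessed reference at /usr/local/sf/bin/DBCheck.pl line 71.
Fatal error: ERROR: Post-install database integrity check failed
[42%] Fatal error: Error running script 600_schema/110_post_update_dbic.sh
"""


if __name__ == "__main__":
    for name, log in (("readiness", READINESS_LOG), ("fmc-upgrade", FMC_UPGRADE_LOG)):
        r = audit_log(log)
        print(f"{name}: verdict={r['verdict']} tool_said={r['reported_status']} "
              f"misreported={r['misreported']} shortfall_kb={r['disk_shortfall_kb']}")
        for err in r["fatal_errors"]:
            print("  -", err)
```

On the readiness excerpt this reports a shortfall of 2703518 KB (about 2.6 GB) and flags the PASS as contradicted by the fatal line, which matches the question above: the readiness run continues past the disk check ("continuing on next script due to readiness check") and the final status only reflects that the scripts ran, not that each one succeeded.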

I received a workaround from TAC for this. I was on 6.2.2 upgrading to 6.2.3 and had the same issue. There was a bug that didn't rotate the mysql-server.err file. This workaround must be done in order to have enough space.

The bug is fixed in 6.2.2.2 and 6.2.3, but if you don't have space you can't upgrade, so you are stuck with performing the workaround.

Hi Dan,

Can you share the provided workaround? I'm stuck trying to upgrade an NGFWv from 6.2.2.2 to 6.2.3, getting the disk space errors.

I tried to free some disk space erasing old update files, logs, tmp and so on, but still unsuccessful.

Thank you for your help!

It was an internal doc.  I wouldn't want to be responsible for any issues it might cause.  I suggest you contact TAC for the workaround.

Thank you Dan,

I will contact TAC to get help.

Regards,

I will be doing the same. It would be nice if Cisco formally published the workaround advice, since you need a current support contract to download the update in the first place. 

Marvin Rhoads
Hall of Fame

I upgraded my FMC and two managed sensors (FTDv) in my lab successfully. That went without a hitch and has been running OK so far.

I also upgraded an ASA 5506 with local (FDM) management. I ended up having to reimage it and start from bare metal. Once I did that it is also working fine (so far).

@Oliver Kaiser I will be interested to see if you do some further experimentation with the API now that there are a bunch more PUT operations available.

I am currently working on Ansible modules for the FMC API... Hopefully I will be done with an alpha release by the end of April. I will update this post once I have something that is useful to others. :)

dan.letkeman
Level 4

Installed 6.2.3 on the 30th on an FMCv, 2120 and a 5545x which are all working without issue. I don't use IPS so I didn't have an issue with the bug that was found last week. I had a list of 8 bugs that I ran into with 6.2.2, so 6.2.3 was a welcome patch to install. For me SSL decryption is the only thing still not working properly even on 6.2.3.

After reading the Firepower Compatibility guide, I understand that for 4100/9000 Appliances, FXOS should be upgraded first to 2.3.1.73+ on the appliance before proceeding with the FMC upgrade
