Solved: Re: Upgrade the FTD HA pair - Page 2

jumperdub · ‎07-31-2019

Hi there,

I'm planning to upgrade FTD version from 6.3 to 6.4. Also, My FTDs is running in HA.

As I have checked from the document Upgrading an FTD HA pair on Firepower appliances.

After the first FTD was successfully upgraded, Will the upgrade of second FTD be starting automatically and active state changed also?

However, there is some manually command from the document below that I'm not sure what exactly time I have to execute it.

Switching to Standby

I concern about this because of the FTDs are in production. Customer barely to give me downtime so I'm afraid of packet loss on the FTDs while upgrading.

Thank you

Marvin Rhoads · ‎10-04-2020

When an FTD HA pair is FMC-managed you simply select the HA pair to upgrade. FMC and FTD will work together to perform the individual unit upgrades in the proper order.

It will first upgrade the unit currently in Standby role, sync config and then switch it to Active role. It will then upgrade the formerly Active unit (now operating in Standby). After the HA pair upgrade is completed you should once again re-deploy policy to it to sync everything with FMC.

kamleshku · ‎03-04-2022

Hi Marvin,

But when we perform upgrade in HA pair, Failover is not happened , Secondary upgrade first but this unit state not change i.e even after upgrade on higher code , this in standby state , while primary with lower code still in Active state. PFB the sniff.

Marvin Rhoads · ‎04-04-2023

Check the job status entries in FMC to see if any error was reported.

This is definitely unusual behavior and may require a TAC case to resolve.

syed.akbarzada · ‎05-24-2023

Hi Marvin - This upgrade is not the same for the version 7.0.5 platform 2140. it will NOT automatically upgrade the primary or secondary as active/standby unit. it is required to push the image to both FTD's and start installing the standby unit first. once done make sure you don't have any deployment pending on FMC, then failover unit to the secondary unit and start upgrade the same way as you did the legacy standby unit. and redeploy to synch with FMC.

I hope it make sense

Marvin Rhoads · ‎05-25-2023

@syed.akbarzada I have a couple of customers running 2100 series with FTD image in HA setup and your observation does not match my experience. I have upgraded them multiple times from FMC and it always worked as one upgrade to the pair and then FMC takes care of everything.

Mohammed al Baqari · ‎10-04-2020

Hi,

You can upgrade directly from FMC:

- First check from release notes if you can run 6.4 on ASA5555. It might
not be supported
- I know that 6.4 have couple of major bugs. Hence my advise is to go to
6.5 (require fmc upgrade) directly or stay at 6.3

**** please remember to rate useful posts

asadali1979 · ‎10-04-2020

Hi Mohammed,

Thanks for the reply.. i've checked and 6.4.0 is supported for ASA-5555-X, also team doesn't want to upgrade to 6.5 currently. that's why we've to upgrade the ASA-FTD to 6.4.0.9

please correct me if i'm not wrong

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/welcome.html