Update Firepower Devices – Manually

This is short and hopefully helpful post on how to manually update Cisco Firepower Devices. I have run into this problem a couple of times which is pushing this update with the FMC sometimes just fails and it never really seems to download the update to the Firepower sensor.

On the FMC it will stay on “Initializing” for an hour and timeout so here are the steps to manually update your Firepower Sensor:

  • You can manually update this by either connecting to the console or ssh into the sensor.
  • Once in you’ll need to the bash shell so type the command “expert” to get into it.
  • Next, you need to evaluate to the root account by using sudo su
  • SCP copy the update to the /var/sf/updates folder, you can either copy from the FMC or something else that has the update you are looking for.
scp admin@192.168.1.5:/image.sh /var/sf/updates

If the update is on the FMC the path is /var/sf/updates and it would look something like this, we are pulling from the FMC and copying to the sensor to /var/sf/updates folder.

scp admin@192.168.1.5:/var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh /var/sf/updates
  • Install the update via install_update.pl /var/sf/updates/image.sh and watch the console when the upgrade completes your sensor will reboot and no action is needed on the FMC it will automatically detect the new version.

Below is an omitted copy of the console output when upgrading Cisco Firepower devices, keep in mind this session has to stay active don’t close or disconnect while updating, let’s just say hitting CTRL+C during this process is an instant killjoy, and although it can be fixed I wouldn’t advise it 🙂

> expert
admin@host-172-16-1-110:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
root@host-172-16-1-110:~#scp admin@172.16.1.15:/var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh /var/sf/updates
Cisco_FTD_Patch-6.2.0.2-51.sh                 100%  319MB   6.0MB/s   00:53
root@host-172-16-1-110:~#install_update.pl /var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh
ARGV[0] = /var/sf/updates/Cisco_FTD_Patch-6.2.0.2-51.sh
TODO:: Need to check Sybase Database is running in Standby Mode at /ngfw/usr/local/sf/bin/install_update.pl line 246.
Verifying archive integrity... All good.
Uncompressing Cisco FTD Patch / Fri May 26 23:33:01 UTC 2017.............
[170621 01:01:52] #####################################
[170621 01:01:52] # UPGRADE  STARTING
[170621 01:01:52] #####################################
[170621 01:01:52] BEGIN  000_start/000_check_update.sh
[170621 01:01:53] BEGIN  000_start/100_start_messages.sh
[170621 01:01:53] BEGIN  000_start/100_zz_verify_bundle.sh
[170621 01:01:53] BEGIN  000_start/101_run_pruning.pl
[170621 01:01:58] BEGIN  000_start/102_check_sru_install_running.pl
[170621 01:01:58] BEGIN  000_start/105_check_model_number.sh
[170621 01:01:58] BEGIN  000_start/106_check_HA_sync.pl
[170621 01:01:59] BEGIN  000_start/106_check_HA_updates.pl
[170621 01:01:59] BEGIN  000_start/107_version_check.sh
[170621 01:01:59] BEGIN  000_start/108_check_sensors_ver.pl
[170621 01:02:00] BEGIN  000_start/109_check_HA_MDC_status.pl
[170621 01:02:00] BEGIN  000_start/110_DB_integrity_check.sh
[170621 01:02:02] BEGIN  000_start/111_FS_integrity_check.sh
[170621 01:02:02] BEGIN  000_start/112_CF_check.sh
...
[170621 01:08:14] BEGIN 999_finish/999_y_must_be_next_to_last_to_generate_integrity_data.sh
[170621 01:08:15] BEGIN 999_finish/999_z_must_remain_last_finalize_boot.sh
[170621 01:08:15] BEGIN 999_finish/999_zz_install_bundle.sh
Cleaning up.
shutdown PM on whitebox systems except Readiness package, sample patch and RNA redhat
about to remove upgrade lock
removed '/ngfw/tmp/upgrade.lock/main_upgrade_script.log'
removed '/ngfw/tmp/upgrade.lock/status_log'
removed '/ngfw/tmp/upgrade.lock/PID'
removed '/ngfw/tmp/upgrade.lock/LSM'
removed directory: '/ngfw/tmp/upgrade.lock'
[170621 01:08:48] Attempting to remove upgrade lock
[170621 01:08:48] Success, removed upgrade lock
Upgrade lock /ngfw/tmp/upgrade.lock removed successfully.
[170621 01:08:48]
[170621 01:08:48] #######################################################
[170621 01:08:48] # UPGRADE COMPLETE #
[170621 01:08:48] #######################################################
Process 1061 exited.I am going away.
RC: 0
Update package reports success: almost finished...
Scheduling a reboot to occur in 60 seconds...
Advertisements

Leave a Reply...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s