Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1788
Views
0
Helpful
3
Replies

FTD Frozen Upgrade

bmurphree@myemma.com
Level 1
Level 1

‎01-24-2022 08:46 AM

During a 7.0.0+ FTD upgrade on ASA hardware, has anyone else run into this problem?
The local upgrade seems to stop around 82-90%, and never recovers (it proverbially falls asleep at the wheel). Even letting the upgrade sit for an hour+ doesn't do anything. Attempting to cancel results in an error, and rebooting the device from the CLI fails.

 

Screen Shot 2022-01-24 at 10.36.42 AM.png

Cancel fails here:

Screen Shot 2022-01-24 at 10.37.14 AM.png

I've seen this issue multiple times before, and it seems the firewall falls asleep. After a while, I will log into the device in a fresh browser tab, and then the FTD realizes it needs to finish. However, in this example, there is nothing I can assume aside from hard power-cycling the FTD. Any other ideas? I do have CLI access.

RFC 1925
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎01-24-2022 11:34 AM

I personally have not experienced this issue with any FTD upgarde (so I have perhaps been lucky).

Did you run the upgrade readiness check prior to performing the upgrade?

Which ASA hardware are you running the FTD software on?

What version are you upgrading from?

Have you checked the upgrade log located under /var/log/sf?  Perhaps there is something in there indicating why it is halting / failing.

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

bmurphree@myemma.com
Level 1
Level 1
In response to Marius Gunnerud

‎01-24-2022 11:54 AM

Thanks! I've run into a myriad of upgrade failures over the past 2 years. It's a rather fragile thing in comparison to the older ASA code. Anyway, this failure occurred right after its HA mate upgrade, using the same image, was successful.

 

It does appear there's a bug, possibly:

  • Manually upgrading an FTD FXOS device (ASA5516X) to 7.0.1-84 fails to complete.

    Status: Stuck at 82% on 999_finish/989_update_ngfw_conf_aquila.sh

    BugID: CSCvz35201 states the only workaround is to contact TAC.

     

    Log:

     

    ui: Upgrade in progress: (80% done. 8 mins to reboot). Finishing the upgrade... (999_finish/920_enable_all_rpc.sh)
    ui: Upgrade in progress: (80% done. 8 mins to reboot). Finishing the upgrade... (999_finish/980_update_usb.sh)
    ui: Upgrade in progress: (80% done. 8 mins to reboot). Finishing the upgrade... (999_finish/988_reconfigure_model.sh)
    ui: Upgrade in progress: (82% done. 7 mins to reboot). Finishing the upgrade... (999_finish/989_update_ngfw_conf_aquila.sh)

    (nothing after that...)

    Canceling the upgrade also fails. Rebooting the unit fails, but I've not tried a hard-reset or sudo reboot.

 

 

 

RFC 1925
0 Helpful

Marius Gunnerud
VIP
VIP
In response to bmurphree@myemma.com

‎01-25-2022 12:12 AM

Though not with FTD software, with ASA software a hard powercycle has usually solved hanging issues for me.  But as the bug does seem to match what you are experiencing I would suggest contacting TAC for further troubleshooting / resolving the issue.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card