Cisco Firepower 4100/9300 FXOS Release Notes, 2.1(1)
First Published: January 23, 2017
Last Revised: June 3, 2019
This document contains release information for Cisco Firepower eXtensible Operating System 2.1(1).
Use this release note as a supplement to the other documents listed in the documentation roadmap:
http://www.cisco.com/go/firepower9300-docs
http://www.cisco.com/go/firepower4100-docs
Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
This document contains the following sections:
–New Features in FXOS 2.1.1.116
–New Features in FXOS 2.1.1.115
–New Features in FXOS 2.1.1.113
–New Features in FXOS 2.1.1.107
–New Features in FXOS 2.1.1.106
–New Features in FXOS 2.1.1.97
–New Features in FXOS 2.1.1.86
–New Features in FXOS 2.1.1.85
–New Features in FXOS 2.1.1.83
–New Features in FXOS 2.1.1.77
–New Features in FXOS 2.1.1.73
–New Features in FXOS 2.1.1.64
–Upgrade a Firepower Security Appliance with No Logical Devices Configured
–Upgrade a Firepower Security Appliance Running Standalone Firepower Threat Defense Logical Devices or a Firepower Threat Defense Intra-Chassis Cluster
–Upgrade Firepower Security Appliances with Firepower Threat Defense Logical Devices in a Failover Configuration
–Upgrading a Firepower Security Appliance Running Standalone ASA Logical Devices or an ASA Intra-Chassis Cluster
–Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process
–Upgrading an ASA Failover Pair
–Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process
–Upgrading an ASA Inter-chassis Cluster
–Resolved Bugs in FXOS 2.1.1.116
–Resolved Bugs in FXOS 2.1.1.115
–Resolved Bugs in FXOS 2.1.1.113
–Resolved Bugs in FXOS 2.1.1.107
–Resolved Bugs in FXOS 2.1.1.106
–Resolved Bugs in FXOS 2.1.1.97
–Resolved Bugs in FXOS 2.1.1.86
–Resolved Bugs in FXOS 2.1.1.85
–Resolved Bugs in FXOS 2.1.1.83
–Resolved Bugs in FXOS 2.1.1.77
–Resolved Bugs in FXOS 2.1.1.73
–Resolved Bugs in FXOS 2.1.1.64
The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The Firepower security appliance provides the following features:
■Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
■Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
■FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
■FXOS REST API—Allows users to programmatically configure and manage their chassis.
Cisco Firepower eXtensible Operating System 2.1.1.116 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.116).
Cisco Firepower eXtensible Operating System 2.1.1.115 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.115).
Cisco Firepower eXtensible Operating System 2.1.1.113 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.113).
Cisco Firepower eXtensible Operating System 2.1.1.107 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.107).
Cisco Firepower eXtensible Operating System 2.1.1.106 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.106).
Cisco Firepower eXtensible Operating System 2.1.1.97 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.97).
Cisco Firepower eXtensible Operating System 2.1.1.86 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.86).
Cisco Firepower eXtensible Operating System 2.1.1.85 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.85).
Cisco Firepower eXtensible Operating System 2.1.1.83 introduces the following new features in addition to the features included in earlier releases:
■Adds additional support for verifying security module adapters and provides CLI commands for viewing and updating the boot image for the adapter.
Note: After installing FXOS 2.1.1.83, you might receive a critical fault asking you to update the firmware for your security module adapters. For instructions, see Adapter Bootloader Upgrade.
■Secure Unlock, also called Cisco Interactive Debug, is a new serviceability feature that implements a secure way of accessing a Linux prompt on the Supervisor Module on Firepower 9300 and Firepower 4100 Series security appliances.
Note: Before you can use the Secure Unlock feature, the security appliance must have Firmware package 1.0.12 or later installed. For instructions on how to verify your firmware package version and to upgrade the firmware if necessary, see the “Firmware Upgrade” topic in the Cisco FXOS CLI Configuration Guide, 2.1(1) or Cisco FXOS Firepower Chassis Manager Configuration Guide, 2.1(1) (http://www.cisco.com/go/firepower9300-config).
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.83).
Cisco Firepower eXtensible Operating System 2.1.1.77 introduces the following new features in addition to the features included in earlier releases:
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.77).
Cisco Firepower eXtensible Operating System 2.1.1.73 introduces the following new features in addition to the features included in earlier releases:
■Support for Service Chaining of Radware DefensePro (vDP) with Firepower Threat Defense on all Firepower 4100 and 9300 devices.
Note: Radware DefensePro (vDP) with Firepower Threat Defense is supported on FXOS 2.1.1.64 and later, but requires Radware vDP version 8.10.01.17-2, which is being released at the same time as FXOS 2.1.1.73. For more information on version compatibility, see Cisco FXOS Compatibility (http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html).
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.73).
Cisco Firepower eXtensible Operating System 2.1.1.64 introduces the following new features:
■New option to remove the Call Home URL via the Firepower Chassis Manager or FXOS CLI.
■You can now configure Console authentication using the Firepower Chassis Manager.
■You can now view and configure the AAA authentication fallback method using the Firepower Chassis Manager.
■FXOS will now verify the integrity of CSP files installed on the system.
■Support for Firepower Threat Defense 6.2.
■Support for Service Chaining of Radware DefensePro (vDP) with Firepower Threat Defense on all Firepower 4100 and 9300 devices.
■Support for 1GB FTW network modules on the Firepower 4100 series security appliances.
■Support for high-voltage DC (HVDC) power supply modules on the Firepower 9300 security appliance.
■Support for inter-chassis clustering using Firepower Threat Defense 6.2 and later.
■Inter-site clustering improvement.
■You can now use the FXOS Chassis Manager to enable FIPS/Common Criteria mode to support achieving compliance with FIPS (Federal Information Processing Standard) 140-2 and Common Criteria security certifications.
■FXOS 2.1(1) contains several new features and numerous enhancements to support achieving compliance with the UC-APL (Unified Capabilities Approved Product List) security certification:
–Enable/Disable FIPS/CC Mode using Firepower Chassis Manager
–Configuring Management ACL (ip-block) via Firepower Chassis Manager
–Configuring SSH Server – MAC Authentication via Firepower Chassis Manager
–Configuring SSH Server – Encryption Algorithms via Firepower Chassis Manager
■You can now enable NTP server authentication.
■FXOS now has an absolute timeout value that will close Firepower Chassis Manager sessions regardless of session use. The absolute timeout value defaults to 60 minutes and can be changed using the FXOS CLI. Refer to the FXOS CLI Configuration Guide for more information.
■Information about data port-channels inline pairs is now propagated from Firepower Threat Defense to FXOS.
■You can now use Firepower Chassis Manager to delete application instances that are not part of a logical device.
■Enhancements to the Packet Capture feature:
–Filtering based on IPv6 addresses.
–Specifying the snap length for a session.
–Support for session sizes from a range of 1 MB to 2 GB. In previous releases, it was from 256 MB to 2 GB.
–Command to delete all packet capture sessions.
–LACP Control traffic prioritization for the configured port-channels in FXOS.
–MIO CPU port queue settings modifications to prioritize internal Control Plane traffic.
■Licensing changes for ASA failover pairs. Only the active unit requests the license entitlements. Previously, both units requested license entitlements.
■Fixes for various problems (see Resolved Bugs in FXOS 2.1.1.64).
You can download software images for FXOS and supported applications from one of the following URLs:
■Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
■Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, refer to the Cisco FXOS Compatibility guide at this URL:
http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
■Beginning with ASA 9.7, the behavior for smart licensing configurations for failover pairs has changed. If you are upgrading an ASA failover pair from 9.6 and earlier to 9.7 and later, you must perform the following steps to upgrade the entitlements on the devices (active unit is device A and standby unit is device B):
a. If the current standby unit (device B) has any entitlements configured, remove the configuration from the standby unit and instead configure the same entitlements on the active unit (device A). For context count, combine the values from the active unit and standby unit and request the total number on the active unit.
b. Upgrade the standby unit (device B) and then let it rejoin the failover pair as standby. At this point there is no smart license configuration on device B. For more information, see Upgrading an ASA Failover Pair.
c. Upgrade the active unit (device A). During the upgrade, device A will leave the failover pair and device B will become active. All of the entitlements that were configured on device A need to be configured on device B while device A is being upgraded.
d. After device A finishes upgrading, it will rejoin the failover pair as a standby unit. Since it is now standby, it will release all entitlements and remove the smart license configuration.
During configuration sync from device B (active) to device A (standby), device A will receive and cache the smart license configuration from device B so that if it ever becomes the active unit, it knows what entitlements need to be requested.
■When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application. Note that this issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.
■Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
■Beginning with FXOS 1.1(3), the behavior for port-channels was changed. In FXOS 1.1(3) and later releases, when a port-channel is created, it is now configured as lacp cluster-detach by default and its status will show as down even if the physical link is up. The port-channel will be brought out of cluster-detach mode in the following situations:
–The port-channel's port-type is set to either cluster or mgmt
–The port-channel is added as a data port for a logical device that is part of a cluster and at least one security module has joined the cluster
If the port-channel is removed from the logical device or the logical device is deleted, the port-channel will revert to cluster-detach mode.
FXOS 2.1.1.83 and later adds additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.1.1.83 or later, you might receive the following critical fault on your security appliance indicating that you should update the firmware for your security module adapter:
Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.
If you receive the above message, use the following procedure to update the boot image for your adapter:
1. Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Enter the adapter mode for the adapter whose boot image you are updating:
3. Use the show image command to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:
--------------------------------------------- -------------------- -------
fxos-m83-8p40-cruzboot.4.0.1.62.bin Adapter Boot 4.0(1.62)
fxos-m83-8p40-vic.4.0.1.51.gbin Adapter 4.0(1.51)
4. Use the update boot-loader command to update the adapter boot image to version 4.0.1.62:
5. Use the show boot-update status command to monitor the update status:
6. Use the show version detail command to verify that the update was successful:
Note: Your show version detail output might differ from the following example. However, please verify that Bootloader-Update-Status is “Ready” and that Bootloader-Vers is 4.0(1.62).
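The following is an added example, not Cisco code and not part of the original release notes: it scans saved fault listings from several chassis for the F1715 adapter fault quoted above and reports which adapter on which security module still needs the boot-loader update. It assumes one fault per line in the layout of the quoted message; the chassis names and every sample line other than the quoted message are constructed.

```python
import re
from typing import Dict, List, NamedTuple

FAULT_CODE = "F1715"  # fault code quoted in the release notes

# Layout taken from the single fault line quoted in the release notes:
#   <severity> <code> <timestamp> <fault id> <description>
FAULT_RE = re.compile(
    r"^(?P<severity>[A-Za-z]+)\s+(?P<code>F\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<fault_id>\d+)\s+(?P<description>.+)$"
)
ADAPTER_RE = re.compile(r"Adapter\s+(\d+)\s+on\s+Security Module\s+(\d+)")


class AdapterFault(NamedTuple):
    chassis: str
    module: int
    adapter: int
    first_seen: str


def adapters_needing_bootloader(listings: Dict[str, str]) -> List[AdapterFault]:
    """Return one entry per (chassis, module, adapter) that raised F1715.

    listings maps a chassis name (chosen by the operator) to the text of a
    saved fault listing. Lines that do not match the layout are ignored, and
    repeated faults for the same adapter collapse to the earliest timestamp.
    """
    found = {}
    for chassis, text in listings.items():
        for raw in text.splitlines():
            fault = FAULT_RE.match(raw.strip())
            if fault is None or fault.group("code") != FAULT_CODE:
                continue
            where = ADAPTER_RE.search(fault.group("description"))
            if where is None:
                continue  # F1715 line without an adapter/module reference
            key = (chassis, int(where.group(2)), int(where.group(1)))
            seen = fault.group("time")
            # Same-format ISO timestamps sort correctly as strings.
            if key not in found or seen < found[key].first_seen:
                found[key] = AdapterFault(key[0], key[1], key[2], seen)
    return sorted(found.values())


def chassis_without_fault(listings: Dict[str, str]) -> List[str]:
    """Chassis whose listing contains no F1715 adapter fault."""
    affected = {f.chassis for f in adapters_needing_bootloader(listings)}
    return sorted(name for name in listings if name not in affected)


# Constructed sample input. Only the first line of "fw-a" is the message
# quoted in the release notes; the other lines and both chassis names are
# made up for this example, and F9999 is a placeholder code.
SAMPLE_LISTINGS = {
    "fw-a": "\n".join([
        "Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security "
        "Module 1 requires a critical firmware upgrade. Please see Adapter "
        "Bootloader Upgrade instructions in the FXOS Release Notes posted "
        "with this release.",
        "Critical F1715 2017-05-11T11:43:35.410 339562 Adapter 1 on Security "
        "Module 2 requires a critical firmware upgrade.",
        "Critical F1715 2017-05-11T12:00:00.000 339600 Adapter 1 on Security "
        "Module 1 requires a critical firmware upgrade.",
        "this line is not a fault record",
    ]),
    "fw-b": "Warning F9999 2017-05-11T11:40:00.000 339000 Constructed filler fault.",
}

if __name__ == "__main__":
    for fault in adapters_needing_bootloader(SAMPLE_LISTINGS):
        print(f"{fault.chassis}: security module {fault.module}, "
              f"adapter {fault.adapter} (first seen {fault.first_seen})")
    print("no F1715 fault:", ", ".join(chassis_without_fault(SAMPLE_LISTINGS)))
```

After the update, the release notes' own check still applies: confirm in show version detail that Bootloader-Update-Status is “Ready” and Bootloader-Vers is 4.0(1.62).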
You can access the Firepower Chassis Manager using the following browsers:
■Mozilla Firefox – Version 42 and later
■Google Chrome – Version 47 and later
■Microsoft Internet Explorer – Version 11 and later
Testing on FXOS 2.1(1) was performed using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.
Use the following tables for guidance on the upgrade path required to move from older releases to this release. For instructions on upgrading to a specific release, see the release notes document for that release:
http://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html
Refer to the FXOS Compatibility guide for release version compatibility information. Use older compatible versions of the application only in the context of upgrades. Note that for upgrade-compatible versions, you may be prompted that the application version is not compatible with the new FXOS version; in this case, indicate Yes to continue with the upgrade. You are expected to upgrade the application version as soon as possible.
Note: If you are running a version of FXOS earlier than FXOS 1.1(4), see the Cisco FXOS Release Notes, 1.1(4) for information on how to upgrade your system to FXOS 1.1(4).
■The upgrade process typically takes between 20 and 30 minutes.
If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic will not traverse through the device while it is upgrading.
If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic will not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster will continue to pass traffic.
■When upgrading the FXOS platform bundle software and application CSP images at the same time, do not upload the application CSP images to your security appliance until after you upgrade the FXOS platform bundle software.
Refer to the upgrade instructions that apply for your device configuration:
■Upgrade a Firepower Security Appliance with No Logical Devices Configured
■Upgrade a Firepower Security Appliance Running Standalone Firepower Threat Defense Logical Devices or a Firepower Threat Defense Intra-Chassis Cluster
■Firepower security appliances with Firepower Threat Defense logical devices in a failover configuration: Upgrade Firepower Security Appliances with Firepower Threat Defense Logical Devices in a Failover Configuration
■Firepower security appliance that is running standalone ASA logical devices or an ASA intra-chassis cluster: Upgrading a Firepower Security Appliance Running Standalone ASA Logical Devices or an ASA Intra-Chassis Cluster
■Firepower security appliances with ASA logical devices in a failover configuration: For instructions on how to upgrade from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97), see Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process. For instructions on how to upgrade from FXOS 2.0(1.37)-2.0(1.86) to FXOS 2.1(1.64), see Upgrading an ASA Failover Pair.
■Two or more Firepower security appliances that are configured as an ASA inter-chassis cluster: For instructions on how to upgrade from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97), see Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process. For instructions on how to upgrade from FXOS 2.0(1.37)-2.0(1.86) to FXOS 2.1(1.64), see Upgrading an ASA Inter-chassis Cluster.
If your Firepower security appliance is not yet configured with any logical devices, perform the following steps to update your system to 2.1(1):
1. Download the FXOS 2.1(1) image to your local computer (see Software Download).
2. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: After upgrading FXOS, you can then upgrade the Firepower Threat Defense logical devices using the Firepower Management Center. For more information, see the Firepower System Release Notes.
1. Download the FXOS 2.1(1) image to your local computer (see Software Download).
2. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: After upgrading FXOS, you can then upgrade the Firepower Threat Defense logical devices using the Firepower Management Center. For more information, see the Firepower System Release Notes.
1. Download the FXOS 2.1(1) image to your local computer (see Software Download).
2. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby Firepower Threat Defense logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
3. Wait for the chassis to reboot and upgrade successfully:
a. Enter show firmware monitor under scope system to monitor the upgrade process.
b. After the upgrade process finishes, enter show slot under scope ssa to verify that the slots have come “Online.”
c. Enter show app-instance under scope ssa to verify that the applications have come “Online.”
4. Make the Firepower Threat Defense device that you just upgraded the active unit so that traffic flows to the upgraded unit. For instructions, see the “Switch the Active Peer in a Firepower Threat Defense High Availability Pair” topic in the Firepower Management Center Configuration Guide.
5. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby Firepower Threat Defense logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
6. Wait for the chassis to reboot and upgrade successfully:
a. Enter show firmware monitor under scope system to monitor the upgrade process.
b. After the upgrade process finishes, enter show slot under scope ssa to verify that the slots have come “Online.”
c. Enter show app-instance under scope ssa to verify that the applications have come “Online.”
7. You can now make the unit that you just upgraded the active unit as it was before the upgrade.
If you are upgrading a Firepower security appliance that is running standalone ASA logical devices or an ASA intra-chassis cluster, use the following procedure to update the FXOS version on your Firepower 9300 or Firepower 4100 series security appliance and to update the ASA version on your logical devices:
1. Download the FXOS 2.1(1) image to your local machine (see Software Download).
2. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
4. Upload the ASA CSP image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower Appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide.
5. Upgrade any ASA logical devices (standalone or intra-chassis cluster) using the ASA CSP image. For instructions, see the “Updating the Image Version for a Logical Device” topic in the Cisco Firepower Chassis Manager Configuration Guide.
Note: This process is only supported when upgrading from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97). If you are upgrading from FXOS 2.0(1.37)-2.0(1.86) to FXOS 2.1(1.64), see Upgrading an ASA Failover Pair.
1. Download the FXOS 2.1(1) image to your local machine (see Software Download).
2. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby ASA logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
3. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
c. Use the show app-instance command under scope ssa to verify that the applications have come “Online.”
4. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
5. After the upgrade process finishes, verify that the applications are online:
6. Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a. Connect to the ASA console on the Firepower security appliance that contains the standby ASA logical device.
d. Verify that the unit is active:
7. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby ASA logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
8. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
c. Use the show app-instance command under scope ssa to verify that the applications have come “Online.”
9. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
10. After the upgrade process finishes, verify that the applications are online:
11. Make the unit that you just upgraded the active unit as it was before the upgrade:
a. Connect to the ASA console on the Firepower security appliance that contains the new standby ASA logical device.
Note: This process is only supported when upgrading from FXOS 2.0(1.37)-2.0(1.86) to FXOS 2.1(1.64). If you are upgrading from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97), see Upgrading an ASA Failover Pair Using the Enhanced Zero Downtime Process.
1. Download the FXOS 2.1(1) image to your local machine (see Software Download).
2. Disable applications on the standby ASA logical device:
a. Connect to the FXOS CLI on the Firepower security appliance that contains the standby ASA logical device. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step d.
scope app-instance vdp
disable
exit
e. Verify that the applications are offline:
Note: It may take 2-5 minutes before all applications are “Offline,” as vDP begins stopping only after the security module reboots following the ASA stop. If any of the stop jobs fail, please repeat Steps b-d.
f. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, disable them and verify using Steps b-e.
3. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the standby ASA logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
4. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
5. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
6. After the upgrade process finishes, re-enable applications on the standby ASA logical device:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that the application has successfully completed upgrade and is now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
f. Verify that the applications are online:
g. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, enable them and verify using Steps a-f.
7. Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a. Connect to the ASA console on the Firepower security appliance that contains the standby ASA logical device.
b. Enable failover and make active:
d. Verify that the unit is active:
8. Disable applications on the new standby ASA logical device:
a. Connect to the FXOS CLI on the Firepower security appliance that contains the new standby ASA logical device. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step d.
scope app-instance vdp
disable
exit
e. Verify that the applications are offline:
Note: It may take 2-5 minutes before all applications are “Offline,” as vDP begins stopping only after the security module reboots following the ASA stop. If any of the stop jobs fail, please repeat Steps b-d.
f. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, disable them and verify using Steps b-e.
9. Upgrade the Firepower eXtensible Operating System bundle on the Firepower security appliance that contains the new standby ASA logical device:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide.
10. Wait for the chassis to reboot and upgrade successfully:
a. Use the show firmware monitor command under scope system to monitor the upgrade process.
b. After the upgrade process finishes, use the show slot command under scope ssa to verify that the slots have come “Online.”
11. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
e. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, upgrade them using Steps b-d.
12. After the upgrade process finishes, re-enable applications on the new standby ASA logical device:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that the application has successfully completed upgrade and is now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
f. Verify that the applications are online:
g. If there are multiple failover peers (with or without Radware DefensePro decorator) configured on the Firepower security appliance, enable them and verify using Steps a-f.
13. Make the unit that you just upgraded the active unit as it was before the upgrade:
a. Connect to the ASA console on the Firepower security appliance that contains the new standby ASA logical device.
b. Enable failover and make active:
Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process
Note: This process is only supported when upgrading from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97). If you are upgrading from FXOS 2.0(1.37)-2.0(1.86) to FXOS 2.1(1.64), see Upgrading an ASA Inter-chassis Cluster.
Pre-Upgrade Checklist
1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Verify that all installed security modules are online:
3. Verify that all installed security modules have the correct FXOS version and ASA version installed:
scope server 1/x
show version
scope ssa
show logical-device
4. Verify that the cluster operational state is “In-Cluster” for all security modules installed in the chassis:
5. Verify that all installed security modules are shown as part of the cluster:
connect module x console
show cluster info
6. Verify that the Primary unit is not on this chassis:
There should not be any ASA instance with Cluster Role set to “Master”.
Procedure
1. Download the FXOS 2.1(1) image to your local machine (see Software Download).
2. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Upgrade the Firepower eXtensible Operating System bundle on Chassis #2:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
4. Wait for the chassis to reboot and upgrade successfully (approximately 15-20 minutes):
a. Use the show firmware monitor command under scope system to monitor the upgrade process. Every component should show “Upgrade-Status: Ready.”
b. After the upgrade process finishes, verify that all installed security modules are online:
c. Verify that all ASA applications are currently online:
5. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
c. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
d. Repeat Steps b-c for all slots of the logical device installed on this security appliance.
6. After the upgrade process finishes, verify that the applications are online:
Verify that the operational state is “Online” for all ASA and vDP applications in the chassis.
Verify that the cluster operational state is “In-Cluster” for all ASA and vDP applications in the chassis.
Verify that the cluster role is “Slave” for all ASA applications in the chassis.
7. Set one of the security modules on Chassis #2 as Primary:
connect module x console
configure terminal
cluster master
After setting one of the security modules on Chassis #2 to Primary, Chassis #1 no longer contains the Primary unit and can now be upgraded.
8. Repeat the Pre-Upgrade Checklist and Steps 1-6 for Chassis #1.
9. If there are any additional chassis included in the cluster, repeat the Pre-Upgrade Checklist and Steps 1-6 for those chassis.
10. To return the Primary role to Chassis #1, set one of the security modules on Chassis #1 as Primary:
Upgrading an ASA Inter-chassis Cluster
Note: This process is only supported when upgrading from FXOS 2.0(1.37)-FXOS 2.0(1.86) to FXOS 2.1(1.64). If you are upgrading from FXOS 2.0(1.135) or later to FXOS 2.1(1.64) or from FXOS 2.1(1.64) or later to FXOS 2.1(1.97), see Upgrading an ASA Inter-chassis Cluster Using the Enhanced Zero Downtime Process.
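The version ranges in the support notes for the standard and Enhanced Zero Downtime processes can be checked mechanically before a maintenance window. The following Python sketch is an added example, not Cisco code: the names parse_version and supported_process are hypothetical, "or later" is assumed to mean a source build that is still older than the target, and any source/target pair the notes do not name returns None.

```python
import re
from typing import NamedTuple, Optional


class FxosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    build: int


# Both spellings used in these release notes: 2.1(1.64) and 2.1.1.64.
_VERSION_RE = re.compile(
    r"^\s*(?:FXOS\s+)?(\d+)\.(\d+)(?:\((\d+)\.(\d+)\)|\.(\d+)\.(\d+))\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> FxosVersion:
    """Parse a full FXOS build version; reject partial ones such as '2.1'."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not a full FXOS build version: {text!r}")
    maint = m.group(3) if m.group(3) is not None else m.group(5)
    build = m.group(4) if m.group(4) is not None else m.group(6)
    return FxosVersion(int(m.group(1)), int(m.group(2)), int(maint), int(build))


# (process, lowest source, highest source or None for "or later", target),
# transcribed from the support notes at the top of each upgrade procedure.
RULES = [
    ("standard", parse_version("2.0(1.37)"), parse_version("2.0(1.86)"),
     parse_version("2.1(1.64)")),
    ("enhanced", parse_version("2.0(1.135)"), None, parse_version("2.1(1.64)")),
    ("enhanced", parse_version("2.1(1.64)"), None, parse_version("2.1(1.97)")),
]


def supported_process(source: str, target: str) -> Optional[str]:
    """Return 'standard', 'enhanced', or None when the notes name no process."""
    src, dst = parse_version(source), parse_version(target)
    for process, low, high, rule_target in RULES:
        if dst != rule_target:
            continue
        # Assumption: an open-ended "or later" range stops below the target.
        upper_ok = src <= high if high is not None else src < dst
        if low <= src and upper_ok:
            return process
    return None


if __name__ == "__main__":
    # Constructed sample pairs, not taken from a real chassis.
    for pair in [("2.0(1.86)", "2.1(1.64)"), ("2.1.1.77", "2.1.1.97"),
                 ("2.0(1.100)", "2.1(1.64)")]:
        print(pair, "->", supported_process(*pair))
```

A None result means the pair falls outside every range the notes state, so neither procedure on this page should be assumed to apply.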
Pre-Upgrade Checklist
1. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
2. Verify that all installed security modules are online:
3. Verify that all installed security modules have the correct FXOS version and ASA version installed:
scope server 1/x
show version
scope ssa
show logical-device
4. Verify that the cluster operational state is “In-Cluster” for all security modules installed in the chassis:
5. Verify that all installed security modules are shown as part of the cluster:
connect module x console
show cluster info
6. Verify that the Primary unit is not on this chassis:
There should not be any ASA instance with Cluster Role set to “Master”.
Procedure
1. Download the FXOS 2.1(1) image to your local machine (see Software Download).
2. Connect to the FXOS CLI on Chassis #2 (this should be a chassis that does not have the Primary unit). For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
3. Turn off all applications on Chassis #2:
a. Turn off the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
disable
exit
b. If Radware DefensePro is configured as a decorator for this ASA application, disable it. If not, proceed to Step c.
scope app-instance vdp
disable
exit
c. Repeat Steps a-b for all slots of the logical device installed on this security appliance.
e. Verify that the applications are offline:
top (set the scope to the top level in the mode hierarchy)
scope ssa
show app-instance
Note: It may take 2-5 minutes before all applications are “Offline.” If any of the stop jobs fail, please repeat Steps a-d.
4. Upgrade the Firepower eXtensible Operating System bundle on Chassis #2:
a. Upload the FXOS 2.1(1) Platform Bundle image to your Firepower security appliance. For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Upgrade your Firepower security appliance using the FXOS 2.1(1) Platform Bundle image. For instructions, see the “Upgrading the Firepower eXtensible Operating System Platform Bundle” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
5. Wait for the chassis to reboot and upgrade successfully (approximately 15-20 minutes).
Use the show firmware monitor command under scope system to monitor the upgrade process. Every component should show “Upgrade-Status: Ready.”
6. Upgrade the ASA and vDP logical device images:
a. Upload the ASA CSP image to your Firepower security appliance. If Radware DefensePro (vDP) is configured as a decorator for this ASA application and there is an update available, upload the vDP CSP image too.
For instructions, see the “Uploading an Image to the Firepower appliance” topic in the Cisco Firepower Chassis Manager Configuration Guide (see Related Documentation).
b. Verify that all installed security modules are online:
c. Verify that all ASA applications are currently offline:
d. Upgrade your logical device image using the ASA CSP image:
top (set the scope to the top level in the mode hierarchy)
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
set startup-version <version>
exit
e. If Radware DefensePro is configured as a decorator for this ASA application, upgrade the vDP image:
scope app-instance vdp
set startup-version <version>
exit
f. Repeat Steps d-e for all slots of the logical device installed on this security appliance.
7. After the upgrade process finishes, re-enable applications on Chassis #2:
a. Use the show slot command under scope ssa to verify that every slot is “Online.”
b. Use the show app-instance command under scope ssa to verify that all the applications have successfully completed upgrade and are now “Offline.”
c. Turn on the ASA application:
scope ssa
scope slot x (where x is the slot ID on which the ASA logical device is configured)
scope app-instance asa
enable
exit
d. If Radware DefensePro is configured as a decorator for this ASA application, enable it. If not, proceed to Step e.
scope app-instance vdp
enable
exit
e. Repeat Steps c-d for all slots of the logical device installed on this security appliance.
ASA nodes will automatically rejoin the existing cluster after successful upgrade and re-enabling.
g. Verify that the applications are online:
Verify that the operational state is “Online” for all ASA and vDP applications in the chassis.
Verify that the cluster operational state is “In-Cluster” for all ASA and vDP applications in the chassis.
Verify that the cluster role is “Slave” for all ASA applications in the chassis.
8. Set one of the security modules on Chassis #2 as Primary:
connect module x console
configure terminal
cluster master
After setting one of the security modules on Chassis #2 to Primary, Chassis #1 no longer contains the Primary unit and can now be upgraded.
9. Repeat the Pre-Upgrade Checklist and Steps 1-7 for Chassis #1.
10. If there are any additional chassis included in the cluster, repeat the Pre-Upgrade Checklist and Steps 1-7 for those chassis.
11. To return the Primary role to Chassis #1, set one of the security modules on Chassis #1 as Primary:
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open bugs severity 3 and higher for Firepower eXtensible Operating System 2.1(1) are listed in the following table:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.116:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.115:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.113:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.107:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.106:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.97:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.86:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.85:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.83:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.77:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 2.1.1.73:
The following table lists the previously release-noted and customer-found defects that were resolved in Firepower eXtensible Operating System 2.1.1.64:
For additional information on the Firepower 9300 security appliance and the Firepower eXtensible Operating System, see Navigating the Cisco Firepower 9300 Documentation.
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.