Upgrade Management Center

Upgrade the Management Center: Standalone

Use this procedure to upgrade a standalone management center. As you proceed, the system displays basic information about the upgrade, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade.

Upgrade does not start until you complete the upgrade wizard and click Upgrade. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages and running readiness checks. For information on traffic handling during the first post-upgrade deploy (which typically restarts Snort), see Traffic Flow and Inspection when Deploying Configurations.


Caution


Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot, shut down, or restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Before you begin

Make sure you are ready to upgrade:

Procedure


Step 1

On the management center, choose System (system gear icon) > Product Upgrades.

Step 2

Get the upgrade package.

The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want.

For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, select Management Center.

The management center upgrade wizard appears. Compatibility and other quick prechecks are automatic. For example, the system alerts you immediately if you need to deploy configurations.

Step 4

Click Next to run readiness checks.

Click Run Readiness Checks. Do not manually reboot or shut down during readiness checks. For the management center, passing readiness checks is not optional. If you fail readiness checks, you cannot upgrade.

Step 5

Click Next and reconfirm you are ready to upgrade.

We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks.

Step 6

Click Upgrade, then confirm that you want to upgrade and reboot.

You can monitor progress in the Message Center until you are logged out.

Step 7

Log back in when you can.

  • Major and maintenance upgrades: You can log in before the upgrade is completed. The system displays a page you can use to monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out again when the upgrade is completed and the system reboots. After the reboot, log back in again.

  • Patches and hotfixes: You can log in after the upgrade and reboot are completed.

Step 8

Verify upgrade success.

If the system does not notify you of the upgrade's success when you log in, choose Help (help icon) > About to display current software version information.

Step 9

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

Although the upgrade often updates these components, there could be newer ones available. If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 10

Complete any required post-upgrade configuration changes.

Step 11

Redeploy configurations to all managed devices.


Upgrade the Management Center: High Availability

Use this procedure to upgrade high availability management centers. As you proceed, the system displays basic information about the upgrade, as well as the current upgrade-related status.

First, upgrade the standby. In most cases the system automatically pauses synchronization; however, some hotfixes do not require it. When that upgrade completes and the standby comes back up, you can upgrade the active. For major and maintenance upgrades, synchronization automatically resumes post-upgrade, with the peers in their original roles. For patches and hotfixes, you must manually resume synchronization (unless the system never paused it).


Note


Best practice is to avoid making or deploying changes while synchronization is paused, although changes made from the active peer while (or after) the standby upgrades will be synchronized later. If you urgently need to make changes or deploy from the standby while the active is upgrading, you can break high availability and use the standby as a standalone management center. You may also be able to switch roles, but this can be blocked depending on upgrade progress on the active. Note that if you switch roles mid-upgrade, the original active peer will also be active when it comes back up, leaving you in a split-brain state, which is not supported for general operations. In either case, you must manually resume high availability, making sure to choose the old standby (the management center where you deployed) as the new active. Otherwise, your changes will be lost.


Upgrade does not start until you complete the upgrade wizard and click Upgrade. All steps up to that point can be performed outside of a maintenance window, including downloading upgrade packages and running readiness checks. For information on traffic handling during the first post-upgrade deploy (which typically restarts Snort), see Traffic Flow and Inspection when Deploying Configurations.


Caution


Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot, shut down, or restart an upgrade in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.


Before you begin

Make sure you are ready to upgrade:

Procedure


Prepare to upgrade.

Step 1

On the standby peer, choose System (system gear icon) > Product Upgrades.

Step 2

Get the upgrade package.

The Product Upgrades page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. In most cases, you can just click Download next to the upgrade package or version you want. If the remote peer has internet access, the package will download there as well.

For more information, see Managing Upgrade Packages with the Management Center and Troubleshooting Upgrade Packages.

Step 3

Launch the upgrade wizard.

Click Upgrade next to the target version. If you are given a drop-down menu, select Management Center.

The management center upgrade wizard appears. Compatibility and other quick prechecks automatically run on both peers. For example, the system alerts you immediately if you need to deploy configurations. You are also given a chance to fix common upgrade issues, such as:

  • If the remote peer does not have the upgrade package yet, you can retry the download or sync the file.

  • If you do not have enough disk space to run the upgrade, a Clean Up Disk Space option deletes old upgrade, VDB, and SRU/LSP packages, as well as old configuration data and log files.

Step 4

Click Next to run readiness checks.

Click Run Readiness Checks. Running checks on one peer automatically runs them on the other. Do not manually run readiness checks on both peers at the same time. Do not manually reboot or shut down during readiness checks. For the management center, passing readiness checks is not optional. If you fail readiness checks, you cannot upgrade.

Step 5

Click Next and reconfirm you are ready to upgrade.

We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks.

Upgrade the standby, then the active.

Step 6

On the standby peer, click Upgrade, then confirm that you want to upgrade and reboot.

Synchronization pauses if necessary, and the upgrade begins. You can monitor progress in the Message Center until you are logged out.

Step 7

Log back in when you can.

  • Major and maintenance upgrades: You can log in before the upgrade is completed. The system displays a page you can use to monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out again when the upgrade is completed and the system reboots. After the reboot, log back in again.

  • Patches and hotfixes: You can log in after the upgrade and reboot are completed.

Step 8

Verify upgrade success.

If the system does not notify you of the upgrade's success when you log in, choose Help (help icon) > About to display current software version information.

Step 9

Repeat the previous steps on the active peer.

The upgrade package should already be there, and all checks should have passed. You can quickly click through those tasks.

Resume synchronization if necessary, and complete post-upgrade tasks.

Step 10

On the active peer (the one you just upgraded), verify or resume high availability synchronization.

Remember that for major and maintenance upgrades, synchronization should automatically resume. For patches and hotfixes, you must manually resume (unless the system never paused it).

  1. Choose Integration > Other Integrations.

  2. On the High Availability tab, if necessary, click Resume Synchronization.

Step 11

Update intrusion rules (SRU/LSP) and the vulnerability database (VDB).

Although the upgrade often updates these components, there could be newer ones available. If the component available on the Cisco Support & Download site is newer than the version currently running, install the newer version. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will do that later.

Step 12

Complete any required post-upgrade configuration changes.

Step 13

Redeploy configurations to all managed devices.