Introduction
This document describes a specific upgrade failure scenario seen on Firepower Threat Defense (FTD) when the upgrade procedure is not properly followed. It also covers the proposed solution.
Problem
An attempt to perform an upgrade results in the Update Install failed error.
Analysis
In the FTD Troubleshoot file, under this path ('x' characters will vary), there is a file named status.log:
results-xx-xx-xxxx--xxxxxx\dir-archives\var-log\sf\Cisco_FTD_SSP_Upgrade-6.x.x
The file contains the transcript of the upgrade:
state:running
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_update.sh...
ui:[ 1%] Running script 000_start/100_start_messages.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_sync.pl...
ui:[ 5%] Running script 000_start/107_version_check.sh...
ui:[ 7%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[10%] Running script 000_start/125_verify_bundle.sh...
ui:[12%] Running script 000_start/400_run_troubleshoot.sh...
ui:[13%] Running script 200_pre/001_check_reg.pl...
ui:[14%] Running script 200_pre/002_check_mounts.sh...
ui:[14%] Running script 200_pre/003_check_health.sh...
ui:[15%] Running script 200_pre/006_check_snort.sh...
ui:[15%] Fatal error: Error running script 200_pre/006_check_snort.sh <-- the problem
Additionally, under this path there is a file named 006_check_snort.sh.log, which further describes the reason for the failure:
results-xx-xx-xxxx--xxxxxx\dir-archives\var-log\sf\Cisco_FTD_SSP_Upgrade-6.x.x\200_pre
In this case, the file contains these messages:
Entering 200_pre/006_check_snort.sh...
Snort build is too old.
Please apply AC Policy from FMC before attempting upgrade.
There are a few reasons why this error can occur:
- Your Firepower Management Center was updated; however, the sensor that attempts to upgrade has not yet had a new policy deployment pushed out to it.
- Your Firepower Management Center has updated its Snort Rule Update (SRU); however, the sensor that attempts to upgrade has not yet had a new policy deployment pushed out to it.
In either situation the resolution is the same.
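The two lookups described above (the fatal line in status.log, then the log of the script it names) can be scripted. This is an added example, not Cisco tooling: it assumes the upgrade directory has already been extracted from the troubleshoot file, and the function names and the sample tree are constructed for illustration from the log lines quoted on this page.

```python
import re
import tempfile
from pathlib import Path

# Matches the line status.log records when an upgrade script aborts.
FATAL_RE = re.compile(r"^ui:\[\s*(\d+)%\]\s*Fatal error: Error running script (\S+)")


def find_failed_script(status_text):
    """Return (percent, script) for the first fatal error, or None if there is none."""
    for line in status_text.splitlines():
        m = FATAL_RE.match(line.strip())
        if m:
            return int(m.group(1)), m.group(2)
    return None


def diagnose(upgrade_dir):
    """Read status.log, then the failed script's own log (<script>.log)."""
    upgrade_dir = Path(upgrade_dir)
    hit = find_failed_script((upgrade_dir / "status.log").read_text(errors="replace"))
    if hit is None:
        return None
    percent, script = hit
    script_log = upgrade_dir / (script + ".log")
    reason = []
    if script_log.is_file():
        # Skip the "Entering ..." banner; the remaining lines state the reason.
        reason = [l.strip() for l in script_log.read_text(errors="replace").splitlines()
                  if l.strip() and not l.startswith("Entering ")]
    return {"percent": percent, "script": script, "reason": reason}


def build_sample(root):
    """Constructed sample tree using the log lines quoted on this page."""
    d = Path(root) / "Cisco_FTD_SSP_Upgrade-6.x.x"
    (d / "200_pre").mkdir(parents=True)
    (d / "status.log").write_text(
        "state:running\nui:Upgrade has begun.\n"
        "ui:[15%] Running script 200_pre/006_check_snort.sh...\n"
        "ui:[15%] Fatal error: Error running script 200_pre/006_check_snort.sh\n")
    (d / "200_pre" / "006_check_snort.sh.log").write_text(
        "Entering 200_pre/006_check_snort.sh...\nSnort build is too old.\n"
        "Please apply AC Policy from FMC before attempting upgrade.\n")
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(diagnose(build_sample(tmp)))
```

A result whose reason contains "Snort build is too old." confirms the scenario covered in this document.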
Solution
Once you have verified that the device encounters this issue, simply deploy a policy to the affected device in order to resolve the error. From Firepower Management Center, check the box next to the device to be upgraded and click Deploy.
Once this is performed, proceed with your upgrade.