You must uninstall updates locally. You cannot use a Firepower Management Center to uninstall the update from a managed device.
To monitor the uninstallation process, access the device through the shell, navigate to the /var/log/sf/<uninstaller file name folder> directory, and run the tail -f main_upgrade_script.log shell command. Once the uninstallation process is complete, the system writes an upgrade completed message to main_upgrade_script.log.
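The guide has you watch the log by hand with tail -f. The following shell function is an added example, not part of the Cisco guide, that polls the same log and returns a distinct exit code for "completed", "timed out" and "log never appeared", so a change window script can branch on the result instead of an operator watching the terminal. It assumes the log path the guide gives and assumes the completion line contains the text "upgrade completed" (matched case-insensitively); confirm that against your own log before relying on it. The sample log it writes is constructed for the dry run and is not real Firepower output.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): poll an uninstaller log for the
# completion marker instead of watching `tail -f` interactively.
# Assumptions: the log lives at
#   /var/log/sf/<uninstaller file name folder>/main_upgrade_script.log
# as the guide states, and the completion line contains "upgrade completed"
# (case-insensitive). Verify the exact wording on your own appliance.

# wait_for_uninstall_complete LOGFILE [TIMEOUT_SECONDS]
# Exit codes: 0 = completion marker seen, 1 = timed out while the log exists,
#             2 = timed out and the log file never appeared.
wait_for_uninstall_complete() {
    log="$1"
    timeout="${2:-3600}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # grep -q exits 0 on the first match; -i ignores case.
        if [ -f "$log" ] && grep -qi 'upgrade completed' "$log"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    if [ -f "$log" ]; then
        return 1
    fi
    return 2
}

# Constructed sample log for a stand-alone dry run (not real Firepower output).
SAMPLE_LOG="${TMPDIR:-/tmp}/main_upgrade_script.sample.$$.log"
printf '%s\n' \
    'Starting uninstall of update' \
    'Stopping services' \
    'Restoring previous version' \
    'upgrade completed' > "$SAMPLE_LOG"

# Real usage on the device would be, for example:
#   wait_for_uninstall_complete /var/log/sf/<uninstaller folder>/main_upgrade_script.log 3600
if wait_for_uninstall_complete "$SAMPLE_LOG" 5; then
    echo "uninstall completed (marker found in $SAMPLE_LOG)"
else
    echo "uninstall did not complete within the timeout"
fi
rm -f "$SAMPLE_LOG"
```

On a real appliance, run the function against the actual log path and treat a non-zero exit as a reason to stop and inspect the log rather than to proceed to the next device; the guide's note for high availability pairs (do not retry or change the peer, contact Cisco TAC) applies here as well.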
Order of Uninstallation
Uninstall the update in the reverse order that you installed it. That is, first uninstall the update from managed devices,
then from Firepower Management Centers.
Uninstall the Update from Firepower Threat Defense Devices in High Availability
Firepower Threat Defense devices in high availability pairs must run the same Firepower version.
You cannot uninstall the update from Firepower Threat Defense devices while they are in high availability. Before you uninstall, you must break the high availability pair. Uninstall the update from each device independently, then reform the high availability pair.
Uninstall the Update from Clustered Firepower Threat Defense Devices
Verify that the Firepower Threat Defense devices within the cluster are healthy and operating normally. Determine which member of the cluster is the master and which members are slaves. Uninstall the update from each slave unit one at a time, and then uninstall the update from the master unit, to avoid dropping traffic. While a slave unit uninstalls, the other slave units and the master unit continue to process traffic. While the master unit uninstalls, one of the slave units becomes the master and continues to process traffic. Once the uninstall completes on the master unit, the temporary master unit returns to the slave state and the cluster reforms.
Uninstall the Update from Clustered 7000 and 8000 Series Devices
Clustered devices must run the same Firepower version. Although the uninstallation process triggers an automatic failover,
appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates
as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations
in immediate succession.
To ensure continuity of operations, uninstall the update from clustered devices one at a time. First, uninstall the update from the secondary appliance. While the secondary appliance uninstalls, the active appliance continues to forward traffic to the Firepower Management Center. Wait until the uninstallation process is complete, then immediately uninstall the update from the active appliance. While the active appliance uninstalls, the secondary appliance temporarily becomes active and continues to forward traffic to the Firepower Management Center. Once the uninstall completes, the secondary appliance returns and the appliances reform the cluster.
Uninstall the Update from Stacked Devices
All devices in a stack must run the same Firepower version. Uninstalling the update from any of the stacked devices causes
the devices in that stack to enter a limited, mixed-version state.
To minimize impact on your deployment, we recommend you uninstall an update from stacked devices simultaneously. The stack
resumes normal operation when the uninstallation completes on all devices in the stack.
Uninstall the Update from Devices Deployed Inline
Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled.
Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link
state. See Preupdate Configuration and Event Backups for more information.
Uninstall the Update from Firepower Management Centers in High Availability
Firepower Management Centers in high availability pairs must run the same Firepower version. Although the uninstallation process triggers an automatic
failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall
updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the
uninstallations in immediate succession.
To ensure continuity of operations, uninstall the update from paired Firepower Management Centers one at a time. First, pause high availability synchronization and uninstall the update from the secondary Firepower Management
Center. Wait until the uninstallation process is complete, then immediately uninstall the update from the primary Firepower
Management Center. Once the primary Firepower Management Center uninstallation completes, resume high availability synchronization.
At this point, both Firepower Management Centers exist in split brain. Click Make Me Active for the Firepower Management Center you want to act as the primary. The Firepower Management Center you do not make active
automatically switches to standby mode. Communication between the Firepower Management Center pairs automatically restarts.
Note: If the uninstallation process on Firepower Management Centers in a high availability pair fails, do not restart the uninstall or change configurations on its peer. Instead, contact Cisco TAC.
After the Uninstall
After you uninstall the update, there are several steps you should take to ensure that your deployment is performing properly.
These include verifying that the uninstall succeeded and that all appliances in your deployment are communicating successfully.
For devices that run both Firepower software and an ASA Firepower or FXOS version, such as devices running Firepower Threat Defense or ASA Firepower Services, confirm that the uninstall removed both the Firepower version and the ASA or FXOS version.
Clustered, stacked, or paired devices reform after the uninstall. Verify the cluster, stack, or paired devices experience
healthy activity and communication before deploying any new policies.
The next sections include detailed instructions not only on performing the uninstallation, but also on completing any post-update
steps. Make sure you complete all of the listed tasks.