Revert or Uninstall the Software

If an upgrade succeeds but the system does not function to your expectations, you may be able to return to the previous version:

  • Revert is for major and maintenance upgrades to FTD with FDM.

  • Uninstall is for patches in FMC and ASDM deployments.

If neither of these methods will work for you and you still need to return to an earlier version, you must reimage. Note that neither revert nor uninstall is supported for hotfixes. For failed upgrades, see Unresponsive Upgrades.

Uninstall a Patch in FMC and ASDM Deployments

Uninstalling a patch returns you to the version you upgraded from, and does not change configurations. Because the FMC must run the same or newer version as its managed devices, uninstall patches from devices first.

Patches That Support Uninstall

Uninstalling specific patches can cause issues, even when the uninstall itself succeeds. These issues include:

  • Inability to deploy configuration changes after uninstall.

  • Incompatibilities between the operating system and the software.

  • FSIC (file system integrity check) failure when the appliance reboots, if you patched with security certifications compliance enabled (CC/UCAPL mode).


Caution

If security certifications compliance is enabled and the FSIC fails, the software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC.


Version 7.0 Patches That Support Uninstall

Uninstall is currently supported for all Version 7.0 patches.

Uninstall Order for High Availability/Scalability

In high availability/scalability deployments, minimize disruption by uninstalling from one appliance at a time. Unlike upgrade, the system does not do this for you. Wait until the patch has fully uninstalled from one unit before you move on to the next.

Table 1. Uninstall Order for FMC High Availability

Configuration: FMC high availability

Uninstall Order: With synchronization paused, which is a state called split-brain, uninstall from peers one at a time. Do not make or deploy configuration changes while the pair is split-brain.

  1. Pause synchronization (enter split-brain).

  2. Uninstall from the standby.

  3. Uninstall from the active.

  4. Restart synchronization (exit split-brain).

Table 2. Uninstall Order for FTD High Availability and Clusters

Configuration: FTD high availability

Uninstall Order: You cannot uninstall a patch from devices configured for high availability. You must break high availability first.

  1. Break high availability.

  2. Uninstall from the former standby.

  3. Uninstall from the former active.

  4. Reestablish high availability.

Configuration: FTD cluster

Uninstall Order: Uninstall from one unit at a time, leaving the control unit for last. Clustered units operate in maintenance mode while the patch uninstalls.

  1. Uninstall from the data modules one at a time.

  2. Make one of the data modules the new control module.

  3. Uninstall from the former control.

Table 3. Uninstall Order for ASA with FirePOWER Services in ASA Failover Pairs/Clusters

Configuration: ASA active/standby failover pair, with ASA FirePOWER

Uninstall Order: Always uninstall from the standby.

  1. Uninstall from the ASA FirePOWER module on the standby ASA device.

  2. Fail over.

  3. Uninstall from the ASA FirePOWER module on the new standby ASA device.

Configuration: ASA active/active failover pair, with ASA FirePOWER

Uninstall Order: Make both failover groups active on the unit you are not uninstalling.

  1. Make both failover groups active on the primary ASA device.

  2. Uninstall from the ASA FirePOWER module on the secondary ASA device.

  3. Make both failover groups active on the secondary ASA device.

  4. Uninstall from the ASA FirePOWER module on the primary ASA device.

Configuration: ASA cluster, with ASA FirePOWER

Uninstall Order: Disable clustering on each unit before you uninstall. Uninstall from one unit at a time, leaving the control unit for last.

  1. On a data unit, disable clustering.

  2. Uninstall from the ASA FirePOWER module on that unit.

  3. Reenable clustering. Wait for the unit to rejoin the cluster.

  4. Repeat for each data unit.

  5. On the control unit, disable clustering. Wait for a new control unit to take over.

  6. Uninstall from the ASA FirePOWER module on the former control unit.

  7. Reenable clustering.

Uninstall Standalone FMC Patches

We recommend you use the web interface to uninstall FMC patches. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the lockdown.


Caution

Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

  • If uninstalling will put the FMC at a lower patch level than its managed devices, uninstall patches from the devices first.

  • Make sure your deployment is healthy and successfully communicating.

Procedure


Step 1

Deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2

Under Available Updates, click the Install icon next to the uninstall package, then choose the FMC.

Patch uninstallers are named like upgrade packages, but have Patch_Uninstaller instead of Patch in the file name. When you patch the FMC, the uninstaller for that patch is automatically created. If the uninstaller is not there, contact Cisco TAC.

Step 3

Click Install, then confirm that you want to uninstall and reboot.

You can monitor uninstall progress in the Message Center until you are logged out.

Step 4

Log back in when you can and verify uninstall success.

If the system does not notify you of the uninstall's success when you log in, choose Help > About to display current software version information.

Step 5

Redeploy configurations to all managed devices.


Uninstall High Availability FMC Patches

We recommend you use the web interface to uninstall FMC patches. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the lockdown.

Uninstall from high availability peers one at a time. With synchronization paused, first uninstall from the standby, then the active. When the standby starts the uninstall, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade and uninstall.


Caution

Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization. Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

  • If uninstalling will put the FMCs at a lower patch level than their managed devices, uninstall patches from the devices first.

  • Make sure your deployment is healthy and successfully communicating.

Procedure


Step 1

On the active FMC, deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2

On the active FMC, pause synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Pause Synchronization.

Step 3

Uninstall the patch from peers one at a time — first the standby, then the active.

Follow the instructions in Uninstall Standalone FMC Patches, but omit the initial deploy, stopping after you verify uninstall success on each peer. In summary, for each peer:

  1. On the System > Updates page, uninstall the patch.

  2. Monitor progress until you are logged out, then log back in when you can.

  3. Verify uninstall success.

Step 4

On the FMC you want to make the active peer, restart synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Make-Me-Active.

  3. Wait until synchronization restarts and the other FMC switches to standby mode.

Step 5

Redeploy configurations to all managed devices.


Uninstall Device Patches with FMC

Use the Linux shell (expert mode) to uninstall device patches. You must have access to the device shell as the admin user for the device, or as another local user with CLI configuration access. You cannot use an FMC user account. If you disabled shell access, contact Cisco TAC to reverse the lockdown.


Caution

Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

  • Break FTD high availability pairs. In other high availability/scalability deployments, make sure you are uninstalling from the correct device; see Uninstall Order for High Availability/Scalability.

  • Make sure your deployment is healthy and successfully communicating.

Procedure


Step 1

If the device's configurations are out of date, deploy now from the FMC.

Deploying before you uninstall reduces the chance of failure. Make sure the deployment and other essential tasks are completed. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Exception: Do not deploy to mixed-version clusters or high availability pairs. In a high availability/scalability deployment, deploy before you uninstall from the first unit, but then not again until you have uninstalled the patch from all units.

Step 2

Access the Firepower CLI on the device. Log in as admin or another CLI user with configuration access.

You can either SSH to the device's management interface (hostname or IP address) or use the console. If you use the console, some devices default to the operating system CLI, and require an extra step to access the Firepower CLI.

Firepower 1000 series: connect ftd

Firepower 2100 series: connect ftd

Firepower 4100/9300: connect module slot_number console, then connect ftd (first login only)

ASA FirePOWER: session sfr

Step 3

Use the expert command to access the Linux shell.

Step 4

Verify the uninstall package is in the upgrade directory.

ls /var/sf/updates

Patch uninstallers are named like upgrade packages, but have Patch_Uninstaller instead of Patch in the file name. When you patch a device, the uninstaller for that patch is automatically created in the upgrade directory. If the uninstaller is not there, contact Cisco TAC.

Step 5

Run the uninstall command, entering your password when prompted.

sudo install_update.pl --detach /var/sf/updates/uninstaller_name

Caution

The system does not ask you to confirm. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready. Note that using the --detach option ensures the uninstall process is not killed if your SSH session times out; a killed uninstall can leave the device in an unstable state.

Step 6

Monitor the uninstall until you are logged out.

For a detached uninstall, use tail or tailf to display logs:

  • FTD: tail /ngfw/var/log/sf/update.status

  • ASA FirePOWER and NGIPSv: tail /var/log/sf/update.status

Otherwise, monitor progress in the console or terminal.

Step 7

Verify uninstall success.

After the uninstall completes, confirm that the device has the correct software version. On the FMC, choose Devices > Device Management.

Step 8

Redeploy configurations.

Exception: Do not deploy to mixed-version clusters or high availability pairs. Deploy only after you repeat this procedure for all units.


What to do next

In high availability/scalability deployments, repeat this procedure for each unit in your planned sequence. Then, make any final adjustments. For example:

  • For FTD high availability, reestablish high availability.

  • For FTD clusters, if you have preferred roles for specific devices, make those changes now.

Uninstall ASA FirePOWER Patches with ASDM

Use the Linux shell (expert mode) to uninstall device patches. You must have access to the device shell as the admin user for the device, or as another local user with CLI configuration access. If you disabled shell access, contact Cisco TAC to reverse the lockdown.


Caution

Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

Procedure


Step 1

If the device's configurations are out of date, deploy now from ASDM.

Deploying before you uninstall reduces the chance of failure. Make sure the deployment and other essential tasks are completed. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 2

Access the Firepower CLI on the ASA FirePOWER module. Log in as admin or another Firepower CLI user with configuration access.

You can either SSH to the module's management interface (hostname or IP address) or use the console. Note that the console port defaults to the ASA CLI and you must use the session sfr command to access the Firepower CLI.

Step 3

Use the expert command to access the Linux shell.

Step 4

Verify the uninstall package is in the upgrade directory.

ls /var/sf/updates

Patch uninstallers are named like upgrade packages, but have Patch_Uninstaller instead of Patch in the file name. When you patch a device, the uninstaller for that patch is automatically created in the upgrade directory. If the uninstaller is not there, contact Cisco TAC.

Step 5

Run the uninstall command, entering your password when prompted.

sudo install_update.pl --detach /var/sf/updates/uninstaller_name

Caution

The system does not ask you to confirm. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready. Note that using the --detach option ensures the uninstall process is not killed if your SSH session times out; a killed uninstall can leave the device in an unstable state.

Step 6

Monitor the uninstall until you are logged out.

For a detached uninstall, use tail or tailf to display logs:

tail /ngfw/var/log/sf/update.status

Otherwise, monitor progress in the console or terminal.

Step 7

Verify uninstall success.

After the uninstall completes, confirm that the module has the correct software version. Choose Configuration > ASA FirePOWER Configurations > Device Management > Device.

Step 8

Redeploy configurations.
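A pre-flight helper for Steps 4 and 5 of this procedure and of Uninstall Device Patches with FMC above. It is added here as an illustration and is not Cisco's code or part of the product: it assumes only what the steps state (the /var/sf/updates upgrade directory, the Patch_Uninstaller naming, and the install_update.pl --detach command) and prints the command to paste rather than running it, because the system gives no confirmation prompt once the uninstall starts.

```shell
#!/bin/bash
# Added pre-flight helper (not Cisco's code). Run in expert mode before Step 5.
# Assumes the layout the procedure describes: the uninstaller sits in
# /var/sf/updates and is named like the upgrade package but with
# Patch_Uninstaller where the upgrade package has Patch.

# Print the path of the single Patch_Uninstaller package in a directory.
# Fails with status 1 when none exists and status 2 when more than one does,
# so the caller never guesses which patch is being removed.
select_uninstaller() {
    local dir="$1" found="" count=0 f
    for f in "$dir"/*Patch_Uninstaller*; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
        found="$f"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no Patch_Uninstaller package in $dir; contact Cisco TAC" >&2
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "$count uninstaller packages in $dir; pass the one you mean explicitly" >&2
        return 2
    fi
    printf '%s\n' "$found"
}

# True only for an uninstaller: a plain Patch upgrade package must never be
# handed to the uninstall command by mistake (the names differ by one token).
is_uninstaller() {
    case "${1##*/}" in
        *Patch_Uninstaller*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# The exact Step 5 command line, always with --detach so that an SSH timeout
# cannot kill the uninstall part-way through.
uninstall_command() {
    printf 'sudo install_update.pl --detach %s\n' "$1"
}

# Dry run: validate the package (auto-selected from the directory, or given
# explicitly as the second argument) and print the command to paste.
preflight() {
    local dir="${1:-/var/sf/updates}" pkg="$2"
    if [ -z "$pkg" ]; then
        pkg="$(select_uninstaller "$dir")" || return $?
    elif ! is_uninstaller "$pkg"; then
        echo "refusing $pkg: not a Patch_Uninstaller package" >&2; return 3
    fi
    echo "Device will reboot and traffic will be interrupted. Command to run:" >&2
    uninstall_command "$pkg"
}
```

Usage from expert mode: preflight /var/sf/updates, then paste the printed command once you are ready for the reboot.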


What to do next

In ASA failover/cluster deployments, repeat this procedure for each unit in your planned sequence.