In Firepower Chassis Manager, choose System > Updates.

Upload the new FXOS platform bundle image and ASA software image::

1. Click Upload Image.

2. Click Choose File to navigate to and select the image that you want to upload.

3. Click Upload.

   The selected image is uploaded to the chassis.

After the new FXOS platform bundle image has successfully uploaded, click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

Click Yes to confirm that you want to proceed with installation.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Choose Logical Devices.

For each ASA logical device that you want to upgrade:

1. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

2. For the New Version, choose the software version to which you want to upgrade.

3. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

Connect to the FXOS CLI.

Download the new FXOS platform bundle image to the chassis:

1. Enter firmware mode:

   scope firmware

2. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

3. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   up

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

For each ASA logical device that you want to upgrade:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the new ASA software version:

   set startup-version version_number

Commit the configuration:

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

On the Firepower security appliance that contains the standby ASA logical device, upload the new FXOS platform bundle image and ASA software image:

1. In Firepower Chassis Manager, choose System > Updates.

   The Available Updates area shows a list of the packages available on the chassis.

2. Click Upload Image.

3. Click Choose File to navigate to and select the image that you want to upload.

4. Click Upload.

   The selected image is uploaded to the chassis.

After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the Firepower security appliance that contains the standby ASA logical device:

1. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

   The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

2. Click Yes to confirm that you want to proceed with installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Upgrade the ASA logical device image:

1. Choose Logical Devices to open the Logical Devices page.

   The Logical Devices page opens to show a list of configured logical devices on the chassis.

2. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

3. For the New Version, choose the software version to which you want to update.

4. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

1. Launch ASDM on the standby unit by connecting to the standby ASA IP address.

2. Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status, and clicking Make Active.

On the Firepower security appliance that contains the new standby ASA logical device, upload the new FXOS platform bundle image and ASA software image:

1. In Firepower Chassis Manager, choose System > Updates.

   The Available Updates area shows a list of the packages available on the chassis.

2. Click Upload Image.

3. Click Choose File to navigate to and select the image that you want to upload.

4. Click Upload.

   The selected image is uploaded to the chassis.

After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the Firepower security appliance that contains the new standby ASA logical device:

1. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

   The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

2. Click Yes to confirm that you want to proceed with installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Upgrade the ASA logical device image:

1. Choose Logical Devices.

   The Logical Devices page opens to shows a list of configured logical devices on the chassis. If no logical devices have been configured, a message stating so is shown instead.

2. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

3. For the New Version, choose the software version to which you want to update.

4. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

(Optional) Make the unit that you just upgraded the active unit as it was before the upgrade:

1. Launch ASDM on the standby unit by connecting to the standby ASA IP address.

2. Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status, and clicking Make Active.

On the Firepower security appliance that contains the standby ASA logical device, download the new FXOS platform bundle image:

1. Connect to the FXOS CLI.

2. Enter firmware mode:

   scope firmware

3. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

4. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   up

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Upgrade the ASA logical device image:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the version you want to update:

   set startup-version version_number

5. Commit the configuration:

   commit-buffer

   Commits the transaction to the system configuration. The application image is updated and the application restarts.

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:

1. On the Firepower security appliance that contains the standby ASA logical device, connect to the module CLI using a console connection or a Telnet connection.

   connect module slot_number { console | telnet}

   To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

   Example:

   
   Firepower# connect module 1 console
   Telnet escape character is '~'.
   Trying 127.5.1.1...
   Connected to 127.5.1.1.
   Escape character is '~'.
   
   CISCO Serial Over LAN:
   Close Network Connection to Exit
   
   Firepower-module1> 
   
   

2. Connect to the application console.

   connect asa

   Example:

   
   Firepower-module1> connect asa
   Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
   [...]
   asa>
   
   

3. Make this unit active:

   failover active

4. Save the configuration:

   write memory

5. Verify that the unit is active:

   show failover

Exit the application console to the FXOS module CLI.

Return to the supervisor level of the FXOS CLI.

1. Enter ~

   You exit to the Telnet application.

2. To exit the Telnet application, enter:

   telnet>quit

1. Enter Ctrl-], .

On the Firepower security appliance that contains the new standby ASA logical device, download the new FXOS platform bundle image:

1. Connect to the FXOS CLI.

2. Enter firmware mode:

   scope firmware

3. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

4. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   up

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Upgrade the ASA logical device image:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the version you want to update:

   set startup-version version_number

5. Commit the configuration:

   commit-buffer

   Commits the transaction to the system configuration. The application image is updated and the application restarts.

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

(Optional) Make the unit that you just upgraded the active unit as it was before the upgrade:

1. On the Firepower security appliance that contains the standby ASA logical device, connect to the module CLI using a console connection or a Telnet connection.

   connect module slot_number { console | telnet}

   To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

   Example:

   
   Firepower# connect module 1 console
   Telnet escape character is '~'.
   Trying 127.5.1.1...
   Connected to 127.5.1.1.
   Escape character is '~'.
   
   CISCO Serial Over LAN:
   Close Network Connection to Exit
   
   Firepower-module1> 
   
   

2. Connect to the application console.

   connect asa

   Example:

   
   Firepower-module1> connect asa
   Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
   [...]
   asa>
   
   

3. Make this unit active:

   failover active

4. Save the configuration:

   write memory

5. Verify that the unit is active:

   show failover

Make both failover groups active on the primary unit.

1. Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the management address in failover group 1.

2. Choose Monitoring > Failover > Failover Group 2, and click Make Active.

3. Stay connected to ASDM on this unit for later steps.

On the Firepower security appliance that contains the secondary ASA logical device, upload the new FXOS platform bundle image and ASA software image:

1. Connect to the Firepower Chassis Manager on the secondary unit.

2. Choose System > Updates.

   The Available Updates area shows a list of the packages available on the chassis.

3. Click Upload Image.

4. Click Choose File to navigate to and select the image that you want to upload.

5. Click Upload.

   The selected image is uploaded to the chassis.

After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the Firepower security appliance that contains the secondary ASA logical device:

1. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

   The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

2. Click Yes to confirm that you want to proceed with installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Upgrade the ASA logical device image:

1. Choose Logical Devices.

   The Logical Devices page opens to show a list of configured logical devices on the chassis.

2. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

3. For the New Version, choose the software version to which you want to update.

4. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

Make both failover groups active on the secondary unit.

1. Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the management address in failover group 1.

2. Choose Monitoring > Failover > Failover Group 1, and click Make Standby.

3. Choose Monitoring > Failover > Failover Group 2, and click Make Standby.

On the Firepower security appliance that contains the primary ASA logical device, upload the new FXOS platform bundle image and ASA software image:

1. Connect to the Firepower Chassis Manager on the primary unit.

2. Choose System > Updates.

   The Available Updates area shows a list of the packages available on the chassis.

3. Click Upload Image to open the Upload Image dialog box.

4. Click Choose File to navigate to and select the image that you want to upload.

5. Click Upload.

   The selected package is uploaded to the chassis.

6. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.

After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the Firepower security appliance that contains the primary ASA logical device:

1. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

   The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

2. Click Yes to confirm that you want to proceed with installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Upgrade the ASA logical device image:

1. Choose Logical Devices.

   The Logical Devices page opens to show a list of configured logical devices on the chassis.

2. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

3. For the New Version, choose the software version to which you want to update.

4. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover > Failover Group # pane.

Connect to the FXOS CLI on the secondary unit, either the console port (preferred) or using SSH.

Make both failover groups active on the primary unit.

1. Connect to the module CLI using a console connection or a Telnet connection.

   connect module slot_number { console | telnet}

   To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

   Example:

   
   Firepower# connect module 1 console
   Telnet escape character is '~'.
   Trying 127.5.1.1...
   Connected to 127.5.1.1.
   Escape character is '~'.
   
   CISCO Serial Over LAN:
   Close Network Connection to Exit
   
   Firepower-module1> 
   
   

2. Connect to the application console.

   connect asa

   Example:

   
   Firepower-module1> connect asa
   Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
   [...]
   asa>
   
   

3. Make both failover groups active on the primary unit.

   enable

   The enable password is blank by default.

   no failover active group 1

   no failover active group 2

   Example:

   asa> enable
   Password: <blank>
   asa# no failover active group 1
   asa# no failover active group 2
   
   

Exit the application console to the FXOS module CLI.

Return to the supervisor level of the FXOS CLI.

1. Enter ~

   You exit to the Telnet application.

2. To exit the Telnet application, enter:

   telnet>quit

1. Enter Ctrl-], .

On the Firepower security appliance that contains the secondary ASA logical device, download the new FXOS platform bundle image and ASA software image:

1. Connect to the FXOS CLI.

2. Enter firmware mode:

   scope firmware

3. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

4. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   top

   scope firmware

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Upgrade the ASA logical device image:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the version you want to update:

   set startup-version version_number

5. Commit the configuration:

   commit-buffer

   Commits the transaction to the system configuration. The application image is updated and the application restarts.

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

Make both failover groups active on the secondary unit.

1. Connect to the module CLI using a console connection or a Telnet connection.

   connect module slot_number { console | telnet}

   To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

   Example:

   
   Firepower# connect module 1 console
   Telnet escape character is '~'.
   Trying 127.5.1.1...
   Connected to 127.5.1.1.
   Escape character is '~'.
   
   CISCO Serial Over LAN:
   Close Network Connection to Exit
   
   Firepower-module1> 
   
   

2. Connect to the application console.

   connect asa

   Example:

   
   Firepower-module1> connect asa
   Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
   [...]
   asa>
   
   

3. Make both failover groups active on the secondary unit.

   enable

   The enable password is blank by default.

   failover active group 1

   failover active group 2

   Example:

   asa> enable
   Password: <blank>
   asa# failover active group 1
   asa# failover active group 2
   
   

Exit the application console to the FXOS module CLI.

Return to the supervisor level of the FXOS CLI.

1. Enter ~

   You exit to the Telnet application.

2. To exit the Telnet application, enter:

   telnet>quit

1. Enter Ctrl-], .

On the Firepower security appliance that contains the primary ASA logical device, download the new FXOS platform bundle image and ASA software image:

1. Connect to the FXOS CLI.

2. Enter firmware mode:

   scope firmware

3. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

4. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   up

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Upgrade the ASA logical device image:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the version you want to update:

   set startup-version version_number

5. Commit the configuration:

   commit-buffer

   Commits the transaction to the system configuration. The application image is updated and the application restarts.

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover > Failover Group # pane.

Determine which chassis has the control unit. You will upgrade this chassis last:

1. Connect to Firepower Chassis Manager.

2. Choose Logical Devices.

3. Click the plus sign (+) to see the attributes for the security modules included in the cluster.

4. Verify that the control unit is on this chassis. There should be an ASA instance with CLUSTER-ROLE set to "Master".

Connect to Firepower Chassis Manager on a chassis in the cluster that does not have the control unit.

Upload the new FXOS platform bundle image and ASA software image:

1. In Firepower Chassis Manager, choose System > Updates.

   The Available Updates area shows a list of the packages available on the chassis.

2. Click Upload Image.

3. Click Choose File to navigate to and select the image that you want to upload.

4. Click Upload.

   The selected image is uploaded to the chassis.

5. Wait for the images to successfully upload before continuing.

(FXOS 2.4.1 or earlier) Disable each app-instance for all security modules on the chassis:

1. Choose Logical Devices.

2. Click the Disable slider for each application to disable each app-instance included in the cluster.

   The Cluster Operational Status changes to not-in-cluster.

Upgrade the FXOS bundle:

1. Choose System > Updates.

2. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

   The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

3. Click Yes to confirm that you want to proceed with installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Upgrade the ASA logical device image on each security module:

1. Choose Logical Devices.

   The Logical Devices page opens to show a list of configured logical devices on the chassis.

2. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box.

3. For the New Version, choose the software version to which you want to update.

4. Click OK.

After the upgrade process finishes, verify that the applications are online and have upgraded successfully:

1. Choose Logical Devices.

2. Verify the application version and operational status.

(FXOS 2.4.1 or earlier) Re-enable clustering for all security modules on the chassis:

1. Choose Logical Devices.

2. Click the Enable switch for each security module included in the cluster.

   The Cluster Operational Status changes to in-cluster.

Repeat steps 2-10 for all remaining chassis in the cluster that do not have the control unit.

After all chassis in the cluster that do not have the control unit have been upgraded, repeat steps 2-10 on the chassis with the control unit, being sure to disable clustering on the data units first, and then finally the control unit.

For distributed VPN clustering mode, after the cluster has stabilized you can redistribute active sessions among all modules in the cluster using the ASA console on the control unit.

Determine which chassis has the control unit. You will upgrade this chassis last:

1. Connect to the FXOS CLI.

2. Verify that the control unit is on this chassis. There should be an ASA instance with Cluster Role set to “Master”:

   scope ssa

   show app-instance

Connect to the FXOS CLI on a chassis in the cluster that does not have the control unit.

Disable each app-instance for all security modules on the chassis. For each of the ASA application(s) on the chassis, perform the following steps:

1. Scope to the ASA application instance on a given slot:

   scope slot slot_number

   scope app-instance asa

   Note	To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

2. Disable the ASA application:

   disable

3. Commit the configuration:

   commit-buffer

Download the new FXOS platform bundle image to the chassis:

1. Enter firmware mode:

   scope firmware

2. Download the FXOS platform bundle software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/ path/ image_name

   • scp://username@server/ path/ image_name

   • sftp://username@server/ path/ image_name

   • tftp://server: port-num/ path/ image_name

3. To monitor the download process:

   scope download-task image_name

   show detail

Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Return to the supervisor level of the FXOS CLI.

1. Enter ~

   You exit to the Telnet application.

2. To exit the Telnet application, enter:

   telnet>quit

1. Enter Ctrl-], .

Upgrade the FXOS bundle:

1. If necessary, return to firmware mode:

   top

   scope firmware

2. Make note of the version number for the FXOS platform bundle you are installing:

   show package

3. Enter auto-install mode:

   scope auto-install

4. Install the FXOS platform bundle:

   install platform platform-vers version_number

   version_number is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58).

5. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.

   Enter yes to confirm that you want to proceed with verification.

6. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.

   FXOS unpacks the bundle and upgrades/reloads the components.

7. To monitor the upgrade process, see Monitor the Upgrade Progress.

After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).

Download the new ASA software image to the chassis:

1. Enter Security Services mode:

   top

   scope ssa

2. Enter Application Software mode:

   scope app-software

3. Download the logical device software image:

   download image URL

   Specify the URL for the file being imported using one of the following syntax:

   • ftp://username@server/path

   • scp://username@server/path

   • sftp://username@server/path

   • tftp://server:port-num/path

4. To monitor the download process:

   show download-task

5. To view the downloaded applications:

   up

   show app

   Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step.

Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Upgrade the ASA logical device image:

1. Enter Security Services mode:

   top

   scope ssa

2. Set the scope to the security module you are updating:

   scope slotslot_number

3. Set the scope to the ASA application:

   For FXOS 2.3.1 and earlier: scope app-instance asa

   For FXOS 2.4.1 and later: scope app-instance asa instance_name

4. Set the Startup version to the version you want to update:

   set startup-version version_number

5. Commit the configuration:

   commit-buffer

   Commits the transaction to the system configuration. The application image is updated and the application restarts.

To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

After the upgraded security module come online, re-enable clustering for all security modules on the chassis:

1. Connect to the module CLI using a console connection or a Telnet connection.

   connect module slot_number { console | telnet}

   To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

   Example:

   
   Firepower# connect module 1 console
   Telnet escape character is '~'.
   Trying 127.5.1.1...
   Connected to 127.5.1.1.
   Escape character is '~'.
   
   CISCO Serial Over LAN:
   Close Network Connection to Exit
   
   Firepower-module1> 
   
   

2. Connect to the application console.

   connect asa

   Example:

   
   Firepower-module1> connect asa
   Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
   [...]
   asa>
   
   

3. Disable clustering on one of the security modules:

   cluster group name

   enable

   write memory

4. Repeat step 12 for each security module on this chassis.

Exit the application console to the FXOS module CLI.

Return to the supervisor level of the FXOS CLI.

1. Enter ~

   You exit to the Telnet application.

2. To exit the Telnet application, enter:

   telnet>quit

1. Enter Ctrl-], .

Repeat steps 2-14 for all remaining chassis in the cluster that do not have the control unit.

After all chassis in the cluster that do not have the control unit have been upgraded, repeat steps 2-14 on the chassis with the control unit, being sure to disable clustering on the data units first, and then finally the control unit.

For distributed VPN clustering mode, after the cluster has stabilized you can redistribute active sessions among all modules in the cluster using the ASA console on the control unit.