Uninstall a Patch

You can uninstall most patches. If you need to return to an earlier major or maintenance release, you must reimage.

Uninstalling a patch returns you to the version you upgraded from, and does not change configurations. Because the FMC must run the same or newer version as its managed devices, uninstall patches from devices first. Uninstall is not supported for hotfixes.

Patches That Support Uninstall

Uninstalling specific patches can cause issues, even when the uninstall itself succeeds. These issues include:

  • Inability to deploy configuration changes after uninstall.

  • Incompatibilities between the operating system and the software.

  • FSIC (file system integrity check) failure when the appliance reboots, if you patched with security certifications compliance enabled (CC/UCAPL mode).


Caution

If security certifications compliance is enabled and the FSIC fails, the software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC.


Version 7.0 Patches That Support Uninstall

Uninstall is currently supported for all Version 7.0 patches.

Version 6.7 Patches That Support Uninstall

Uninstall is currently supported for all Version 6.7 patches.

Version 6.6 Patches That Support Uninstall

Uninstall is currently supported for all Version 6.6 patches.

Version 6.5 Patches That Support Uninstall

This table lists supported uninstall scenarios for Version 6.5 patches. Uninstalling returns you to the patch level you upgraded from. If uninstall will take you farther back than what is supported, we recommend you reimage and then upgrade to your desired patch level.

Table 1. Version 6.5.0 Patches That Support Uninstall

Current Version | Farthest Back You Should Uninstall
                | FTD/FTDv | ASA FirePOWER | NGIPSv      | FMC/FMCv
6.5.0.2+        | 6.5.0    | 6.5.0         | 6.5.0.1     | 6.5.0.1
6.5.0.1         | 6.5.0    | 6.5.0         | none listed | none listed

"none listed" means the table gives no farthest-back version for that platform. For NGIPSv and FMC/FMCv this follows from the 6.5.0.2+ row: 6.5.0.1 is already as far back as those platforms should go, so there is nothing supported to uninstall to.

Version 6.4 Patches That Support Uninstall

This table lists supported uninstall scenarios for Version 6.4 patches. Uninstalling returns you to the patch level you upgraded from. If uninstall will take you farther back than what is supported, we recommend you reimage and then upgrade to your desired patch level.

Table 2. Version 6.4.0 Patches That Support Uninstall

Current Version | Farthest Back You Should Uninstall
                | FTD/FTDv | Firepower 7000/8000 | ASA FirePOWER | NGIPSv  | FMC/FMCv
6.4.0.5+        | 6.4.0.4  | 6.4.0.4             | 6.4.0.4       | 6.4.0.4 | 6.4.0.4
6.4.0.3         | 6.4.0    | 6.4.0.2             | 6.4.0.2       | 6.4.0.2 | 6.4.0
6.4.0.1         | 6.4.0    | 6.4.0               | 6.4.0         | 6.4.0   | 6.4.0

Version 6.3 Patches That Support Uninstall

This table lists supported uninstall scenarios for Version 6.3 patches. Uninstalling returns you to the patch level you upgraded from. If uninstall will take you farther back than what is supported, we recommend you reimage and then upgrade to your desired patch level.

Table 3. Version 6.3.0 Patches That Support Uninstall

Current Version         | Farthest Back You Should Uninstall
6.3.0.5                 | none listed
6.3.0.1 through 6.3.0.4 | 6.3.0

"none listed" means the table gives no farthest-back version for that row.

Version 6.2.3 Patches That Support Uninstall

This table lists supported uninstall scenarios for Version 6.2.3 patches. Uninstalling returns you to the patch level you upgraded from. If uninstall will take you farther back than what is supported, we recommend you reimage and then upgrade to your desired patch level.

Table 4. Version 6.2.3 Patches That Support Uninstall

Current Version           | Farthest Back You Should Uninstall
                          | FTD/FTDv | Firepower 7000/8000 | ASA FirePOWER | NGIPSv   | FMC/FMCv
6.2.3.16+                 | 6.2.3.15 | 6.2.3.15            | 6.2.3.15      | 6.2.3.15 | 6.2.3.15
6.2.3.12 through 6.2.3.14 | 6.2.3    | 6.2.3.11            | 6.2.3.11      | 6.2.3.11 | 6.2.3
6.2.3.8 through 6.2.3.10  | 6.2.3    | 6.2.3.7             | 6.2.3.7       | 6.2.3.7  | 6.2.3
6.2.3.1 through 6.2.3.6   | 6.2.3    | 6.2.3               | 6.2.3         | 6.2.3    | 6.2.3

Version 6.2.2 Patches That Support Uninstall

This table lists supported uninstall scenarios for Version 6.2.2 patches. Uninstalling returns you to the immediately preceding patch, even if you upgraded from an earlier patch. If uninstall will take you farther back than what is supported, we recommend you reimage and then upgrade to your desired patch level.

Table 5. Version 6.2.2 Patches That Support Uninstall

Current Version         | Farthest Back You Should Uninstall
6.2.2.3 through 6.2.2.5 | 6.2.2.2
6.2.2.2                 | 6.2.2.1
6.2.2.1                 | 6.2.2

Uninstall Order for High Availability/Scalability

In high availability/scalability deployments, minimize disruption by uninstalling from one appliance at a time. Unlike upgrade, the system does not do this for you. Wait until the patch has fully uninstalled from one unit before you move on to the next.

Table 6. Uninstall Order for FMC High Availability

Configuration

Uninstall Order

FMC high availability

With synchronization paused, which is a state called split-brain, uninstall from peers one at a time. Do not make or deploy configuration changes while the pair is split-brain.

  1. Pause synchronization (enter split-brain).

  2. Uninstall from the standby.

  3. Uninstall from the active.

  4. Restart synchronization (exit split-brain).

Table 7. Uninstall Order for FTD High Availability and Clusters

Configuration

Uninstall Order

FTD high availability

You cannot uninstall a patch from devices configured for high availability. You must break high availability first.

  1. Break high availability.

  2. Uninstall from the former standby.

  3. Uninstall from the former active.

  4. Reestablish high availability.

FTD cluster

Uninstall from one unit at a time, leaving the control unit for last. Clustered units operate in maintenance mode while the patch uninstalls.

  1. Uninstall from the data units one at a time.

  2. Make one of the data units the new control unit.

  3. Uninstall from the former control unit.

Table 8. Uninstall Order for ASA with FirePOWER Services in ASA Failover Pairs/Clusters

Configuration

Uninstall Order

ASA active/standby failover pair, with ASA FirePOWER

Always uninstall from the standby.

  1. Uninstall from the ASA FirePOWER module on the standby ASA device.

  2. Fail over.

  3. Uninstall from the ASA FirePOWER module on the new standby ASA device.

ASA active/active failover pair, with ASA FirePOWER

Make both failover groups active on the unit you are not uninstalling.

  1. Make both failover groups active on the primary ASA device.

  2. Uninstall from the ASA FirePOWER module on the secondary ASA device.

  3. Make both failover groups active on the secondary ASA device.

  4. Uninstall from the ASA FirePOWER module on the primary ASA device.

ASA cluster, with ASA FirePOWER

Disable clustering on each unit before you uninstall. Uninstall from one unit at a time, leaving the control unit for last.

  1. On a data unit, disable clustering.

  2. Uninstall from the ASA FirePOWER module on that unit.

  3. Reenable clustering. Wait for the unit to rejoin the cluster.

  4. Repeat for each data unit.

  5. On the control unit, disable clustering. Wait for a new control unit to take over.

  6. Uninstall from the ASA FirePOWER module on the former control unit.

  7. Reenable clustering.

Uninstall Device Patches with FMC

Use the Linux shell (expert mode) to uninstall patches. You must have access to the device shell as the admin user for the device, or as another local user with CLI configuration access. You cannot use an FMC user account. If you disabled shell access, contact Cisco TAC to reverse the lockdown.


Caution

Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Procedure


Step 1

If the device's configurations are out of date, deploy now from the FMC.

Deploying before you uninstall reduces the chance of failure. Make sure the deployment and other essential tasks complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 2

Access the Firepower CLI on the device. Log in as admin or another CLI user with configuration access.

You can either SSH to the device's management interface (hostname or IP address) or use the console. If you use the console, some devices default to the operating system CLI and require an extra step to access the Firepower CLI, as listed in the following table.

Platform               | Command to reach the Firepower CLI from the console
Firepower 1000 series  | connect ftd
Firepower 2100 series  | connect ftd
Firepower 4100/9300    | connect module slot_number console, then connect ftd (first login only)
ASA FirePOWER          | session sfr

Step 3

Use the expert command to access the Linux shell.

Step 4

Verify the uninstall package is in the upgrade directory.

ls /var/sf/updates

Patch uninstallers are named like upgrade packages, but have Patch_Uninstaller instead of Patch in the file name. When you patch a device, the uninstaller for that patch is automatically created in the upgrade directory. If the uninstaller is not there, contact Cisco TAC.

Step 5

Run the uninstall command, entering your password when prompted.

sudo install_update.pl --detach /var/sf/updates/uninstaller_name

Caution

The system does not ask you to confirm. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready. Always use the --detach option: it keeps the uninstall running if your SSH session times out, which could otherwise kill the process mid-uninstall and leave the device in an unstable state.

Step 6

Monitor the uninstall until you are logged out.

For a detached uninstall, follow the status log with tail -f:
  • FTD: tail -f /ngfw/var/log/sf/update.status

  • ASA FirePOWER and NGIPSv: tail -f /var/log/sf/update.status

Otherwise, monitor progress in the console or terminal.
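The checks in Steps 4 and 5 are easy to get wrong by hand: an operator can run a stale uninstaller left over from an earlier patch, or start the reboot without --detach. The script below is an added example, not code from Cisco's documentation or software. It assumes (neither is stated on this page) that uninstallers are named like Cisco_FTD_Patch_Uninstaller-<version>-<build>.sh and that the running version is the SWVERSION= value in /etc/sf/ims.conf; the script name uninstall_preflight.sh is also an assumption. It refuses to proceed when no uninstaller, or more than one, matches the running version, and it only starts the uninstall when invoked with --run.

```shell
#!/bin/sh
# Added example; not code from Cisco's documentation or software.
# Pre-flight for a detached patch uninstall from the FTD Linux shell
# (expert mode). Assumptions not stated on the page: uninstallers are
# named <Prefix>_Patch_Uninstaller-<version>-<build>.sh, and the running
# version is the SWVERSION= value in /etc/sf/ims.conf.

UPDATES_DIR="${UPDATES_DIR:-/var/sf/updates}"
IMS_CONF="${IMS_CONF:-/etc/sf/ims.conf}"

# Print the running software version (for example 6.4.0.5).
running_version() {
    sed -n 's/^SWVERSION=//p' "$1" | head -n 1
}

# Print the one uninstaller in directory $1 for version $2.
# Fails with 1 if none exists (the page says: contact Cisco TAC) and
# with 2 if more than one build matches, so a stale file is never run.
find_uninstaller() {
    dir=$1
    ver=$2
    set -- "$dir"/*_Patch_Uninstaller-"$ver"-*.sh
    if [ ! -e "$1" ]; then
        echo "no uninstaller for $ver in $dir; contact Cisco TAC" >&2
        return 1
    fi
    if [ "$#" -ne 1 ]; then
        echo "$# uninstallers match $ver in $dir; remove the stale one first" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# Show what would run; start the uninstall only with an explicit --run,
# because install_update.pl asks for no confirmation and reboots the device.
main() {
    ver=$(running_version "$IMS_CONF")
    if [ -z "$ver" ]; then
        echo "cannot read SWVERSION from $IMS_CONF" >&2
        return 1
    fi
    pkg=$(find_uninstaller "$UPDATES_DIR" "$ver") || return $?
    echo "running version: $ver"
    echo "uninstaller:     $pkg"
    if [ "$1" = "--run" ]; then
        # --detach keeps the uninstall alive if this SSH session drops.
        sudo install_update.pl --detach "$pkg"
        echo "follow progress with: tail -f /ngfw/var/log/sf/update.status"
    else
        echo "dry run; add --run to start the uninstall (the device will reboot)"
    fi
}

# Run main only when executed as a script, not when sourced.
if [ "${0##*/}" = "uninstall_preflight.sh" ]; then
    main "$@"
fi
```

Run it once without arguments from expert mode to see which file it has chosen, compare that against the version shown on the FMC's Devices > Device Management page, and only then run it again with --run. Deleting a stale uninstaller is the safer fix for an ambiguity error; do not guess between builds.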

Step 7

Verify uninstall success.

After the uninstall completes, confirm that the devices have the correct software version. On the FMC, choose Devices > Device Management.

Step 8

In high availability/scalability deployments, repeat steps 2 through 6 for each unit.

For clusters, never uninstall from the control unit. After you uninstall from all the data units, make one of them the new control, then uninstall from the former control.

Step 9

Redeploy configurations.

Exception: Do not deploy to mixed-version high availability pairs or device clusters. Deploy before you uninstall from the first device, but not again until you have uninstalled the patch from all group members.


What to do next

  • For high availability, reestablish high availability.

  • For clusters, if you have preferred roles for specific devices, make those changes now.

Uninstall Standalone FMC Patches

We recommend you use the web interface to uninstall FMC patches. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the lockdown.


Caution

Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

  • If uninstalling will put the FMC at a lower patch level than its managed devices, uninstall patches from the devices first.

  • Make sure your deployment is healthy and successfully communicating.

Procedure


Step 1

Deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2

Choose System > Updates. Under Available Updates, click the Install icon next to the uninstall package, then choose the FMC.

Patch uninstallers are named like upgrade packages, but have Patch_Uninstaller instead of Patch in the file name. When you patch the FMC, the uninstaller for that patch is automatically created. If the uninstaller is not there, contact Cisco TAC.

Step 3

Click Install, then confirm that you want to uninstall and reboot.

You can monitor uninstall progress in the Message Center until you are logged out.

Step 4

Log back in when you can and verify uninstall success.

If the system does not notify you of the uninstall's success when you log in, choose Help > About to display current software version information.

Step 5

Redeploy configurations to all managed devices.


Uninstall High Availability FMC Patches

We recommend you use the web interface to uninstall FMC patches. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the lockdown.

Uninstall from high availability peers one at a time. With synchronization paused, first uninstall from the standby, then the active. When the standby starts the uninstall, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade and uninstall.


Caution

Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization. Do not make or deploy configuration changes during uninstall. Even if the system appears inactive, do not manually reboot, shut down, or restart an uninstall in progress. You could place the system in an unusable state and require a reimage. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.


Before you begin

  • If uninstalling will put the FMCs at a lower patch level than their managed devices, uninstall patches from the devices first.

  • Make sure your deployment is healthy and successfully communicating.

Procedure


Step 1

On the active FMC, deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2

On the active FMC, pause synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Pause Synchronization.

Step 3

Uninstall the patch from peers one at a time — first the standby, then the active.

Follow the instructions in Uninstall Standalone FMC Patches, but omit the initial deploy, stopping after you verify uninstall success on each peer. In summary, for each peer:

  1. On the System > Updates page, uninstall the patch.

  2. Monitor progress until you are logged out, then log back in when you can.

  3. Verify uninstall success.

Step 4

On the FMC you want to make the active peer, restart synchronization.

  1. Choose System > Integration.

  2. On the High Availability tab, click Make-Me-Active.

  3. Wait until synchronization restarts and the other FMC switches to standby mode.

Step 5

Redeploy configurations to all managed devices.