Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

upgrade IDSM2 from 4.1(5)S225 to 5,1 using application partition

can i upgrade an IDSM2 (WS-SVC-IDSM2-BUN)in a 6513 from 4.1(5)S225 to 5.1 by copying the 5.1 application partition to the sensor

[from the cisco userguide]

Chapter 10 Configuring the Sensor Using the CLI

Reimaging Appliances and Modules

Reimaging the IDSM-2

This section contains the following topics:

• Catalyst Software, page 10-124

• Cisco IOS Software, page 10-126

Catalyst Software

To reimage the application partition, follow these steps:

Step 1 Obtain the application partition file from Software Center on Cisco.com and copy

it to an FTP server.

Step 2 Log in to the switch CLI.

Step 3 Boot the IDSM-2 to the maintenance partition:

cat6k> (enable) reset module_number cf:1

Step 4 Log in to the maintenance partition CLI:

login: guest

Password: cisco

Step 5 Reimage the application partition:

guest@hostname.localdomain# upgrade ftp://user@ftp server IP/directory

path/image file

Step 6 Specify the FTP server password.

After the application partition file has been downloaded, you are asked if you

want to proceed:

Upgrading will wipe out the contents on the hard disk. Do you want to

proceed installing it [y|n]:

Step 7 Type y to continue.

When the application partition file has been installed, you are returned to the

maintenance partition CLI.

Step 8 Exit the maintenance partition CLI and return to the switch CLI.

Step 9 Reboot the IDSM-2 to the application partition:

cat6k> (enable) reset module_number hdd:1

Step 10 When the IDSM-2 has rebooted, check the software version.

Step 11 Log in to the application partition CLI and initialize the IDSM-2.

See Initializing the Sensor, page 10-2, for the procedure.

IF NOT, THEN IS THERE A SHORT CUT FROM 4.1 to 5.1 ?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Bronze

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

I was in the middle of editing my response when this came in, check again. There is the issue of "does the maint. partition need upgrading?" and I specified the patches and sig level to apply afterwards.

Cisco Employee

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

Just wanted to clarify some things.

As Scott has already confirmed you can re-image using the method described and following Scott's advice on what additional updates to install.

BUT understand that any configuration you have your 4.1 sensor will be lost during that method of re-imaging to 5.1.

Another alternative is to first upgrade from 4.1(5)S225 to 5.0(1), and then to upgrade to 5.1(1).

The upgrade to 5.0(1) will convert the 4.1 configuration into a compatible 5.0 format.

I saw another post you made implying that you had to downgrade back to 4.1(5)S189 to do the 5.0(1) upgrade. This is not the case. You can upgrade directly from your current 4.1(5)S225 to 5.0(1).

You can install the IPS-K9-maj-5.0-1-S149.rpm.pkg file directly on your current 4.1(5)S225 sensor.

When S225 was installed on your 4.1(5) sensor, it also placed in storage the corresponding S225 update for your 5.0 sensor.

So when IPS-K9-maj-5.0-1-S149.rpm.pkg is installed on the sensor it will detect that stored off S225 for 5.0 and install it at the same time.

So once installed you will be immediately at 5.0(1)S225.

Once at 5.0(1)S225, then you can upgrade directly to 5.1(1) using the IPS-K9-min-5.1-1d.pkg upgrade.

(NOTE: 5.1-1d file was created to fix some upgrade bugs, but still installs the same 5.1(1) files as the original 5.1(1) upgrade package).

So you will wind up at 5.1(1)S225.

Now at this point I would recommend installing at least one later signature update (S226 or higher in your case) BEFORE installing the 5.1(1p1) patch.

And AFTER the signature update, then install the 5.1(1p1) Engineering Patch (contact the TAC for this patch).

Because of this specific upgrade path, the best way to avoid some issues is to install at least one signature update before installing the 5.1(1p1) patch. The signature update helps to ensure the sensor is ready for the 5.1(1p1) upgrade. Some of the files needed for the 5.1(1p1) upgrade have been seen to not get carried forward properly in the upgrade from 5.0(1) to 5.1(1), but a signature update corrects those issues.

NOTE: This precaution of installing the signature update BEFORE the 5.1(1p1) is only needed when upgrading from 5.0(1) to 5.1(1). If imaging directly to 5.1(1) using the maintenance partition, then the 5.1(1p1) can be installed before a signature update without an issue.

Once 5.1(1p1) is up and running and monitoring packets and generating alarms, then additional signature updates can be installed afterwards.

5 REPLIES
Community Member

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

So if there is no short cut, then I should re-image the application partition to 4.1 s189 and then start the documented process of upgrading to 5.1 by going to 5.0 and applying a sigupdate and then upgrading to 5.1 ?

Bronze

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

The short answer, Yes you can do what you propose.

I believe the application image you are looking for would be: WS-SVC-IDSM2-K9-sys-1.1-a-5.1-1.bin.gz

You may have to upgrade the maint. partition too. I don't keep up with the maint. partition, so check the readme's online.

After you recover the app partition to 5.1, apply the 5.1(1p1) patch, then apply a signature update S227 or greater and you should be completely updated.

Community Member

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

scothrel, is there an issue with this proposed upgrade path? you said the short answer...i feel there is more to the answer you gave....

gprice

Bronze

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

I was in the middle of editing my response when this came in, check again. There is the issue of "does the maint. partition need upgrading?" and I specified the patches and sig level to apply afterwards.

Cisco Employee

Re: upgrade IDSM2 from 4.1(5)S225 to 5,1 using application parti

Just wanted to clarify some things.

As Scott has already confirmed you can re-image using the method described and following Scott's advice on what additional updates to install.

BUT understand that any configuration you have your 4.1 sensor will be lost during that method of re-imaging to 5.1.

Another alternative is to first upgrade from 4.1(5)S225 to 5.0(1), and then to upgrade to 5.1(1).

The upgrade to 5.0(1) will convert the 4.1 configuration into a compatible 5.0 format.

I saw another post you made implying that you had to downgrade back to 4.1(5)S189 to do the 5.0(1) upgrade. This is not the case. You can upgrade directly from your current 4.1(5)S225 to 5.0(1).

You can install the IPS-K9-maj-5.0-1-S149.rpm.pkg file directly on your current 4.1(5)S225 sensor.

When S225 was installed on your 4.1(5) sensor, it also placed in storage the corresponding S225 update for your 5.0 sensor.

So when IPS-K9-maj-5.0-1-S149.rpm.pkg is installed on the sensor it will detect that stored off S225 for 5.0 and install it at the same time.

So once installed you will be immediately at 5.0(1)S225.

Once at 5.0(1)S225, then you can upgrade directly to 5.1(1) using the IPS-K9-min-5.1-1d.pkg upgrade.

(NOTE: 5.1-1d file was created to fix some upgrade bugs, but still installs the same 5.1(1) files as the original 5.1(1) upgrade package).

So you will wind up at 5.1(1)S225.

Now at this point I would recommend installing at least one later signature update (S226 or higher in your case) BEFORE installing the 5.1(1p1) patch.

And AFTER the signature update, then install the 5.1(1p1) Engineering Patch (contact the TAC for this patch).

Because of this specific upgrade path, the best way to avoid some issues is to install at least one signature update before installing the 5.1(1p1) patch. The signature update helps to ensure the sensor is ready for the 5.1(1p1) upgrade. Some of the files needed for the 5.1(1p1) upgrade have been seen to not get carried forward properly in the upgrade from 5.0(1) to 5.1(1), but a signature update corrects those issues.

NOTE: This precaution of installing the signature update BEFORE the 5.1(1p1) is only needed when upgrading from 5.0(1) to 5.1(1). If imaging directly to 5.1(1) using the maintenance partition, then the 5.1(1p1) can be installed before a signature update without an issue.

Once 5.1(1p1) is up and running and monitoring packets and generating alarms, then additional signature updates can be installed afterwards.

197
Views
4
Helpful
5
Replies
CreatePlease to create content