Manually Upgrading a Cisco SFR Module

Manually upgrading an SFR module requires SSH access to the SFR module, an SCP/SFTP server, and the upgrade file from cisco.com.

1.) Gain root access to the module.

SSH to the SFR module’s IP address and log in with the administrative credentials. Once you are given a prompt, use the “expert” command to enter a bash prompt, then use “sudo su -” to become root.

> expert
admin@clientSFR:~$ sudo su -
Password:
Last login: Wed Oct 2 02:42:29 UTC 2019 on pts/0
root@clientSFR:~#

2.) Download the upgrade file to /var/sf/updates.

Now that you have root access, you will need to download the patch to the SFR module. To do this, I used an SCP server running on my desktop. A decent SCP/SFTP server that I use is the free “Solarwinds SFTP & SCP Server.” Once you have the server up and running with the files available, you can use the scp command to download the file to the SFR module. Once downloaded, generate an MD5 or SHA512 checksum of the file and compare it with the one provided on Cisco’s download site to verify that the file contents are correct. (The upgrade depicted in the example is version 6.2.3.10.)

root@clientSFR:~# scp justin@172.16.1.254:/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar /var/sf/updates/
The authenticity of host '172.16.1.254 (172.16.1.254)' can't be established.
RSA key fingerprint is SHA256:<Server's Fingerprint Not Shown>
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.254' (RSA) to the list of known hosts.
justin@172.16.1.254's password:
Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL  10%   51MB 603.6KB/s   12:04 ETA
Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL  30%  145MB 586.4KB/s   09:41 ETA

<!-- LINES OMITTED -->

root@clientSFR:~# md5sum /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
05ac75426c12b80c03885ff7733c15db  /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
root@clientSFR:~# sha512sum /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
12e40937a90e8a826615b1a7e95913277045449695efe981e0c125f1ec35d6a3ad8a7c8f1bbf9e78bbc73afa8938cf11ddece5f8b302472500cd4dcc78c2e97d  /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
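
The comparison in step 2 can be made a hard gate instead of a visual check. The following is an added example, not part of the original post: the function name verify_update is hypothetical, and the expected value must be copied from Cisco's download page. It uses SHA-512 because MD5 is no longer collision-resistant.

```shell
#!/usr/bin/env bash
# verify_update FILE EXPECTED_SHA512   (hypothetical helper, added example)
# Returns 0 only when FILE's SHA-512 equals EXPECTED_SHA512 (hex, any case).
# Returns 1 on mismatch, 2 on unusable input.
verify_update() {
    local file expected actual
    file=$1
    expected=$2
    if [ ! -r "$file" ]; then
        echo "verify_update: cannot read $file" >&2
        return 2
    fi
    # Normalise the pasted value: strip whitespace, lower-case the hex digits.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*)
            echo "verify_update: expected value is not hex" >&2
            return 2 ;;
    esac
    # A SHA-512 digest is exactly 128 hex characters; reject truncated pastes.
    if [ "${#expected}" -ne 128 ]; then
        echo "verify_update: expected value is not 128 hex characters" >&2
        return 2
    fi
    actual=$(sha512sum -- "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage on the module, so the installer only runs after a match:
#   f=/var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
#   verify_update "$f" "<SHA512 from cisco.com>" && install_update.pl "$f"
```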

3.) Start the upgrade process.

Everything is now ready for upgrading.  The file is located on the SFR module and has been verified against corruption.  To start the upgrade, the “install_update.pl” script is used.

root@clientSFR:~# install_update.pl /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar
ARGV[0] = /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar

install_update.pl begins. bundle_filepath: /var/sf/updates/Cisco_Network_Sensor_Patch-6.2.3.10-59.sh.REL.tar

Verifying archive integrity... All good.

Uncompressing Cisco Network Sensor Patch / Wed Feb  6 14:41:31 UTC 2019.....
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
..........
[190522 14:07:48:925] MAIN_UPGRADE_SCRIPT_START
[190522 14:07:49:249] #####################################
[190522 14:07:49:253] # UPGRADE  STARTING 
[190522 14:07:49:258] #####################################
[190522 14:07:49:395] BEGIN  000_start/000_check_sign_type.sh
[190522 14:07:51:594] END 000_start/000_check_sign_type.sh
[190522 14:07:51:666] BEGIN  000_start/000_check_update.sh
[190522 14:07:52:876] END 000_start/000_check_update.sh
[190522 14:07:52:954] BEGIN  000_start/100_start_messages.sh
[190522 14:07:54:843] END 000_start/100_start_messages.sh

<!-- LINES OMITTED -->
<!-- THIS GOES ON FOR AWHILE. -->

NOTE: Monitoring the upgrade.

The upgrade can take a while to complete. If you’re like me, you’ll need to step away from the screen from time to time. When you come back, you will find that your SSH session has timed out. Luckily, once the upgrade script starts, it creates a directory structure that contains a status.log file. The upgrade script pipes the output to this file, so the upgrade can be monitored using this file. In the output below, I used the tailf command to constantly output updates. Keep in mind the below upgrade was for 6.2.3.10, so the directory structure depicts this.

root@clientSFR:/# tailf /var/log/sf/Cisco_Network_Sensor_Patch-6.2.3.10/status.log
ui:[92%] Running script 999_finish/988_reconfigure_model.sh...
ui:[92%] Running script 999_finish/989_flip_mbr.sh...
ui:[93%] Running script 999_finish/989_update_ngfw_conf_aquila.sh...
ui:[94%] Running script 999_finish/989_update_ngfw_conf_aquila_ssp.sh...
ui:[94%] Running script 999_finish/990_restart_bird_after_reboot.pl...
ui:[95%] Running script 999_finish/999_disable_upgrade_ui.sh...
ui:[95%] Running script 999_finish/999_enable_syncd.sh...
ui:[96%] Running script 999_finish/999_leave_maintenance_mode.pl...
ui:[97%] Running script 999_finish/999_p_Stop_Sybase.sh...
ui:[97%] Running script 999_finish/999_rm_old_var.sh...
ui:[98%] Running script 999_finish/999_y_must_be_next_to_last_to_generate_integrity_data.sh...
ui:[98%] Running script 999_finish/999_z_complete_upgrade_message.sh...
ui:[98%] Upgrade complete
ui:[99%] Running script 999_finish/999_z_must_remain_last_finalize_boot.sh...
ui:[99%] Running script 999_finish/999_zz_install_bundle.sh...
ui:[100%] The system will now reboot.
ui:System will now reboot.
ui:[100%] Installation completed successfully.
ui:Upgrade has completed.
state:finished
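
When reconnecting after a dropped session, a one-shot summary of status.log is often more useful than tailing it. The following is an added example, not part of the original post: the function names upgrade_status and upgrade_finished are hypothetical, and the parser assumes only the `ui:[NN%]` and `state:` line shapes visible in the output above.

```shell
#!/usr/bin/env bash
# upgrade_status LOGFILE   (hypothetical helper, added example)
# Prints "<state> <percent> <last progress message>" for a status.log.
# Assumption: a log without a "state:" line means the upgrade is still
# running, which is reported here as "in-progress".
upgrade_status() {
    awk '
        /^ui:\[[0-9]+%\]/ {
            # Keep the most recent percentage and its message text.
            pct = $0; sub(/^ui:\[/, "", pct); sub(/%\].*/, "", pct)
            msg = $0; sub(/^ui:\[[0-9]+%\] */, "", msg)
        }
        /^state:/ { state = substr($0, 7) }
        END {
            if (pct == "")   pct = 0
            if (state == "") state = "in-progress"
            printf "%s %d %s\n", state, pct, msg
        }
    ' "$1"
}

# upgrade_finished LOGFILE
# Returns 0 once the log carries the "state:finished" line shown above.
upgrade_finished() {
    [ "$(upgrade_status "$1" | cut -d' ' -f1)" = "finished" ]
}

# Usage after reconnecting to the module:
#   upgrade_status /var/log/sf/Cisco_Network_Sensor_Patch-6.2.3.10/status.log
```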

Original — https://justinhulsman.wordpress.com/2019/10/02/firepower-network-sensor-upgrade-failed/
