Upgrade the Secure Firewall 3100/4200 Chassis
Use this procedure to upgrade the chassis on the Secure Firewall 3100/4200 in multi-instance mode. As you proceed, the system displays basic information about your selected chassis, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a chassis does not "pass" a stage, it does not appear in the next stage.
If you navigate away from the upgrade wizard, your progress is preserved and other users cannot start a new upgrade workflow for any chassis you have already selected. (Exception: if you are logged in with a CAC, your progress is cleared 24 hours after you log out.) To return to your workflow, choose .
Upgrade does not start until you complete the wizard and click Start Upgrade. All steps up to that point can be performed outside of a maintenance window, including copying upgrade packages and choosing upgrade options.
![]() Caution |
Do not deploy configuration changes during upgrade. Even if the system appears inactive, do not manually reboot or shut down. Do not restart an upgrade in progress. You could place the system in an unusable state and require a reimage. The system may reboot multiple times during the upgrade. This is expected behavior. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC. |
Before you begin
Make sure you are ready to upgrade:
-
Determine if you can run the target version: Compatibility
-
Plan the upgrade path: Upgrade Path
-
Review upgrade guidelines: Upgrade Guidelines
-
Check infrastructure and network: Network and Infrastructure Checks
-
Check configurations, tasks, and overall deployment health: Configuration and Deployment Checks
-
Perform backups: Backups
Procedure
Step 1 |
On the management center, choose System ( The Product Upgrades page provides an upgrade-centered overview of your deployment—how many devices you have, when they were last upgraded, whether there is an upgrade in progress, and so on. The system lists upgrades that apply to you, with suggested releases specially marked (requires internet access on the management center). |
||
Step 2 |
(Optional) Get upgrade packages onto the management center, or put them on an internal server. Skip this step if your devices have internet access and can get upgrade packages directly from the internet. For other options, see Managing Upgrade Packages with the Management Center. |
||
Step 3 |
Launch the upgrade wizard. Click Upgrade next to the target version. If you are given a drop-down menu, choose Chassis. The chassis upgrade wizard appears. It has two panes: Device Selection on the left, and Device Details on the right. Click a device link in the Device Selection pane (such as '4 devices') to show the Device Details for those chassis. Your target version is pre-selected in the Upgrade to menu. The system determines which chassis can be upgraded to that version and displays them in the Device Details pane. The Device Selection pane also displays the FXOS and firmware versions contained in the upgrade package. |
||
Step 4 |
Select chassis to upgrade. In the Device Details pane, select the devices you want to upgrade and click Add to Selection. You can use the device links on the Device Selection pane to toggle the Device Details pane between selected chassis, remaining upgrade candidates, ineligible chassis (with reasons why), chassis that need the upgrade package, and so on. You can add and remove chassis from your selection, or click Reset to clear your selection and start over. Note that you do not have to remove ineligible chassis; they are automatically excluded from upgrade. |
||
Step 5 |
(Optional) Remove unneeded upgrade packages from your selected chassis. You must manually manage chassis upgrade packages. Right now is a good time to clean up.
|
||
Step 6 |
Copy upgrade packages. Click Copy Upgrade Package and wait for the transfer to complete. Where the package comes from depends on your deployment and previous configurations. For more information, see Copying Upgrade Packages to Devices. |
||
Step 7 |
Click Next to choose upgrade options.
|
||
Step 8 |
Reconfirm you are ready to upgrade. We recommend revisiting the configuration and deployment health checks you performed earlier: Configuration and Deployment Checks. |
||
Step 9 |
Click Start Upgrade and confirm your choice. For information on traffic handling during the upgrade, see Traffic Flow and Inspection for Chassis Upgrades. |
||
Step 10 |
Monitor the upgrade. The wizard shows your overall upgrade progress. For more information, see Monitor Device Upgrades. |
||
Step 11 |
Verify success. After the upgrade completes, verify success on . |
||
Step 12 |
(Optional) Examine configuration changes. Before you upgrade threat defense, you may want to review the changes made by the chassis upgrade:
|
||
Step 13 |
(Optional) In high availability deployments, examine device roles. Depending on how you performed the upgrade, high availability instances may have switched roles. Keeping in mind that any subsequent threat defense upgrade will also switch device roles, make any desired changes. |
What to do next
-
(Optional) Clear the wizard by clicking Clear Upgrade Information. Until you do this, the page continues to display details about the upgrade you just performed. After you clear the wizard, use the Upgrade tab on the Device Management page to see last-upgrade information, and the Advanced Deploy screens to see configuration changes.
-
Back up again: Backups