Uninstall Version 6.2.2.x


Warning

If you enabled security certifications compliance before the upgrade, you cannot uninstall Version 6.2.2.2. If you want to go back to an earlier patch, you must either restore from a pre-upgrade backup, or reimage to Version 6.2.2 and then upgrade to your target patch.


Order of Uninstallation

Uninstall the update in the reverse order that you installed it. That is, first uninstall the update from managed devices, then from Firepower Management Centers.

You must uninstall updates locally. You cannot use a Firepower Management Center to uninstall the update from a managed device.

Track the Uninstallation

To watch the uninstallation process, access the device through the shell and navigate to the /var/log/sf/<uninstaller file name folder> directory, then execute the tail –f main_upgrade_script.log shell command. Once the uninstallation process is complete, the system generates a upgrade completed message in the file main_upgrade_script.log.

Uninstall Firepower Threat Defense Devices in High Availability

Firepower Threat Defense devices in high availability pairs must run the same Firepower version.

You cannot uninstall Firepower Threat Defense devices in high availability. Before you uninstall, you must break the high availability and uninstall each device independently, then reform the high availability pair.

Uninstall from Clustered Firepower Threat Defense Devices

To avoid dropping traffic, uninstall from the slave units before uninstalling from the master unit of a cluster.

Note

If the uninstallation process on a clustered device fails, do not restart the uninstall or change configurations on its peer. Instead, contact Cisco TAC.


Procedure


Step 1

Verify the Firepower Threat Defense devices within the cluster are healthy and operating normally. Determine which member of the cluster is the master and which member is the slave.

Step 2

Uninstall the update from each slave unit one at a time.

While the slave unit uninstalls, the other slave units and the master unit continue to process traffic.

Step 3

On the master unit, uninstall the software.

While the master unit uninstalls, one of the slave units becomes the master and continues to process traffic.

Step 4

Once the uninstall completes on the master unit, the termporary master unit returns to the slave state and reforms the cluster.


Uninstall the Update from Clustered 7000 and 8000 Series Devices

Clustered devices, devices in high availability pairs and Firepower Management Centers in high availability pairs must run the same Firepower version. Although the uninstallation process triggers an automatic failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations in immediate succession.


Note

If the uninstallation process on a clustered device fails, do not restart the uninstall or change configurations on its peer. Instead, contact Cisco TAC.


To ensure continuity of operations, uninstall the update from clustered devices one at a time.

Procedure


Step 1

Uninstall the update from the secondary appliance.

While the secondary appliance uninstalls, the active appliance continues to forward traffic to the Firepower Management Center.

Step 2

Uninstall the update from the active appliance.

While the active appliance uninstalls, the secondary appliance temporarily becomes active and continues to forward traffic to the Firepower Management Center. Once the uninstall completes, the secondary appliances returns and the appliances reform the cluster.

Step 3

Once the uninstall completes on the secondary unit, the termporary primary unit returns to the secondary state and reforms the cluster.


Uninstall the Update from Stacked 7000 and 8000 Series Devices

All devices in a stack must run the same Firepower version. Uninstalling the update from any of the stacked devices causes the devices in that stack to enter a limited, mixed-version state.

To minimize impact on your deployment, we recommend you uninstall an update from stacked devices simultaneously. The stack resumes normal operation when the uninstallation completes on all devices in the stack.

Uninstall the Update from Devices Deployed Inline

Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. See Pre-Update Configuration and Event Backups for more information.

Uninstall Firepower Management Centers in High Availability

Firepower Management Centers in high availability pairs must run the same Firepower version. Although the uninstallation process triggers an automatic failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations in immediate succession.


Note

If the uninstallation process on Firepower Management Centers in a high availability pair fails, do not restart the uninstall or change configurations on its peer. Instead, contact Cisco TAC.


To ensure continuity of operations, uninstall the update from paired Firepower Management Centers one at a time.

Procedure


Step 1

Pause high availability synchronization, as described in Pausing Communication Between Paired Firepower Management Centers

Step 2

Uninstall the update from the standby Firepower Management Center first.

The uninstallation completes.

Step 3

Uninstall the update from the active Firepower Management Center.

The uninstallation completes.

Step 4

Resume high availability synchronization, as described in Restarting Communication Between Paired Firepower Management Centers

Step 5

Click Make Me Active for the Firepower Management Center you want act as active. The Firepower Management Center you do not make active automatically switches to standby mode. Communication between the Firepower Management Center peers automatically restarts.


After the Uninstall

After you uninstall the update, there are several steps you should take to ensure that your deployment is performing properly, such as verifying that the uninstall succeeded and that all appliances in your deployment are communicating successfully.

Uninstall Firepower Threat Defense Devices and Firepower Threat Defense Virtual Devices Managed by Firepower Management Center

Uninstalling the update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Pre-Update Configuration and Event Backups.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

Log into the device as admin, via SSH or through the virtual console.

Step 3

Initiate connection between Firepower 2100 Series, Firepower 4100 Series, and Firepower 9300 Security Appliances and the console before you uninstall.

  1. For Firepower 2100 Series devices, type connect ftd .

  2. For Firepower 4100 Series devices and Firepower 9300 Security Appliances, type connect module <slot number> console and then connect ftd .

Step 4

At the CLI prompt, type expert to access the bash shell.

Step 5

At the bash shell prompt, type sudo su -.

Step 6

Type the admin password to continue the process with root privileges.

Step 7

At the prompt, enter the following on a single line: install_update.pl --detach/var/sf/updates/filename_Patch_Uninstaller-<version>-<build>.REL.tar

The uninstallation process begins.
Note 

If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Cisco TAC.

Step 8

After the uninstallation is complete, the device reboots.

Step 9

Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version.

Step 10

Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall ASA FirePOWER Modules Managed by a Firepower Management Center

Uninstalling the update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Pre-Update Configuration and Event Backups.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

Log into the device as admin, via SSH or through the virtual console.

Step 3

At the CLI prompt, type session sfr console.

Step 4

At the CLI prompt, type expert to access the bash shell.

Step 5

At the bash shell prompt, type sudo su -.

Step 6

Type the admin password to continue the process with root privileges.

Step 7

At the prompt, enter the following on a single line: install_update.pl --detach/var/sf/updates/filename_Patch_Uninstaller-<version>-<build>.REL.tar

The uninstallation process begins.
Note 

If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Cisco TAC.

Step 8

After the uninstallation is complete, the device reboots.

Step 9

Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version.

Step 10

Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall 7000 Series and 8000 Series Managed devices

Uninstalling the update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Pre-Update Configuration and Event Backups.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

Log into the device as admin, via SSH or through the virtual console.

Step 3

At the CLI prompt, type expert to access the bash shell.

Step 4

At the bash shell prompt, type sudo su -.

Step 5

Type the admin password to continue the process with root privileges.

Step 6

At the prompt, enter the following on a single line: install_update.pl --detach/var/sf/updates/filename_Patch_Uninstaller-<version>-<build>.REL.tar

The uninstallation process begins.
Note 

If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Cisco TAC.

Step 7

After the uninstallation is complete, the device reboots.

Step 8

Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version.

Step 9

Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall NGIPSv Devices

Uninstalling the update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Pre-Update Configuration and Event Backups.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

Log into the device as admin, via SSH or through the virtual console.

Step 3

At the CLI prompt, type expert to access the bash shell.

Step 4

At the bash shell prompt, type sudo su -.

Step 5

Type the admin password to continue the process with root privileges.

Step 6

At the prompt, enter the following on a single line: install_update.pl --detach/var/sf/updates/filename_Patch_Uninstaller-<version>-<build>.REL.tar

The uninstallation process begins.
Note 

If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Cisco TAC.

Step 7

After the uninstallation is complete, the device reboots.

Step 8

Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version.

Step 9

Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall Firepower Management Centers

Uninstalling the update results in a device running the previous version. For information on uninstalling a previous version, see to the Firepower System Release Notes for that version.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

On the managing Firepower Management Center, make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.

Step 3

On the managed device, click the system status icon and view the Tasks tab in the Message Center to make sure there are no tasks in progress.

Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the Tasks tab after the uninstallation completes.
Step 4

Choose System > Updates.

Step 5

Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device.

You can monitor the uninstallation progress in the Tasks tab of the Message Center.
Note 

Do not use the UI to perform any other tasks until the uninstallation is complete and the device reboots. Before the uninstallation completes, the web interface may become unavailable and the device may log you out. This is expected behavior; log in again to view the Tasks tab. If the uninstallation is still running, do not use the web interface until the uninstallation is complete. If you encounter issues with the uninstallation (for example, if the Tasks tab indicates that the update has failed or if the Tasks tab shows no progress for several minutes), do not restart the uninstallation. Instead, contact Cisco TAC.

Step 6

After the uninstallation is complete, the appliance reboots.

Step 7

Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

Step 8

Log in to the device.

Step 9

Choose Help > About and confirm that the correct software version is listed.

Step 10

On the managing Firepower Management Center, verify that the appliances in your deployment successfully communicate with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall ASA FirePOWER Modules Managed By ASDM

Uninstalling the update results in a device running the previous version. For information on uninstalling a previous version, see to the Firepower System Release Notes for that version.

Uninstalling the update reboots the device. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Pre-Update Configuration and Event Backups.

Procedure


Step 1

Read and understand Order of Uninstallation.

Step 2

Log into the device as admin, through SSH or the virtual console.

Step 3

At the CLI prompt, type expert to access the bash shell.

Step 4

At the bash shell prompt, type sudo su -.

Step 5

Type the admin password to continue the process with root privileges.

Step 6

At the prompt, enter the following on a single line: install_update.pl --detach/var/sf/updates/filename_Patch_Uninstaller-<version>-<build>.REL.tar

The uninstallation process begins.
Note 

If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Cisco TAC.

Step 7

After the uninstallation finishes, the device reboots.

Step 8

Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.


Uninstall Firepower Threat Defense Devices Managed By Firepower Device Manager

You cannot uninstall Firepower Threat Defense devices managed by Firepower Device Manager. You must reimage the appliance. See the Firepower Threat Defense Command Reference Guide for more information.