Cisco CSC – Upgrade the Operating System

KB ID 0000807 

Problem

Upgrading the operating system on the CSC module is pretty straight forward, as long as you have a valid support agreement for your hardware and a CCO account you can download the updates straight from Cisco (here).

Solution

WARNING: It’s rare that you can update straight to the latest version, by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.

WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed, you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.

You can do this via command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension NOT the .bin extension).

Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go an have a coffee, it will take a while.

Upgrading CSC Modules in a Failover Pair

If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.

1. Just for ease I’m showing the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall, here I’m upgrading 6.3.1172.0 to 6.3.1172.4.

2. Now I take the same module to 6.6.1125.0.

3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.

Check module status with;

[box]
show module 1 detail
[/box]

To force failover, on the Primary Active firewall.

[box]

configure terminal
no failover active

[/box]

4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over, the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.

5. Now we can see both modules are running the latest (at time of writing), product version.

6. Now to fail back simply issue the following command an the Secondary Active firewall;

[box]

configure terminal
no failover active

[/box]

7. You can also check the versions match with the following command;

[box]
show failover
[/box]

Related Articles, References, Credits, or External Links

NA