Cisco FirePOWER Sensor upgrade failing

Recently I ran into an issue while applying a minor upgrade on a remote Firepower sensor from the Management Center (FMC). I’ve tried it several times; it would start copying the upgrade file over to the Sensor but then, all the way at the end, stop and fail with the error "Update Install failed".


Looking at /var/sf/updates/ may reveal that only a partial file was copied over.

root@IPS:/var/sf/updates# ls -halt
total 940M
-rw-r--r--  1 root root 401M Nov  2 02:02 Cisco_Network_Sensor_Patch-6.0.1.2-37.sh
drwxrwxr-x  2 root www  4.0K Nov  2 01:46 .

When I compared it with the original file on FMC I noticed it was slightly smaller.

root@firepower:/Volume/home/admin# cd /var/sf/updates/
root@firepower:/var/sf/updates# ls -halt
total 1.7G
-rw-r--r--  1 www  www  413M Sep 24 14:00 Cisco_Network_Sensor_Patch-6.0.1.2-37.sh

There may be several reasons why the update was not copied successfully, but fortunately there is a workaround to get the file over and restart the upgrade process.

Components:
Firepower Management Center: 6.0.1.2
Sensor Patch: 6.0.1.2-37

First, remove the partial file from the sensor

root@IPS:/var/sf/updates# rm Cisco_Network_Sensor_Patch-6.0.1.2-37.sh

and retrieve the Sensor UUID.

root@IPS:/var/sf/updates# grep -i uuid /etc/sf/ims.conf
APPLIANCE_UUID=dab59d3e-xxx

Next, use the command below to copy the upgrade file from the FMC to the Sensor.

root@firepower:/var/sf/updates# sfmgr -c 'PUTFILE /var/sf/updates/Cisco_Network_Sensor_Patch-6.0.1.2-37.sh /var/sf/updates/Cisco_Network_Sensor_Patch-6.0.1.2-37.sh' -u dab59d3e-xxx

Successful execution will provide the following output.

<state>0</state><return>0</return><stderr></stderr>
<response>Transfer Completed</response>
</action>
</sfrequest>

Back on the Sensor, confirm the file size once the copy operation is complete.

root@IPS:/var/sf/updates# ls -halt
total 952M
-rw-r--r--  1 root root 413M Nov  4 15:58 Cisco_Network_Sensor_Patch-6.0.1.2-37.sh
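
The ls -h listing shows rounded sizes, so a copy that is short by a small amount can look identical to the original. The following is an added example, not part of the original post, that compares the exact byte count and SHA-256 of the copy against the original, whichever transfer method was used. It assumes wc and sha256sum are available on both appliances; the function names fingerprint and verify_copy are hypothetical.

```shell
# Added example (not from the original post): detect a partial or altered copy
# of an upgrade package before restarting the upgrade.
# Assumption: wc and sha256sum exist on both the FMC and the Sensor.

# Print "<size_in_bytes> <sha256>" for a file.
# Run this on the source side (the FMC) against the original package.
fingerprint() {
    local f="$1"
    [ -f "$f" ] || return 1
    printf '%s %s\n' \
        "$(wc -c < "$f" | tr -d ' ')" \
        "$(sha256sum "$f" | cut -d' ' -f1)"
}

# Compare a local copy with the reference values taken on the source.
# Usage: verify_copy <file> <expected_size_bytes> <expected_sha256>
# Returns: 0 identical, 1 file missing, 2 size mismatch (partial copy),
#          3 same size but different content.
verify_copy() {
    local f="$1" want_size="$2" want_hash="$3"
    local got got_size got_hash
    got=$(fingerprint "$f") || { echo "MISSING: $f"; return 1; }
    got_size=${got%% *}
    got_hash=${got##* }
    if [ "$got_size" -ne "$want_size" ]; then
        echo "PARTIAL: $f has $got_size of $want_size bytes"
        return 2
    fi
    if [ "$got_hash" != "$want_hash" ]; then
        echo "MISMATCH: $f sha256 is $got_hash, expected $want_hash"
        return 3
    fi
    echo "OK: $f matches the source"
    return 0
}
```

Run fingerprint on the FMC against the original package, then pass the two values it prints to verify_copy on the Sensor before restarting the upgrade.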

Another way to get the upload file over to the remote Sensor is with the SCP command. To avoid overhead and minimize upload failures, I’ve bypassed the VPN tunnel and uploaded the file to a public hosting environment. The following command will start copying the file down to the Sensor and provide download status, which in our case is critical due to many download failures. With -P you can indicate a custom port.

root@IPS:/var/sf/updates# scp -P 2222 username@RemoteHostIP_or_Name:~/your_public_ftp_folder/Cisco_Network_Sensor_Patch-6.0.1.2-37.sh /var/sf/updates/

Cisco_Network_Sensor_Patch-6.0.1.2-37.sh       0%   13MB 422.9KB/s   51:58 ETA

Once the file has been copied successfully, restart the upgrade process in the FMC GUI. The file will be detected and the upgrade process will start extracting it. You can check upgrade progress on the Sensor by tailing the status.log file under /var/log/sf/Patch#.

admin@IPS:/var/log/sf/Cisco_Network_Sensor_Patch-6.0.1.2$ tailf status.log
state:running
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/100_start_messages.sh…
ui:[ 1%] Running script 000_start/101_run_pruning.pl…

P.S. To retrieve files from the sensor, first copy them to the FMC

>expert
>sudo scp /var/common/file-to-be-copied admin@Firesight-IP:/var/tmp

and then retrieve them with an scp client as described in this post.
