Upgrading images within IOS has long been a confusion point for many people, especially around the time that high-profile security vulnerabilities are announced. The complexities in upgrading IOS images include choosing the correct image, understanding the correct procedure to download the image onto the device, and understanding the recovery scenario if an upgrade fails. The IOS AutoUpgrade Manager automates this upgrade process for you, removing the points of confusion for you.

With the availability of Warm Reload and Warm Upgrade functionality, it is possible to implement a safe automatic upgrade of IOS images (without support of a network management tool like CiscoWorks, etc). When Cisco IOS Auto-Upgrade Manager is invoked from a command line or web interface, it will attempt to connect over the internet using XML to the Intelligent Download Application (IAD) Server on CCO. Information about the current image running on the device, basic details about what type of download is required, and CCO username/password information will be uploaded to IDA.

IOS Auto-Upgrade Manager will then manage the upgrade process from beginning to end performing the following tasks:

• Locating and downloading the image
• Checking all requirements
• Managing Flash memory space
• Validating the image
• Scheduling a Warm-Upgrade
• Providing Roll-back support should the upgrade fail

IOS Auto-Upgrade Manager is supported in 12.4(15)T and above and in the initial phase of IOS Auto-Upgrade Manager, two download options are available:

1. Download a specific image from CCO
2. Download a specific image from a local server

In order to download a specific Cisco IOS software image from www.cisco.com using the CLI you must use one of the following methods:

• Interactive Mode
• Single CLI Mode

The IOS Auto-Upgrade Manager guides you through the process of upgrading to a new Cisco IOS image in the interactive mode. When you choose automatic upgrade, you are required to answer a few questions in the interactive mode to complete the device upgrade. You can initiate interactive mode by issuing the upgrade automatic command without any options. The non-interactive single line CLI is for advanced users. You can download and upgrade to a new Cisco IOS software image from a Cisco or non-Cisco server by using the upgrade automatic getversion command and specifying all the required arguments. Both the interactive mode and single line CLI mode can be used to download images from Cisco and non-Cisco servers though.

So lets take a look @ what’s needed in order to configure this feature (and more importantly what’s not documented).

I’ll tell you I spent the better part of an afternoon testing this and only after the help of some Software Engineers did I get this work because the documentation has not been updated to reflect the proper steps yet. Also I’d like to send a big a thanks out to David Prall, CCIE #6508 (R/S, SP & Security) for taking the time to help me troubleshoot this as well.

Now the first (and most important) step in configuring the IOS Auto-Update feature is to configure the router with the proper SSL certificate. This is the step that caused me all the headache, now according to the documentation you need to follow these steps using MS Internet Explorer: 

1. Pull down the Tools menu in Internet Explorer (IE) and select Internet Options.
2. Under the Advanced tab, select “Warn if changing between secure and not secure mode.”
3. Enter the URL: https://www.cisco.com in IE. When a security alert pop-up box appears, click “No” for the question “You are about to leave a secure Internet connection. Do you want to continue?”.
4. Double-click the lock icon on the status bar of IE.
5. Select the Details tab of the certificate window displayed.
6. Save the certificate in the Base-64 encoded format to a file (such as cisco.cert).
7. Open the cisco.cert file in a Notepad to get the certificate data that you need to configure on your router.

However if you follow these step you will not get this feature to work as two important steps have been left out. In fact you will receive an error similar to the following:

################################################################################
Welcome to the Cisco IOS Auto Upgrade Manager. To upgrade your device, please
answer the following questions. To accept the default value for a question, simply hit
################################################################################
If you would like to download an image directly from Cisco Server over the Internet, a valid Cisco login account will be required.

Download from Cisco server? [yes]:
Enter the filename of the IOS image that you wish to upgrade to:
Image Name?c2800nm-advipservicesk9-mz.124-15.T5.bin

Please enter your Cisco username and password for entitlement verification. If you need to acquire a Cisco username/password, please go to http://www.cisco.com or contact your device administrator.
Cisco username:******
Cisco password:******

Contacting cisco.com. Wait..

Authorization fail: Make sure that you have configured a CA trustpoint and authenticated a valid SSL certificate.
Failed to contact cisco.com.
Upgrade failed.

The proper steps to follow in order to get this to work are to do the following using MS Internet Explorer:

1. Pull down the Tools menu in Internet Explorer (IE) and select Internet Options.
2. Under the Advanced tab, select “Warn if changing between secure and not secure mode.”
3. Enter the URL: https://www.cisco.com in IE. When a security alert pop-up box appears, click “No” for the question “You are about to leave a secure Internet connection. Do you want to continue?”.
4. Double-click the lock icon on the status bar of IE.
5. Click on the Certification Path tab
6. You will now see a certification chain. Select the ‘Verizon Class 3 Secure Server CA’ CA cert and click on “View Certificate” and this will open a separate details window for the cert.
7. Then, click on Details tab for the cert 
8. Next click “Copy to File” which will open a certificate export wizard which can be used to save the certificate in Base-64 encoded X.509 format..
9. Open the cisco.cert file in a Notepad to get the certificate data that you need to configure on your router.

Steps 5 & 6:

Step 7 & 8:

Step 8:

Once you have performed all 9 steps you are ready to configure your router for Auto-Update. You first have to import the certificate you just exported on the router and this is done using the following configuration:

ISR-2811(config)#crypto pki trustpoint cisco_ssl_cer
ISR-2811(ca-trustpoint)# enrollment terminal
ISR-2811(ca-trustpoint)# revocation-check none
ISR-2811(ca-trustpoint)#exit
ISR-2811(config)#crypto pki authenticate cisco_ssl_cer

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<<<Paste the content of the cert in notepad here>>>
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint MD5: 10FC635D F6263E0D F325BE5F 79CD6767
Fingerprint SHA1: 742C3192 E607E424 EB454954 2BE1BBC5 3E6174E2

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ISR-2811(config)#exit

Now the certificate has been successfully pasted into the router, you next need to enable the router for autoupgrade. This is done using the ‘autoupgrade‘ command. The autoupgrade command allows to specify what url location you would like to use to download the image from. If you are downloading the image directly from CCO you do not need to configure/modify the default for this command. This is done using the following command:

ISR-2811#config t
Enter configuration commands, one per line. End with CNTL/Z.
ISR-2811(config)#autou
ISR-2811(config)#autoupgrade ?
    disk-cleanup    Set Auto Upgrade Manager disk cleanup options
    ida             Set Auto Upgrade Manager IDA related information
    status          Set Auto Upgrade Manager status related information

ISR-2811(config)#autoupgrade ida ?
    url             Set Auto Upgrade Manager IDA url

ISR-2811(config)#autoupgrade ida url

You also have the capability to configure the router to send status updates regarding Auto-Upgrade via email using the ’autoupgrade status email’ command. Once you have configured the parameters of the Auto-Upgrade Manager on the router you are ready to perform the upgrade. Remember earlier I mentioned that you can initiate two types of upgrades: Interactice Mode & Single CLI Mode. Interactive Mode is started using the ‘upgrade automatic’ command and the router will begin to walk you through a series a prompts and perform the upgrade automatically based on your answers. The nice thing about the automatic upgrade is that it allows to do a warm-upgrade of the router immediately, schedule a warm-upgrade or perform the upgrade manually when your ready, all through a prompt. In order to see the upgrade performed via the Interactive Mode click the following link: Interactive Mode Sample.

In order to perform the Single CLI Mode upgrade I issue the following command:

upgrade automatic getversion cisco username mycconame password myccopassword image c2800nm-advipservicesk9-mz.124-15.T5.bin at now disk-management auto

This command downloads an IOS software image from the Cisco website (www.cisco.com) and reloads the router immediately after the download. It also will delete the flash files automatically if there is not enough disk space. To see the upgrade performed via the Single CLI Mode click the following link: Single CLI Mode Sample.

As a side note, you can also configure the router to download the image from a TFTP server, FTP Server or HTTP Server of your choice.