
Problems installing Firepower software on ASA

Colin Higgins
Level 2

I have an ASA5555X with Firepower services 

I've been trying to upgrade the software on this thing for 2 weeks, but have run through countless failures, crashes, etc.

Currently, my sfr module is unresponsive.

I was running 5.4 and was trying to go to 6.0+, but the FMC 1500 couldn't get the sensor to upgrade (I couldn't push policies either). The TAC instructed me to simply shut down and uninstall the old SFR image on the firewall and do a new install. I put the boot image on the system, did the initial setup, and then launched the .pkg install process from http

The image unpacks and begins to install, but then I lose connectivity. If I do a "show module sfr" from the ASA it shows that it is in recover state (and type is unknown).

I tried this with 6.0 and 6.1 to the same effect.

Am I not waiting long enough? (How long does it take?) Or is something else going on?

Accepted Solutions

1) Which ASA version are you running? You need at least 9.5(2) for Firepower 6.2 and I would go directly to the last 9.6(3) interim version.

2) Yes, it takes long. For sure, the 5555-X is quite powerful, but I remember from my 5545-X that I also had to wait about 15 minutes or so until I was able to proceed.

I am running 9.8(1) on the ASA

I think I discovered what the issue is, after much troubleshooting and debugging.

You cannot put version 6.0+ on the sensor directly using the re-image method. You have to go back to 5.4 and then do the patches and incremental upgrades (takes hours) using FMC. This means that if you have a hardware failure and need to get a new unit and bring it up to 6.2, you are looking at a very long replacement process.

Out of the 5 sensors I tried to bring to 6.0+, 4 didn't have an issue, and 2 failed outright.

This is not Cisco's finest hour. Many issues with the Firesight product. 

At least that is not how it should behave. I imaged plenty of modules directly with 6.2 and it worked as expected. Probably there is something else going wrong.

Well I thought I had it fixed after getting the 5.4 image on there.

Sensor is up and running, but I can't log into it. It won't take the default password, nor will it take my old passwords.

I have now been down almost 3 weeks with this problem.

edit:

you have to use the old Sourcefire password

Sourcefire

not Admin123 

ugh

I am running 9.8(1) on the ASA

Are you using the latest interim-release? At least there was a Firepower related bug fixed in 9.8(1)5.

Marvin Rhoads
Hall of Fame

Recover state is normal and expected during the interim period when you have configured the boot image and are moving to the full installation package.

You can watch the package progress with the command "show module sfr log console".

Or, after waiting for some time, just session to the sfr module, accept the EULA and complete the setup.

Marvin: when trying to install anything 6.0 and over, the install never completes. Apparently this is a known issue (it crashes about 40 minutes in every time, and I saw this on multiple sensors).

I have it back to 5.4 and will try to get the patches applied by FMC and see if I can get the sensors up to 6.0+ that way (I hope)

That's odd. Like Karsten, I have re-imaged multiple ASA FirePOWER modules on 6.0, 6.1 and 6.2. I've not seen the crash issue. (Though now that I've said so my next one just might show me differently!)

 I do note that you mentioned you're running 9.8(1). That's very new code and I haven't been recommending it for production deployments just yet. 

Are you able to open a TAC case?

Marvin: the initial failure was when I was running 9.2.2, then I upgraded to 9.6.2

same thing

finally went all the way to 9.8(1)

I don't think it is an ASA code issue. I saw a few other people complaining about this issue on the forums and other websites. One guy said the only way to fix it was to re-image using 5.4 and use FMC from there. 

I am hoping I don't see this again, because I have a lot of production sensors to upgrade (including ones on 5558X SSP-60 platforms that have 65k+ ACE entries on them--don't want those to have an issue)

I did open a TAC case--they were the ones who told me to re-image and go directly to 6.0

I think a new bug needs to be reported
