08-11-2017 12:35 PM - edited 03-10-2019 06:54 AM
I have an ASA5555X with Firepower services
I've been trying to upgrade the software on this thing for 2 weeks, but have run through countless failures, crashes, etc.
Currently, my sfr module is unresponsive.
I was running 5.4 and was trying to go to 6.0+, but the FMC 1500 couldn't get the sensor to upgrade (I couldn't push policies either). The TAC instructed me to simply shut down and uninstall the old SFR image on the firewall and do a new install. I put the boot image on the system, did the initial setup, and then launched the .pkg install process from http
The image unpacks and begins to install, but then I lose connectivity. If I do a "show module sfr" from the ASA it shows that it is in recover state (and type is unknown).
I tried this with 6.0 and 6.1 to the same effect.
Am I not waiting long enough? (How long does it take?) Or is something else going on?
08-12-2017 04:13 AM
1) Which ASA version are you running? You need at least 9.5(2) for Firepower 6.2 and I would go directly to the last 9.6(3) interim version.
2) Yes, it takes long. For sure, the 5555-X is quite powerful, but I remember from my 5545-X that I also had to wait about 15 minutes or so until I was able to proceed.
08-12-2017 07:07 AM
I am running 9.8(1) on the ASA
I think I discovered what the issue is, after much troubleshooting and debugging.
You cannot put version 6.0+ on the sensor directly using the re-image method. You have to go back to 5.4 and then do the patches and incremental upgrades (takes hours) using FMC. This means that if you have a hardware failure and need to get a new unit and bring it up to 6.2, you are looking at a very long replacement process.
Out of the 5 sensors I tried to bring to 6.0+, 4 didn't have an issue, and 2 failed outright.
This is not Cisco's finest hour. Many issues with the Firesight product.
08-12-2017 08:31 AM
At least that is not how it should behave. I imaged plenty of modules directly with 6.2 and it worked as expected. Probably there is something else going wrong.
08-14-2017 06:46 AM
Well I thought I had it fixed after getting the 5.4 image on there.
Sensor is up and running, but I can't log into it. It won't take the default password, nor will it take my old passwords.
I have now been down almost 3 weeks with this problem.
08-14-2017 06:58 AM
edit:
you have to use the old Sourcefire password
Sourcefire
not Admin123
ugh
08-12-2017 08:59 AM
> I am running 9.8(1) on the ASA
Are you using the latest interim-release? At least there was a Firepower related bug fixed in 9.8(1)5.
08-12-2017 07:15 AM
Recover state is normal and expected during the interim period when you have configured the boot image and are moving to the full installation package.
You can watch the package progress with the command "show module sfr log console".
Or, after waiting for some time, just session to the sfr module, accept the EULA and complete the setup.
08-12-2017 08:22 AM
Marvin: when trying to install anything 6.0 and over, the install never completes. Apparently this is a known issue (it crashes about 40 minutes in every time, and I saw this on multiple sensors).
I have it back to 5.4 and will try to get the patches applied by FMC and see if I can get the sensors up to 6.0+ that way (I hope)
08-12-2017 08:40 AM
That's odd. Like Karsten, I have re-imaged multiple ASA FirePOWER modules on 6.0, 6.1 and 6.2. I've not seen the crash issue. (Though now that I've said so my next one just might show me differently!)
I do note that you mentioned you're running 9.8(1). That's very new code and I haven't been recommending it for production deployments just yet.
Are you able to open a TAC case?
08-12-2017 09:30 AM
Marvin: the initial failure was when I was running 9.2.2, then I upgraded to 9.6.2
same thing
finally went all the way to 9.8(1)
I don't think it is an ASA code issue. I saw a few other people complaining about this issue on the forums and other websites. One guy said the only way to fix it was to re-image using 5.4 and use FMC from there.
I am hoping I don't see this again, because I have a lot of production sensors to upgrade (including ones on 5558X SSP-60 platforms that have 65k+ ACE entries on them--don't want those to have an issue)
I did open a TAC case--they were the ones who told me to re-image and go directly to 6.0
I think a new bug needs to be reported