Community Member

CX Install Issues

We just installed an HA pair of ASA 5525x devices, equipped with the IPS and CX module.  I know currently only one module is supported with a future software update coming that will enable the other.  We are primarily concerned with CX for now so I am looking for some input on configuring it.

 

I have attempted to go through the procedure of shutting down the IPS, uninstalling the IPS, rebooting the ASA, and then installing the CX.  However, according to the logs, the CX reload completes, but I am unable to access it from the console of the ASA.  I get no login prompt or anything of the sort.

 

Also, I read somewhere that the HA replication does not pertain to the CX module, so we will need to use an external server in order to run PRSM and manage the CX.  Does this external server need to be in the management network, since generally the Management interface is not capable of routing other subnets?

 

Thanks for your help.

 

Cheers!

 

Mark

Accepted Solutions
Hall of Fame Super Silver

 Your cxsc_console_logs.txt

 

Your cxsc_console_logs.txt ends with a cx module login prompt. Your modules.txt shows the CX module is in recovery state.

Did you start with a boot loader CX image or the full system image? The former (e.g., asacx-5500x-boot-9.2.1.2-69.img is the current latest build) should be used for a fresh install / reformat.

If you did, then you can proceed with completing the process. You will need to "session cxsc console" from the ASA, partition the SSD ("partition" from the cxsc prompt), and then complete the software installation ("system install ftp://<username>@<host>/<cx full system image matching the bootloader>.pkg"). Once that downloads and the install completes (takes about 5 minutes), your "show module" should indicate the cxsc is Up / Up. When it is, you can proceed with the "setup" macro from the cx console prompt.

 

During the setup process you will be asked to set the CX's default gateway etc. While this uses the same physical interfaces as the ASA's management0/0, it has its own setup and can use it to reach hosts (e.g. PRSM, NTP server, cisco.com server for WSE data and signature updates) not on the ASA management subnet. In fact, if you cannot reach external resources from the CX module (the cisco.com ones), your functionality will be severely compromised since that is how the WSE and AVC bits keep up to date.

 

Community Member

Marvin, Thank you!

Marvin,

 

Thank you!  Sheepishly, I admit that I was waiting for a prompt to appear, but instead, all I had to do was type the username and password and I was OK.  The fact that the log showed that it was waiting for a login and the module still showed "Recover" threw me off.

 

I have the system partitioned now and am FTPing the running image now.

 

Thanks again.

 

Mark
