01-04-2016 03:18 PM
We have a customer that is using CX software on a HA pair of ASA 5512-X's. They want to upgrade to the FirePower IPS. There is an upgrade SKU (ASA5512-FP-UPG) that is an upgrade kit. Through CCW, when you customize the options on that SKU, you are directed to select the Control License, Subscription License, Hardware, and Management Center components to add the relevant SKUs to the top-level upgrade kit SKU.
The Hardware section requires the selection of ASA5500X-SSD120=, the 120GB SSD drive, and fails to validate within CCW if you do not include it. Since these 5512-X's are already running CX software and thus already have 120GB SSD drives installed, wouldn't this be unnecessary?
Solved! Go to Solution.
01-04-2016 04:42 PM
Yes. You can re-use the existing SSD.
Perhaps try using the spare part codes (with an = after the part code).
01-05-2016 02:02 PM
Don't use the UPG SKU if the customer already has SSDs.
Instead order the no-cost Control (CTRL) license, the desired subscription license (IPS, URL Filtering and/or AMP in 1- or 3-year term), and a FireSIGHT Management Center license.
(Technically you can get away without a Management Center with ASA 9.5(1) and FirePOWER 6.0 but I don't recommend it personally as it doesn't scale very well.)
The customer will need to uninstall the CX software module and reimage with the FirePOWER boot and system images as described in this document:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
01-04-2016 04:42 PM
Yes. You can re-use the existing SSD.
Perhaps try using the spare part codes (with an = after the part code).
05-23-2018 08:35 PM
Hello Philip,
Can we use HDD for sfr image?.
05-23-2018 08:37 PM
Hello Philipp,
Can we use HDD for sfr image?
01-05-2016 02:02 PM
Don't use the UPG SKU if the customer already has SSDs.
Instead order the no-cost Control (CTRL) license, the desired subscription license (IPS, URL Filtering and/or AMP in 1- or 3-year term), and a FireSIGHT Management Center license.
(Technically you can get away without a Management Center with ASA 9.5(1) and FirePOWER 6.0 but I don't recommend it personally as it doesn't scale very well.)
The customer will need to uninstall the CX software module and reimage with the FirePOWER boot and system images as described in this document:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
01-05-2016 03:25 PM
Ok, thank you. I created the build in CCW manually, using the Control, Subscription, and Management Center licenses that the upgrade SKU included, and omitted the SSDs, so we should be good.
What was confusing was that the ordering guide says specifically that this is a CX to FirePower upgrade SKU, and having CX implies having existing SSD's, hence the confusion as to why those would be part of a CX to FirePower upgrade SKU unless they were perhaps different than the SSD's used by the CX software.
01-05-2016 03:54 PM
OK and yes, it is a bit confusing how it's described in the ordering guide and in CCW. They are they same SSD types though.
Only the 5585-X needs new hardware since the blade that goes in Slot 1 cannot be software reimaged like the software modules on the other models can.
01-14-2016 11:00 AM
I followed this process on a 5512-X with CX module and it all works until I get to the "sw-module module sfr recover boot". I get "Storage device not found. Install drive and try again".
I have ~3.6GB free on the SSD.
sh file system
File Systems:
Size(b) Free(b) Type Flags Prefixes
* 4118732800 3893551104 disk rw disk0: flash:
- - disk rw disk1:
- - network rw tftp:
- - opaque rw system:
- - network ro http:
- - network ro https:
- - network rw scp:
- - network rw ftp:
- - network wo cluster:
- - stub ro cluster_trace:
- - network rw smb:
01-14-2016 12:31 PM
Hi David. Does this relate to this thread? If not, could you start a new one?
01-14-2016 12:36 PM
I thought it did since he was asking about upgrading a 5512-X CX to Firepower, but I may be mistaken.
01-14-2016 08:26 PM
David,
What does "show module" indicate?
You need to uninstall the CX module software image prior to copying and loading the sfr boot image.
01-14-2016 08:32 PM
I shut it down and uninstalled it, rebooted the ASA and then uploaded the firepower image to the disk.
sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512 FCH1732J44S
ips Unknown N/A FCH1732J44S
cxsc Unknown N/A FCH1732J44S
sfr Unknown N/A FCH1732J44S
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 c067.af03.5f0b to c067.af03.5f12 1.0 2.1(9)8 9.5(2)
ips c067.af03.5f09 to c067.af03.5f09 N/A N/A
cxsc c067.af03.5f09 to c067.af03.5f09 N/A N/A
sfr c067.af03.5f09 to c067.af03.5f09 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not Applicable
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
01-14-2016 08:42 PM
Hmm - OK, so far, so good.
Can you share:
show disk0:/
show inventory
.. and confirm you are loading the boot image something like this:
sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
01-14-2016 08:47 PM
show disk0:
--#-- --length-- -----date/time------ path
11 4096 Jan 14 2016 18:28:35 log
13 410 Jan 14 2016 18:28:46 log/asa-appagent.log
25 4096 Jun 17 2014 04:24:46 crypto_archive
135 5162176 Jun 17 2014 04:24:48 crypto_archive/crypto_eng0_arch_1.bin
26 4096 Aug 26 2013 08:27:26 coredumpinfo
27 59 Aug 26 2013 08:27:26 coredumpinfo/coredump.cfg
133 41848832 Jan 14 2016 18:43:04 asasfr-5500x-boot-6.0.0-1005.img
120 27109 Jun 18 2015 10:36:14 lab-config
122 38191104 Sep 06 2013 12:20:34 asa912-smp-k8.bin
123 12998641 Aug 26 2013 09:05:20 csd_3.5.2008-k9.pkg
124 4096 Aug 26 2013 09:05:22 sdesktop
137 1462 Aug 26 2013 09:05:22 sdesktop/data.xml
125 6487517 Aug 26 2013 09:05:22 anyconnect-macosx-i386-2.5.2014-k9.pkg
126 6689498 Aug 26 2013 09:05:24 anyconnect-linux-2.5.2014-k9.pkg
127 4678691 Aug 26 2013 09:05:24 anyconnect-win-2.5.2014-k9.pkg
128 82593792 Jan 14 2016 18:17:38 asa952-smp-k8.bin
129 25627616 Jan 14 2016 18:18:46 asdm-752.bin
4118732800 bytes total (3893551104 bytes free)
sh inventory
Name: "Chassis", DESCR: "ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5512 , VID: V01 , SN: FGL173441PK
Yep, that's the syntax I used, but with 6.0 code
show module sfr recover
Module sfr recover parameters...
Boot Recovery Image: No
Image File Path: disk0:/asasfr-5500x-boot-6.0.0-1005.img
sw-module module sfr recover boot
Storage device not found. Install drive and try again.
01-15-2016 01:41 PM
All your preparatory steps and the current environment you have appear correct - with the exception that for some reason the system does not properly recognize the new boot image. At this point I would suspect a bug in the 6.0 software.
I've seen a few others having problems upgrading their 5506's to 6.0 (although I've done two of them successfully), so it wouldn't surprise me too much to see yet another issue with this new major release's first iteration.
I'd open a TAC case on it and see what they say. If you don't have that option available to you, you might try starting with the 5.4 boot image and seeing if that gives you the same problem.
Let us know.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide