ASA CX to FirePower Upgrade Kit - SSDs Required?

jwillard99
Level 4

We have a customer that is using CX software on a HA pair of ASA 5512-X's. They want to upgrade to the FirePower IPS. There is an upgrade SKU (ASA5512-FP-UPG) that is an upgrade kit. Through CCW, when you customize the options on that SKU, you are directed to select the Control License, Subscription License, Hardware, and Management Center components to add the relevant SKUs to the top-level upgrade kit SKU.

The Hardware section requires the selection of ASA5500X-SSD120=, the 120GB SSD drive, and fails to validate within CCW if you do not include it. Since these 5512-X's are already running CX software and thus already have 120GB SSD drives installed, wouldn't this be unnecessary?

2 Accepted Solutions

Philip D'Ath
VIP Alumni

Yes.  You can re-use the existing SSD.

Perhaps try using the spare part codes (with an = after the part code).

Marvin Rhoads
Hall of Fame

Don't use the UPG SKU if the customer already has SSDs.

Instead order the no-cost Control (CTRL) license, the desired subscription license (IPS, URL Filtering and/or AMP in 1- or 3-year term), and a FireSIGHT Management Center license.

(Technically you can get away without a Management Center with ASA 9.5(1) and FirePOWER 6.0 but I don't recommend it personally as it doesn't scale very well.)

The customer will need to uninstall the CX software module and reimage with the FirePOWER boot and system images as described in this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

19 Replies

Hello Philip,

Can we use HDD for sfr image?

Ok, thank you. I created the build in CCW manually, using the Control, Subscription, and Management Center licenses that the upgrade SKU included, and omitted the SSDs, so we should be good.

What was confusing was that the ordering guide says specifically that this is a CX to FirePower upgrade SKU, and having CX implies having existing SSD's, hence the confusion as to why those would be part of a CX to FirePower upgrade SKU unless they were perhaps different than the SSD's used by the CX software.

OK and yes, it is a bit confusing how it's described in the ordering guide and in CCW. They are the same SSD types though.

Only the 5585-X needs new hardware since the blade that goes in Slot 1 cannot be software reimaged like the software modules on the other models can. 

I followed this process on a 5512-X with CX module and it all works until I get to the "sw-module module sfr recover boot".  I get "Storage device not found.  Install drive and try again".

I have ~3.6GB free on the SSD.

sh file system

File Systems:

     Size(b)     Free(b)      Type      Flags  Prefixes
* 4118732800    3893551104    disk      rw      disk0: flash:
             -             -  disk      rw      disk1:
             -             -  network   rw      tftp:
             -             -  opaque    rw      system:
             -             -  network   ro      http:
             -             -  network   ro      https:
             -             -  network   rw      scp:
             -             -  network   rw      ftp:
             -             -  network   wo      cluster:
             -             -  stub      ro      cluster_trace:
             -             -  network   rw      smb:

Hi David.  Does this relate to this thread?  If not, could you start a new one?

I thought it did since he was asking about upgrading a 5512-X CX to Firepower, but I may be mistaken.

David,

What does "show module" indicate?

You need to uninstall the CX module software image prior to copying and loading the sfr boot image.

I shut it down and uninstalled it, rebooted the ASA and then uploaded the firepower image to the disk.

sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512            FCH1732J44S
 ips Unknown                                      N/A                FCH1732J44S
cxsc Unknown                                      N/A                FCH1732J44S
 sfr Unknown                                      N/A                FCH1732J44S

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    
---- --------------------------------- ------------ ------------ ---------------
   0 c067.af03.5f0b to c067.af03.5f12  1.0          2.1(9)8      9.5(2)
 ips c067.af03.5f09 to c067.af03.5f09  N/A          N/A         
cxsc c067.af03.5f09 to c067.af03.5f09  N/A          N/A         
 sfr c067.af03.5f09 to c067.af03.5f09  N/A          N/A         

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable       
 ips Unresponsive       Not Applicable       
cxsc Unresponsive       Not Applicable       
 sfr Unresponsive       Not Applicable       

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual    

Hmm - OK, so far, so good.

Can you share:

show disk0:/
show inventory

.. and confirm you are loading the boot image something like this:

sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

show disk0:
--#--  --length--  -----date/time------  path
   11  4096        Jan 14 2016 18:28:35  log
   13  410         Jan 14 2016 18:28:46  log/asa-appagent.log
   25  4096        Jun 17 2014 04:24:46  crypto_archive
  135  5162176     Jun 17 2014 04:24:48  crypto_archive/crypto_eng0_arch_1.bin
   26  4096        Aug 26 2013 08:27:26  coredumpinfo
   27  59          Aug 26 2013 08:27:26  coredumpinfo/coredump.cfg
  133  41848832    Jan 14 2016 18:43:04  asasfr-5500x-boot-6.0.0-1005.img
  120  27109       Jun 18 2015 10:36:14  lab-config
  122  38191104    Sep 06 2013 12:20:34  asa912-smp-k8.bin
  123  12998641    Aug 26 2013 09:05:20  csd_3.5.2008-k9.pkg
  124  4096        Aug 26 2013 09:05:22  sdesktop
  137  1462        Aug 26 2013 09:05:22  sdesktop/data.xml
  125  6487517     Aug 26 2013 09:05:22  anyconnect-macosx-i386-2.5.2014-k9.pkg
  126  6689498     Aug 26 2013 09:05:24  anyconnect-linux-2.5.2014-k9.pkg
  127  4678691     Aug 26 2013 09:05:24  anyconnect-win-2.5.2014-k9.pkg
  128  82593792    Jan 14 2016 18:17:38  asa952-smp-k8.bin
  129  25627616    Jan 14 2016 18:18:46  asdm-752.bin

4118732800 bytes total (3893551104 bytes free)

sh inventory
Name: "Chassis", DESCR: "ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5512           , VID: V01     , SN: FGL173441PK

Yep, that's the syntax I used, but with 6.0 code

show module sfr recover
Module sfr recover parameters...
Boot Recovery Image: No
Image File Path:     disk0:/asasfr-5500x-boot-6.0.0-1005.img

sw-module module sfr recover boot

Storage device not found.  Install drive and try again.

All your preparatory steps and the current environment you have appear correct - with the exception that for some reason the system does not properly recognize the new boot image. At this point I would suspect a bug in the 6.0 software.

I've seen a few others having problems upgrading their 5506's to 6.0 (although I've done two of them successfully), so it wouldn't surprise me too much to see yet another issue with this new major release's first iteration.

I'd open a TAC case on it and see what they say. If you don't have that option available to you, you might try starting with the 5.4 boot image and seeing if that gives you the same problem.

Let us know.
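
An added example, not part of the thread and not Cisco tooling: a Python check of the prerequisites the replies walk through before `sw-module module sfr recover boot` (CX image removed, configured boot image present on disk0:), run over pasted CLI output. The sample text is constructed in the layout quoted above, and treating "No Image Present" for cxsc as the uninstalled state is an assumption taken from that output.

```python
import re

# Constructed sample input, laid out like the CLI output quoted in the thread.
ROW = "{:<4} {:<30} {:<16} {}"
SHOW_MODULE = "\n".join([
    ROW.format("Mod", "SSM Application Name", "Status", "SSM Application Version"),
    ROW.format("-" * 4, "-" * 30, "-" * 16, "-" * 26),
    ROW.format("cxsc", "Unknown", "No Image Present", "Not Applicable"),
    ROW.format("sfr", "Unknown", "No Image Present", "Not Applicable"),
])
SHOW_RECOVER = "Image File Path:     disk0:/asasfr-5500x-boot-6.0.0-1005.img"
SHOW_DISK = """\
  133  41848832    Jan 14 2016 18:43:04  asasfr-5500x-boot-6.0.0-1005.img
  128  82593792    Jan 14 2016 18:17:38  asa952-smp-k8.bin
"""

def table_rows(text, header_key):
    """Slice the table whose header contains header_key, using its ---- ruler."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if header_key in line and lines[i + 1].lstrip().startswith("-"):
            spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
            rows = []
            for row in lines[i + 2:]:
                if not row.strip():  # a blank line ends this table
                    break
                rows.append([row[a:b].strip() for a, b in spans])
            return rows
    return []

def preflight(show_module, show_recover, show_disk):
    """Return a list of unmet prerequisites; an empty list means none found."""
    problems = []
    status = {r[0]: r[2] for r in table_rows(show_module, "SSM Application Name")}
    # Assumption: the cxsc row reads "No Image Present" once CX is uninstalled.
    if status.get("cxsc") != "No Image Present":
        problems.append("CX image still installed (cxsc: %s)" % status.get("cxsc"))
    m = re.search(r"Image File Path:\s*disk0:/(\S+)", show_recover)
    files = set(re.findall(
        r"^\s*\d+\s+\d+\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)$", show_disk, re.M))
    if not m:
        problems.append("no sfr recover image configured")
    elif m.group(1) not in files:
        problems.append("boot image %s not on disk0:" % m.group(1))
    return problems
```

An empty result only confirms these prerequisites; the "Storage device not found" error in the thread occurred with all of them satisfied.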