This guide steps through the basics of re-imaging the Cisco ASA Content Security and Control (CSC) Security Services Module with the latest image file. This process takes roughly 30 minutes to complete (not including the downloading of the upgrade files from cisco.com) and it leaves the CSC module with a fresh installation of code.
Different upgrade methods
There are two types of upgrade files available for the CSC module: BIN files and PKG files.
BIN files - BIN files are used to re-image the module. The files include the full installation of code present on the module. The BIN files will bring the module to a certain maintenance version such as 6.3.1172.0 or 6.6.1125.0.
PKG files - PKG files contain incremental bug fixes beyond the main release version available in BIN files. For example the csc6.3.1172.4.pkg will bring the module from 6.3.1172.0 up to 6.3.1172.4. PKG files contain just bug fixes and minor changes. You should read the PKG release notes to determine what is the minimum version of code the PKG can be installed on. Some package upgrades have very specific versions that must be installed prior to upgrade, the realease notes will outline that in detail:
This process will bring the CSC module down during the re-image process. If you have your CSC scanning policy configured with 'fail-close'. The traffic matching that policy will be blocked until the re-image process is completed and the module is back on-line. More information about the difference between 'fail-close' and its opposite, 'fail-open', can be found here:
Port IP Address [0.0.0.0]: 192.168.1.250 VLAN ID : Gateway IP Address [0.0.0.0]: ciscoasa(config)#
NOTE: Leave the gateway as 0.0.0.0 if the TFTP and CSC port are on the same Layer-3 subnet. If they are on different subnets, set the gateway to the next-hop router between the subnets.
When you are prepared to start the re-image process, enter the command hw-module module 1 recover boot:
ciscoasa(config)# hw-module module 1 recover boot The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it. Recover module in slot 1? [confirm] ciscoasa(config)# Recover issued for module in slot 1
Issue the command debug module in order to watch the re-image progress: