Re-Image and Update the Cisco FirePOWER Services Module

KB ID 0001164

Problem

This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember if you set the FirePOWER module to ‘fail-closed’, you will lose internet access, so you might want to change that to ‘fail-open’ as well).

The process is a LOT EASIER to do in the ASDM, I’m not usually an advocate of the GUI, but if you can access the FirePOWER settings that way, it will do all the hard work for you, (see below).

See Updating FirePOWER Module (From ASDM)

Note: This ASDM upgrade will fail if the module is being managed by the FirePOWER Management center (FireSIGHT), you can update it from there, or remove the peer association, then update it.

Normally I only have to do this if something’s gone wrong, and I can’t contact the module, or I’ve go a lot of them to do, and I don’t have direct management access. This process works on the ‘baby ASA’s,’ i.e 5506-X and 5508-X, and also on the larger models i.e 5512-X upwards (but NOT the 5585-X, that has a hw-module not a sw-module).

Solution

Before you start you need three things;

  • A Boot Image file (i.e. asasfr-5500x-boot-6.0.0-1005.img) – download from Cisco.
  • A Firepower Software Package (i.e. asasfr-sys-6.0.0-1005.pkg) this is a BIG file (over a Gigabyte) – download from Cisco.
  • A Web Server, (or FTP server) setup, with the files above available for ‘download’ into the FirePOWER module. Note: If using Microsoft IIS you need to add .img and .pkg as downloadable MIME objects or it wont work.

Connect to the firewall via command line, and check that the module is ‘Up’ and take a note of the current software version;

[box]

Petes-ASA(config)# show module 

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  UP	        5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr UP Sys           Not Applicable        
Petes-ASA(config)# 

[/box]

Download the boot image from your web server into the ‘flash’ memory in the parent firewall.

[box]

Petes-ASA(config)# copy http flash

Address or name of remote host []? 10.3.0.84

Source filename []? asasfr-5500x-boot-6.3.0-3.img

Destination filename [asasfr-5500x-boot-6.0.0-1005.img]? {Enter}

Accessing http://10.3.0.84/asasfr-5500x-boot-6.3.0-3.img...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asasfr-5500x-boot-6.3.0-3.img...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
41848832 bytes copied in 5.20 secs (8369766 bytes/sec)

[/box]

Then set that file as the boot image for the sourcefire module, and tell the module to perform a ‘recovery boot’.

[box]

Petes-ASA(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
Petes-ASA(config)# sw-module module sfr recover boot

Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.

Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.

[/box]

Now it looks like nothing is happening, but the SFR module will restart with the recovery/boot image, you can see a little of what’s going on if you issue a debug command on the module,

[box]

Petes-ASA(config)# debug module-boot 
debug module-boot  enabled at level 1

IF YOU LOOK AT THE MODULES STATUS IT WILL SAY 'RECOVER'

Petes-ASA(config)# show module 

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr Recover           Not Applicable        


SAMPLE DEBUG OUTPUT

Mod-sfr 657> *** EVENT: Disk Image created successfully.
Mod-sfr 658> *** TIME: 07:05:36 GMT/BST Mar 1 2016
Mod-sfr 659> ***
Mod-sfr 660> ***
Mod-sfr 661> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0
Mod-sfr 662> /asasfr-5500x-boot-6.4.0-1.img, Num CPUs: 3, RAM: 2266MB, Mgmt MAC: 00:F2:8B:FB
Mod-sfr 663> :FB:C7, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio,
Mod-sfr 664>  De
Mod-sfr 665> ***

<—Output Removed for the Sake of Brevity—>


Mod-sfr 50> Starting Advanced Configuration and Power Interface daemon: acpid.
Mod-sfr 51> acpid: starting up with proc fs
Mod-sfr 52> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 53> starting Busybox inetd: inetd... done.
Mod-sfr 54> Starting ntpd: done
Mod-sfr 55> Starting syslogd/klogd: done

[/box]

This would be a good time to go get a coffee, it doesn’t take that long, the documentation at Cisco says 5 minutes, I’d wait at least 10! You then need to login to the SFR module and give it a basic config;

[box]

Petes-ASA(config)# session sfr console 
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


Cisco FirePOWER Services Boot Image 6.4.0

asasfr login: admin
Password: Admin123


Cisco FirePOWER Services Boot 6.4.0 (1)
Type ? for list of commands
asasfr-boot>setup


Welcome to Cisco FirePOWER Services Setup 
 [hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asasfr]: Firepower-Module
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118 
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:


Hostname:Firepower-Module
Management Interface Configuration

IPv4 Configuration:static
IP Address:192.168.1.253
Netmask:255.255.25.0
Gateway:192.168.1.254

IPv6 Configuration:Stateless autoconfiguration

DNS Configuration:
Domain:petenetlive.com
Search:petenetlive.com
DNS Server:10.3.0.2

NTP configuration: 194.35.252.7[4C130.88.202.49   93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}

[/box]

Now you can install the software package on the SFR module. Note: the URL has TWO forward slashes in it not one, (Cisco update your documentation!)

UPDATE: (Thanks to Eli Davis) To avoid having to wait to confirm with the following step, use the ‘no confirm’ keyword. i.e. “system install noconfirm http://10.3.0.84/asasfr-sys-6.0.0-1005.pkg”.

WARNING You might want to set the SSH timeout to 45 minutes before you do this, or it will keep logging you out while you are waiting!

[box]

asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
   
Verifying.    .. 
Downloading.    ..   
Extracting.    ..  
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes 

Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

<——Output Removed for the Sake of Brevity——>


Mod-sfr 61>  login: [ 2498.828291] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 G
Mod-sfr 62> B/3.00 GiB)
Mod-sfr 63> [ 2498.832675] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 64> [ 2498.835298] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't
Mod-sfr 65>  support DPO or FUA

Mod-sfr 808> ************ Attention *********
Mod-sfr 809>    Initializing the configuration database.  Depending on available
Mod-sfr 810>    system resources (CPU, memory, and disk), this may take 30 minutes 
Mod-sfr 811>    or more to complete.
Mod-sfr 812> ************ Attention *********
Mod-sfr 813> Executing S10database
Console session with module sfr terminated.

[/box]

May take 30 minutes! I waited 45 then drove 8 miles home reconnected and it was still going, (it’s a lot faster on the larger firewalls.) Just keep an eye on the status it will change from recover to up when its complete

[box]

Petes-ASA(config)#show module         

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr Unknown                                      N/A                JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr Recover            Not Applicable        


WAIT AGES UNTIL...

Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.4.0-102

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Now you need to connect to the SFR and configure it, (yes again).

[box]

Petes-ASA# session sfr 
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


Cisco ASA5506 v6.0.0 (build 1005)

firepower login: admin
Password: Admin123
Last login: Tue Mar  1 10:08:16 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 102)
Cisco ASA5506 v6.0.0 (build 1005)

Last login: Tue Mar  1 10:01:01 UTC 2016 on cron
Last login: Tue Mar  1 10:08:16 UTC 2016 on pts/0
You must accept the EULA to continue.
Press  to display the EULA: {Enter}
END USER LICENSE AGREEMENT

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY.  IT IS VERY
IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT
FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT
(COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE

--Output Removed for the Sake of Brevity - Press Space Bar (A LOT!)--

Please enter 'YES' or press  to AGREE to the EULA:  YES

System initialization in progress.  Please stand by.  
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254
Enter a fully qualified hostname for this system [firepower]: Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []: 192.168.1.10
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com
If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Creating default Identity Policy.
Creating default SSL Policy.

Update policy deployment information
    - add device configuration
    - add network discovery
    - add system policy
    - add access control policy
    - applying access control policy

You can register the sensor to a Firepower Management Center and use the 
Firepower Management Center to manage it. Note that registering the sensor 
to a Firepower Management Center disables on-sensor Firepower Services 
management capabilities.

When registering the sensor to a Firepower Management Center, a unique 
alphanumeric registration key is always required.  In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or 
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must 
use the same registration key and, if necessary, the same NAT ID when you add 
this sensor to the Firepower Management Center.
> exit
Remote card closed command session. Press any key to continue.
 Command session with module sfr terminated.

Petes-ASA# 

[/box]

Back at the firewall prompt make sure you can ping it, (you did put a cable in the management interface didn’t you?)

[box]

Petes-ASA# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Petes-ASA# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211 

7149 bytes copied in 0.350 secs
[OK]

Petes-ASA# 

[/box]

Now you can manage the FirePOWER Services console from the ASDM, or add it onto the FirePOWER Management Center (FireSIGHT).

 

Related Articles, References, Credits, or External Links

Thanks to Eli Davis for the feedback.

Cisco SFR Session – Cannot Exit To Command Line

Deploy Cisco FirePOWER Management Center (Appliance)

89 thoughts on “Re-Image and Update the Cisco FirePOWER Services Module

  1. Hi Pete,
    I’m currently battling with Firepower for the first time and your other articles have helped me out greatly. I’m trying to upgrade from version 5.4.x.x upto 6.0.1
    The module WAS on 5.4.1 out of the box and it gave me a “This update is intended for software versions greater than or equal to 6.0.0 and less than 6.0.1-29” when I first tried it.
    I thought, maybe I need to be on a later version of the 5.4.x.x train, so updated to 5.4.1.6-37 (which incidentally took 5hrs, good job this system is not live yet!)
    I’ve just tried the 6.0.1-29 upgrade again and I’m getting the same message.
    This is all just doing things locally via ASDM, no Firesight involved.
    How do I get upto version 6.0.1?

    Any ideas?

    Thanks
    Mark…

    • They they take an annoying amount of time – set your policy to fail-open if anyone wants to use this in production!!
      Use the CLI and get a matching boot/recover image and install package – then just reformat it with version 6

      Regards,

      Pete

      • Thanks for the quick reply Pete, much appreciated.
        I’ve since realised that there is a 6.0.0-1005 that I needed to go to first (along with its pre install patch *rolleyes*!)
        This seems to be working now but, yes, taking a looooooonnnnnng time!

        I have some more to do so will try the CLI method next.
        Thanks again.

        Mark…

  2. Hi Pete

    My SFR module is on 5.4.1. To save some time with the upgrade I`d like to re-image it with the above method to 6.1.0. The question is – Will I lose my installed licenses?

    Thanks
    Greg

  3. Hi Pete,

    Just a quick dumb question, you downloaded the system image from a HTTP server via the management interface right? Thanks.

  4. I just want to thank you for this wonderful article. I have performed SFR upgrades before reading this guide, but this one is by far the best. Especially thank you for “debug module-boot”, as seeing some output is more entertaining than looking into repeating 3 dots.

    Thank you again for this amazing guide!

  5. Hi,
    After upgrading sfr module from 5.4.1 to 6.0.0 with your help (thank you by the way) I open ASDM 7.6(1), but I’m facing with strange thing. ASDM launches good but after when I see HOME menu I can’t enter configuration mode it’s not pressable and ASDM can’t load configuration. I see just HOME menu of ASDM.
    Could you advice what should I do?
    Thanks in advance

  6. Hi,

    Could you help me to set the time in sfr module? We haven’t NTP servers in network and I want manually set the time or sync sfr time with the ASA time.

    • You can’t sync with the ASA, If you have a Cisco switch in the network you can set that up as a Time Server, (not supported on all models so check).

      Pete

  7. Hi Pete, thank you for your article!

    I tried to update my 5506-x with Cisco_Network_Sensor_Patch-6.1.0.1-53.sh, (sw version is 6.1.0-330) but install seems to be stuck, it says [73%] Running script 800_post/900_localize.sh…and it lasts for two days already. Any ideas why it is happens?

    Appreciate you help!

    • Hi, I’m assuming its still broken? If so, (and if you don’t have TAC support,) I’d download the IMG and PKG file and re-image it.

  8. Great article, Pete. You took so much of the anxiety out of upgrading our new 5516s. Thanks for writing up this article!

  9. Has anyone been able to get 6.1 running successfully on a 5506-x? I’ve tried two different 5506-x SFR modules using both the upgrade from the management center as well as ASDM, both failed the upgrade multiple times. Trying to run the above process with the 6.1 boot images also fails. TAC was useless and having to have the modules back up by Monday morning I ended up using the 6.0 boot image. 6.1 works fine on the 5515, but no luck for me on 5506.

  10. How can I upgrade on a 5585?
    This process works on the ‘baby ASA’s,’ i.e 5506-X and 5508-X, and also on the larger models i.e 5512-X upwards (but NOT the 5585-X, that has a hw-module not a sw-module).

    • The 5585-X has its FirePOWER on a completely separate ‘blade’ (hw-module) you reboot and image that like you would a firewall. See this article.

      Regards,

      Pete

  11. You might want to set the SSH timeout to 45 minutes before you do this, or it will keep logging you out while you are waiting!
    Where can ‘i Configure this option !!!

  12. I am making the process of reloading etc because the ASDM couldn’t contact the Firepower module (Error “Cannot connect to the ASA….etc, etc).
    I have the pkg file in the flash.
    The command “system install…” does not accept disk0:, it is waiting for a http ip address.
    How can I reinstall the software package from the Flash (without going to Cisco website)?

    Do I need to reinstall it or just with the “recovery boot” I will fix the problem?
    Thank you

    • The pkg file is usually over a Gigabyte, it wont fit in the flash, hence the need to use http.

      Pete

      • Ok, Pete.
        Thanks
        I deleted the PKG from the Flash and tried to install it from a FTP Server with the command >system install noconfirm ftp:/x.x.x./asasfr-sys-6.0.0-1005.pkg
        and after Verifying !!!! message it got
        111
        Upgrade aborted.

        I have already checked the MD5 Checksum numbers and I am using the same version for IMG and PKG
        I read in another article from you that yo got that issue and you solved it.
        I have tried with Solarwind TFTP and CoreFTP
        What did you do? What can I do?
        Thank you

        • I always use an http server, usually one it says Downloading > Verifying everything’s good!

          Pete

        • Hi Hector, did your issue resolved? I am having the same issue. Please post the procedure if you have completed it.

  13. Hello,
    I have just followed your instructions and have a working re-imaged SFR. Thank you so much,
    Cheers

  14. Thanks Pete. I was thinking mine was hosed since it kept sitting in recover with not much indication of life while installing the package file.

    Just left it overnight instead of worrying about it and it’s alive again. Cisco likes to set their time estimates on best case scenarios with these things it seems and if you are running a smaller device like a 5508X just plan on waiting forever and leave it in fail open.

  15. Hi Pete,

    Thank You for the article. After the system install, it showed extracting… and hung in there for several minutes, afterwards becoming unresponsive and staying like that without showing anything on console and not responding. What should I do?

    • Be patient, if it does not start after a while then re-download the .pkg file and re-image again.

      Pete

  16. I’m at the stage of trying to install the .pkg. As noted, it needs to be either http or ftp. Our servers sit on a different subnet and the sfr module does not have a route to it. I can ping the ASA from asafr-boot> but not the rest of the internal network. Access is established between the ASA and the rest of the internal network. The instructions I have for setting a static route only work after the system software has been installed. Is there a way to set a static route from the asafr-boot> CLI?

      • I have these. They do work when the sfr system software has been installed, but not when you’re trying to load the system software from within the sfr module. I’m at a asafr-boot> prompt, not the > prompt as shown in these documents. The configure command isn’t available and there is no option to get to a shell prompt either. There is a setup command for configuring basic IP information, a config command for setting NTP, and a system command for installing the .pkg file which installs the sourcefire system software into the module. I would think the work around is to place an FTP/HTTP server on the same subnet, but there should be a way to add a static route before loading the package file.

        • Well normally the SFR is on the same VLAN as the inside interface, and that’s its default gateway?

  17. Hi Pete, thanks for the great article. This will help me a lot when I re-image my firepower next week. I’m planning to re-image my 5516x with firepower module version 5.4.1 straight to 6.2.2 because there are too many steps in upgrade path. One thing I’m not sure is, I currently have a service policy that redirects all the traffic(match any) to firepower for inspection. Should I remove that rule before I start re-imaging or it doesn’t matter?

      • Thanks Pete. Sounds like I am going to have to place a web server on the switch connected to the ASA and on the same subnet. Doesn’t appear to be a way to add a route from the sfr boot image configuration unfortunately.

    • Hi Chuc, do you manage to re-image 5.4.1 straight to 6.2.2? I, my SFR is still in recovery mode for quite some time.

  18. thank you for the this article
    I was fighting with the firepower module
    setting it up fresh solved my problems

    many thanks from Germany

  19. Pete, you mention that this process is easier if using ASDM. We are able to access our module this way (ASA 5508-x w/ FP services). I’m relatively notice so my question is, will this reimage require a reboot of the entire device or just the module? Our ASA is in production (set to fail-open) but we just need to know whether to schedule an outage or if this can be done during working hours.

    • Updating from the ASDM only does minor updates, (unless you supply it with the files for a major update).
      Yes if set to fail-open you can do this during working hours, the SFR module runs independently of the firewall OS 🙂

      Pete

  20. How do I upgrade FirePOWER from version V6.2.0.2 to version V6.2.2.1 , they does not show up in ASDM but in FMC.

    So how do I do that with FMC, the Cisco community confused me that we have to upgrade the sensor as well?

  21. Although a couple of years old now – this article helped me considerably with a precarious upgrade of remote box. Easy to follow, accurate and funny

  22. Hi Pete,

    Great article, the best I have seen yet on this subject!

    Tomorrow evening i’ll be upgrading a firepower module running on ASA 5525-X (ASA with firepower services) and currently on 5.4.0-764. I would like to follow your re-image process (all CLI not ASDM) and get this directly to version 6.2.0.2-51, as I don’t fancy sitting through the 4/5 step upgrade path via FMC :-).

    I’m able to work with the firewall being completely offline, so don’t need to worry about downtime (this is actually a secondary firewall which has been offline for some time, and I’m trying to match the firepower version running on the primary firewall before re-introducing HA). Couple of questions I have would be;

    1. Roughly how long should this process take?
    2. I’ll need to use FTP instead of HTTP for .pkg file, any issues there?
    3. All licences (protect, control, malware, URL) are on the FMC, so I shouldn’t worry about losing any licencing as part of the module re-image process, right?
    4. Is there anything else I should be aware of, or should this “just work”?

    Any advice you can offer would be most appreciated. Thank you.

    • 1. 5525 has a bit more grunt so its a fair bit faster than the smaller/cheaper ones, even though I’d planning at least a couple of hours!
      2. FTP is fine you will need to supply the username and password though probably, (check the syntax, I never use FTP).
      3. Licensing is ‘off’ the firewall so you are good!
      4. It’s pretty straight forward it just takes a while 🙂

      • Thanks for your response Pete.

        I went ahead with the process at the weekend and it worked just fine. One thing I would add for anyone using FTP; don’t include the username and password within the ftp command, instead just use – system install noconfirm ftp://X.X.X.X/asasfr-sys-X.X.X.X.pkg, then you’ll be prompted for the ftp username and password thereafter (I used FileZilla as ftp source).

        The initial boot image took about 10 minutes, then the package took about 45 minutes. When complete, my module was running 6.2.0, at which point i registered it with the FMC, and applied patch 6.2.0.2-51, which took about 45 minutes as well.

        Thanks again for your help, much appreciated.

  23. I still can’t believe the 5585-X will only let you use TFTP to upgrade! There are USB ports on the front of it, you’d think they’d allow you to use those, or a more secure method, as corporate policies often don’t allow TFTP servers unless you jump through hoops!
    I guess it doesn’t help that the support doc is from 2015!

    Any hot tips?

    • The USB can be used to upgrade the ASA Code and the ASDM, but not the FirEPOWER module, which is a pain, you are stuck with ftp, http, and https. I have a website that I keep this stuff on, that I use for imaging FirePOWER modules, for this very reason.

      P

  24. Hi Pete, I am in the process of the performing system install on to the FP module but not sure if this is doing anything? when trying to access #session sfr console, it is saying that Module is in “Recover” state. Please try again later.
    Is this the image that it is downloading?

    Many thanks
    Regards
    Meera

    • It does take hours! did you enable debugging on the module, that’s what usually tells me if theres something happening, though even that will produce nothing for long periods of time!

      P

  25. Hi Team,

    I am trying the same method which is suggested. Currently, I am running ASA 5516-X. I already upload the SFR image in my ASA.
    when we mentioned recover SFR image. I want to know that my current ASA configuration will be deleted or it remains the same.
    Currently, my ASA is in production and I want to add a Firepower module on the Live production environment without downtime. Is any downtime is expected or not.

    • The asa config has nothing to do with the FirePOWER config, just make sure you don’t have fail-closed in the main ASA config for the SFR.

      P

  26. Hi Pete, i have asa 5506-X and i tried to install version same with you 6.4.0 file img and pkg. but i’ve been waiting for almost 22 hours since i installed, and sfr module still recover status.
    could you give me any suggestion for my case?

    sh module

    Mod Card Type Model Serial No.
    —- ——————————————– —————— ———–
    1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD22130CCC
    sfr Unknown N/A JAD22130CCC

    Mod MAC Address Range Hw Version Fw Version Sw Version
    —- ——————————— ———— ———— —————
    1 7872.5d00.e2f0 to 7872.5d00.e2f9 2.1 1.1.12 9.8(2)
    sfr 7872.5d00.e2ef to 7872.5d00.e2ef N/A N/A

    Mod SSM Application Name Status SSM Application Version
    —- —————————— —————- ————————–

    Mod Status Data Plane Status Compatibility
    —- —————— ——————— ————-
    1 Up Sys Not Applicable
    sfr Recover Not Applicable

    • Annoying isn’t it! give it another 12 hours, then repeat the re-imagine is it’s not complete. I know it’s terrible, but it’s all we have to work with 🙁

      • okay, i’ll be waiting for. and i’ll tell you later whatever the result. thanks for your respone..

  27. Hi Pete,

    Thanks for the awesome article, I have the following questions please:

    I have a pair of 5545X ASA firewalls in HA (active/standby)
    I have a separate pair of 5525X ASA firewalls in HA (active/standby)

    I am in the process of inserting SSDs in the above appliances so we can run FirePower. My questions are:

    If the SSD’s are installed, will that trigger a reboot?
    If there is a mismatch of FirePower versions, will this break the HA? so if i format the SSD and run the boot image and the package file on the standby first will the HA pair break cause Active will complain of mismatch?

    Or should i start the firepower upgrade on the active?

    Many Thanks
    Shah

    • >>If the SSD’s are installed, will that trigger a reboot? – No
      >>If there is a mismatch of FirePower versions, will this break the HA? so if i format the SSD and run the boot image – There will be an Error yes, hardware and software has to match
      >>Or should i start the firepower upgrade on the active?
      Personally Id do the standby, licence it, make it active, then repeat.

      Pete

  28. after the recovery, I am unable to console into the firewall, only the firepower module. Is there a way to make it to console into the firewall again and not the Firepower module?

    • I’ve written an article on how to exit the SFR if you’re stuck in it (search is top right)

      P

  29. Hi, I have 5515’s in active/standby which currently have ips module installed. I want to upgrade to firepower. I believe upgrading the module on the standby first will cause failover error on ha due to mismatch. My question is, will this prevent me from failing over using no failover active? Could I upgrade the module on active firewall after standby so hardware now matches and restore failover without any downtime?

    • Been a while, I used to upgrade the SBY then fail over – then upgrade the PRI and fail back – I cant remember ever having any problems?

  30. Hi
    I am facing a serious problem with sfr in ASA 5525.I want to reimage the module but after the command sw-module module sfr recover boot the status is still recovery after 10 hours waiting.when i try session sfr the output is the following
    “Opening command session with module sfr.
    Module sfr did not respond to session request.”

  31. Hiya, many years later and this is still relevant 🙂
    I’m looking to upgrade this ASA (and Firepower) that I inherited and am researching on how to do it right.
    This is one of the better articles. Thank you.

    We have two ASA’s in a failover pair, somebody tried to update FP through the FMC and one worked with the other failing. I’ve tried it all and the next step is to re-install FP.

    I found this article;
    https://community.cisco.com/t5/security-blogs/reimage-firepower-module-in-cisco-5500-x-firewall-models/ba-p/3760395

    Which suggests removing the module first.
    If we follow the method here, will I keep the Firepower settings, licenses etc?
    Or is this the same as removing it anyway? In which case, I’d add that step so I’m sure to have a clean install

    Thanks,
    H

    • This procedure will wipe and reinstall the SFR – if you have an FMC then the licences will stay there and you will need to re-add the firewalls (remember to update the FMC to the same major release as the updated SFR modules). Buy if the licences are held with the firewalls (managed by ASDM) then re-imaging the module will wipe the licence.

      • Thank you Pete.
        We use the FMC and not ASDM to manage Firepower so I think we’ll be good. I’ll dig out the licenses in any case as this place is very good at making drama out of any small error.

        Do you think I should remove the device form the FMC before starting?

        • You can remove it – either way an FMC cannot manage a SFR that has a newer version anyway 🙂

          • No probs. Thanks.
            I’ll be bringing the FP module up to the level of the FMC since the upgrade on this module failed (the other three worked fine).
            From there, I can upgrade them all in sync once again

  32. Hi Pete,

    I was able to successfully upgrade the SFR from 6.2.2-81 to 6.6.5-81. However, while doing post upgrade checks i noticed that i was unable to take the management access of the Firewall via ASDM. The error says “ASA did not get a response in the last 60 secs”. I tried it multiple times.
    I shutdown the module & was able to get the management of the FW. I am not able to find out the reason. FW model is a 5516-X.

Leave a Reply

Your email address will not be published. Required fields are marked *