Updating FirePOWER Module (From ASDM)

KB ID 0001348 

Problem

Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls, set them up, and walk away, so it’s easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer who has an ASA5508-X but wasn’t using his FirePOWER. I’d installed the controller licence when I set it up originally (as a safeguard in case the licence got lost, which nearly always happens!). The firewall was pretty much up to date, but the SFR was running 5.4.0 (at the time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it. This takes a LOOOOOOOONG TIME! (4-6 hours per upgrade), and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself (assuming you set the SFR to Fail Open).

FirePOWER Fail Open

Solution

First task is to find out what the latest version is; at the time of writing that’s 6.2.2. Open the release notes for that version and locate the upgrade path, it looks like this;

ASA FirePower Upgrade Path

Well that’s a lot of upgrades! You may notice that there are some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated; in the example above one of my steps is the 6.0.1 pre-installation package, which was nowhere to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh. (DON’T email me asking for updates; you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, log in to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

ASA FirePower Update Via ASDM

Upload your update (this can take a while).

ASA FirePower Update Via Image

When uploaded > Select your update > Install (if the install needs a reboot, accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

Apply FirePower Update to Cisco ASA

You can follow progress (to a point) from the task information popup. Once the SFR module goes down you won’t see anything apart from an error, unless your version is 6.1.0 or newer (which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Apply FirePower Upgrade to Cisco ASA

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

debug module-boot

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

FirePOWER Upgrading

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

FirePOWER View Update Task

If you are currently running 6.1.0 or above you get this, which is a little better.

FirePOWER Upgrade Task Progress 6.2.0

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

FirePOWER Upgrade Task Progress Web Portal

Back at the firewall, if you issue a ‘show module’ command during the upgrade it looks like the module is broken! This will stay the same for a few hours!

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
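Rather than watching the ‘show module’ output by eye for hours, a monitoring script can poll it over SSH and parse it. The example below is an added example (not part of the original post or any Cisco tool): it splits the fixed-width tables of the output shown above and reports the sfr module’s software version, status and data plane status, so a poller can tell “still Unresponsive” from “back Up on the new version”. The sample output is constructed from (and abbreviated to the two relevant tables of) the before/after output in the post.

```python
import re

# Constructed sample, abbreviated from the post's two 'show module' outputs: sfr mid-upgrade, then back Up.
DURING = """\
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable
"""
AFTER = DURING.replace("6.0.0-1005", "6.0.1-29").replace(
    " sfr Unresponsive       Not Applicable", " sfr Up" + " " * 17 + "Up")

def parse_show_module(text):
    """Split 'show module' output into its fixed-width tables: [{mod: {column: value}}]."""
    tables = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[1].lstrip().startswith("----"):
            continue  # not a header / dash-rule / rows table
        header, rule, rows = lines[0], lines[1], lines[2:]
        # Runs of dashes give the column boundaries; the last column runs to end of line.
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", rule)]
        spans[-1] = (spans[-1][0], None)
        names = [header[s:e].strip() for s, e in spans]
        table = {}
        for row in rows:
            cells = [row[s:e].strip() for s, e in spans]  # short rows give "" for missing columns
            table[cells[0]] = dict(zip(names[1:], cells[1:]))
        tables.append(table)
    return tables

def sfr_state(text):
    """Return (sw_version, status, data_plane_status) for the sfr module."""
    version = status = data_plane = None
    for table in parse_show_module(text):
        row = table.get("sfr", {})
        version = row.get("Sw Version", version)
        if "Data Plane Status" in row:
            status, data_plane = row["Status"], row["Data Plane Status"]
    return version, status, data_plane

def upgrade_finished(text, target_version):
    """True once sfr reports Up with an Up data plane and is on the target version."""
    version, status, data_plane = sfr_state(text)
    return status == "Up" and data_plane == "Up" and str(version).startswith(target_version)
```

Feed it the raw output of ‘show module’ captured over SSH; the Compatibility column, which the ASA leaves blank, parses as an empty string rather than breaking the row.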

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


5 Comments

  1. Hi Pete, thank you for your posts, very helpful

  2. Thanks Pete, I found your post after I followed the same process; if I had read the post first, it would have saved much worrying.

  3. I’m at 5.5 hours+ and wanted to help ease some folks’ anxiety while their ASAs are performing these updates. You can SSH into the sfr module via the IP configured. Once there, issue the “expert” command. This will open shell access. What worked for me was to issue the commands ‘cd /var/log/sf’ followed by ‘tail -f update.status’ (you can also tail -f from anywhere with the full path) and this will show you progress. I was stuck on an update of prior patches for about 2.5 hours. She’s clicking along now. Thank you for being amazing Pete!

    • Hi Chris, thanks for the feedback – hope it all went well!
