Back at the beginning of the year I had to do a firewall design that included an ASA5585-X. I did some searching to find out how the ports were numbered but came up blank, so I took an (incorrect) educated guess.
I unboxed and fired one up today, ran through the port numbering and orientation, and discovered the correct numbering.
Solution
Note: This ASA5585-X also has a CX module fitted. The bottom ‘blade’ is the ASA firewall, and the one at the TOP is the CX module. With the CX module fitted, we have an extra eight gigabit Ethernet ports, and two more ten gigabit Ethernet ports.
Port Numbering
Every piece of documentation I found on upgrading CX SSP modules was for doing so on models other than the ASA5585-X. The (current) latest CLI guide says:
“For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.”
Yeah good luck finding that!
Solution
Before I saw the information above I tried to upgrade the CX module from the ASA; this is the error you get when you try:
[box]
PetesASA(config)# hw-module module 1 recover configure url tftp://10.0.41.100/asacx-5500x-boot-9.3.1.1-112.img
ERROR: Module in slot 1 does not support recovery
[/box]
Then I tried the update from within the CX module, and got the following error:
Note: If you have not already found out, the default username is admin and the default password is Admin123.
It turned out that was an error in 3CDaemon, which I use as an FTP server; once I fixed that, I was cooking on gas.
Upgrade the ASA 5585-X CX SSP Module
1. Connect to the CX module's console port, and you can view the version.
[box] Cisco ASA CX 9.1.2
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.
You can access the Web UI from your browser using the following URL(s):
https://192.168.8.8/
asacx login:
[/box]
2. The CX module starts with its default IP of 192.168.8.8. I need to change this, and I'll do that from the command line on the ASA like so.
[box] PetesASA(config)# session 1 do setup host ip 10.0.41.34/24,10.1.41.1
Syntax
session 1 do setup host ip {IP Address}/{Subnet Mask},{Default Gateway}
[/box]
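Before typing that command it is worth checking that the address and gateway actually belong together, because once the management IP changes a wrong gateway leaves the module unreachable. This is an added example (not code from the post): it builds the `session 1 do setup host ip` argument and rejects a gateway outside the management subnet; the helper names are assumptions, and the post's own `10.0.41.34/24,10.1.41.1` is used as one input, which the check flags because 10.1.41.1 is not inside 10.0.41.0/24.

```python
"""Added example, not from the original post: build the argument for
`session 1 do setup host ip {IP}/{mask},{gateway}` and sanity-check it
before typing it on the ASA.  Helper names are assumptions.
"""
import ipaddress
from typing import Optional


def build_setup_host_ip(ip: str, mask: str, gateway: str) -> str:
    """Return the full ASA command for re-addressing the CX management port.

    `mask` may be a prefix length ("24") or dotted ("255.255.255.0"); the
    command is emitted in the prefix form the post uses.  Raises ValueError
    when the host is the network/broadcast address or the gateway is not in
    the management subnet: after the change the module would be unreachable.
    """
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside management subnet {net}")
    if gw == iface.ip:
        raise ValueError("gateway and host address are identical")
    return f"session 1 do setup host ip {iface.ip}/{net.prefixlen},{gw}"


def check_setup_host_ip(ip: str, mask: str, gateway: str) -> Optional[str]:
    """Return the problem as text, or None when the combination is sane."""
    try:
        build_setup_host_ip(ip, mask, gateway)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed values in the same range the post uses.
    print(build_setup_host_ip("10.0.41.34", "255.255.255.0", "10.0.41.1"))
    # The post's own 10.0.41.34/24,10.1.41.1: 10.1.41.1 lies outside 10.0.41.0/24.
    print(check_setup_host_ip("10.0.41.34", "24", "10.1.41.1"))
```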
3. At this point make sure that Management port 1/0 on the CX module is connected to the network.
4. You can simply ping the new IP, or view it in the ASDM. (Note: here you can also view the CX software version).
5. Now that the CX module and your FTP server are on the same network, and you have downloaded the CX software from Cisco, you can perform the upgrade (from the console session on the CX module).
Note: Don't press any keys (unless asked to) while this is going on, or it has a habit of aborting!
[box]
NOTE: If this device is being managed by a PRSM server, you must also apply the same upgrade package to the PRSM server or you will not be able to deploy configurations from the PRSM server to this device.
Do you want to continue with upgrade? [y]:y
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process …[ 459.563380] kjournald starting. Commit interval 5 seconds
[ 459.648202] EXT3 FS on sde3, internal journal
[ 459.700274] EXT3-fs: mounted filesystem with ordered data mode.
Populating new system image
Copying over new application components
Cleaning up old application components
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system. {Enter}
Broadcast message from root (console) (Fri Oct 3 08:20:59 2014):
The system is going down for reboot NOW!
[/box]
6. Post reboot you can see the new version from the console connection.
[box] Cisco ASA CX 9.3.1.1
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg
If you require further assistance please contact us by sending email to
export@cisco.com.
You can access the Web UI from your browser using the following URL(s):
https://10.0.41.34/
https://[fe80::5af3:9cff:fe05:d2e4]/
asacx login:
[/box]
You can also check the version has updated from within the ASDM.
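Checking the version by eye is fine for one module; when several are being upgraded it helps to parse the console banner (or the `show version` line) and compare it with the release you installed. This is an added example, not code from the post: the regex and helper names are assumptions, and the banner strings it recognises are the "Cisco ASA CX ...", "Cisco ASA CX Platform ..." and "Cisco ASA CX Boot ..." lines that appear in this post's console output. It also catches the case where only the boot image is running, so the full package still has to be installed.

```python
"""Added example, not from the original post: confirm from the console banner
or `show version` text that the module came back on the release you installed.
The regex and helper names are assumptions, not Cisco's.
"""
import re
from typing import NamedTuple, Optional

# Matches "Cisco ASA CX 9.3.1.1", "Cisco ASA CX Platform 9.0.2 (103)" and
# "Cisco ASA CX Boot 9.3.2.1 (9)"; the build number in brackets is optional.
_VERSION_RE = re.compile(
    r"Cisco ASA CX(?: (?P<kind>Platform|Boot))?"
    r" (?P<ver>\d+(?:\.\d+)+)(?: \((?P<build>\d+)\))?"
)


class CxVersion(NamedTuple):
    kind: str              # "Platform" for the full image, "Boot" for the boot image
    release: tuple         # e.g. (9, 3, 1, 1); tuples compare numerically
    build: Optional[int]


def parse_cx_version(console_text: str) -> Optional[CxVersion]:
    """Pull the first CX version line out of console or show-version output."""
    m = _VERSION_RE.search(console_text)
    if not m:
        return None
    release = tuple(int(p) for p in m.group("ver").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return CxVersion(m.group("kind") or "Platform", release, build)


def upgrade_status(before: str, after: str, expected: str) -> str:
    """Classify the post-reboot state against the release we meant to install."""
    old, new = parse_cx_version(before), parse_cx_version(after)
    want = tuple(int(p) for p in expected.split("."))
    if new is None:
        return "unknown: no CX version line found after reboot"
    if new.kind == "Boot":
        return "boot image only: run setup and install the full package"
    if new.release == want:
        return "ok: running expected release"
    if old is not None and new.release == old.release:
        return "unchanged: upgrade did not apply"
    return "mismatch: running unexpected release"


if __name__ == "__main__":
    # Banner lines as printed on the console before and after the reboot above.
    print(upgrade_status("Cisco ASA CX 9.1.2", "Cisco ASA CX 9.3.1.1", "9.3.1.1"))
```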
The last time I had to do one of these the process was very straightforward: one command and the ASA got its new image from FTP, extracted it, and then installed it.
I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (it had probably been on the shelf a while!), and every time I tried to run a system upgrade it told me this (regardless of what version I tried to install):
[box]
This package is not applicable to release 9.0.2.
[/box]
If I tried to set a boot image in the ASA, I got the following errors:
[box] Module 1 cannot be recovered.
OR
ERROR: Module in slot 1 does not support recovery
[/box]
Well, there is a boot image especially for the 5585-X CX module, so how do you use it?
Solution
Remember that the ASA-SSP-CX unit is basically the same hardware as the ASA: you need to boot that card to ROMMON, then install the boot image via TFTP. Once that's loaded you can run setup and install the new software package.
1. As you can see, this one's running a very old OS.
[box] Petes-CX>show version
Cisco ASA CX Platform 9.0.2 (103)
Cisco Prime Security Manager 9.0.2 (103) for Petes-CX firewall
Petes-CX>
[/box]
2. Reload the module and, as it starts to boot, send a 'break' keystroke.
[box] Petes-CX>system reload
Are you sure you want to reload the system? [N]: y
Broadcast message from root (console) (Mon Jan 19 14:47:09 2015):
The system is going down for reboot NOW!
INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3862)
.
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
stopping Busybox inetd: inetd… stopped inetd (pid 3875)
done.
Stopping Vixie-cron.
Stopping ntpd: stopped process in pidfile ‘/var/run/ntp.pid’ (pid 3880)
done
Stopping syslogd/klogd: done
Deconfiguring network interfaces… done.
Stopping CGroup Rules Engine Daemon…stopped /usr/sbin/cgrulesengd (pid 3865)
Success
CGRE[3865]: Stopped CGroup Rules Engine Daemon at Mon Jan 19 14:47:13 2015
Stopping cgconfig service: Success
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Unmounting remote filesystems…
Deactivating swap…
Unmounting local filesystems…
umount2: Device or resource busy
——————————————
–Output Removed for the Sake of Brevity–
——————————————
The system is restarting…
CISCO SYSTEMS
Embedded BIOS Version 2.0(13)0 20:40:45 10/21/11
USB storage device found … SMART eUSB USB Device
Total memory : 12 GB
Total number of CPU cores : 8
CPLD revision 0008h
Cisco Systems ROMMON Version (2.0(13)0) #0: Fri Oct 21 20:01:34 CDT 2011
Use BREAK or ESC to interrupt boot.Use SPACE to begin boot immediately.Boot in 10 seconds.
Boot interrupted.
Management0/0
Link is UP
MAC Address: 6c20.5658.928c
Use ? for help.
rommon #0>
[/box]
3. Remember that in ROMMON mode you need to set up all the network settings to copy in the boot image (where 192.168.1.10 will be the CX, and .101 is the TFTP server).
Note: This is the BOOT image; it will have a .img file extension.
[box]
Cisco ASA CX Boot 9.3.2.1 (9)
Type ? for list of commands
Petes-CX-boot>
[/box]
WARNING: the following procedure will erase all the settings from your CX module.
6. Partition the CX module drive. (This takes a long time, a good time to put the kettle on!)
[box]
Petes-CX-boot>partition
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]:y
Logical volume “data” successfully removed
Logical volume “var” successfully removed
Logical volume “packages” successfully removed
——————————————
–Output Removed for the Sake of Brevity–
——————————————
Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Petes-CX-boot>
[/box]
7. Run the basic setup.
[box]
Petes-CX-boot>setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asacx]: Petes-CX
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.20
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.21
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.1.31,192.168.1.32
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Petes-CX
Management Interface Configuration
IPv4 Configuration:static
IP Address:192.168.1.10
Netmask:255.255.255.0
Gateway:192.168.1.1
IPv6 Configuration:Stateless autoconfiguration
DNS Configuration:
Domain:petenetlive.com
Search:
petenetlive.com
DNS Server:
192.168.1.20
192.168.1.21
NTP configuration:
192.168.1.31,192.168.1.32
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…
Petes-CX-boot>
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading..
Starting upgrade process ..
Populating new system image..
Copying over new application components..
Cleaning up old application components..
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.