The specified module ‘MSOnline’ was not loaded.

KB ID 0001637

Problem

I was trying to do some Azure PowerShell this morning; I executed a Connect-MsolService command and got the following;

The term ‘Connect-MsolService’ is not recognized as the name of a cmdlet, function, script file, or operable program.

A quick Google for that turned up ‘You need to run the Import-Module MSOnline command’, but doing that simply gave me;

[box]

PS C:\Users> Import-Module MSOnline
Import-Module : The specified module 'MSOnline' was not loaded because no valid module file was found in any module
directory.
At line:1 char:1
+ Import-Module MSOnline
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSOnline:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

[/box]

Solution

Before you can run Import-Module MSOnline, you need to run Install-Module MSOnline (you may need to answer ‘Y’ to proceed).

Then, run Import-Module MSOnline and you are good to go!

Related Articles, References, Credits, or External Links

NA

Cisco Error ‘%PHY-4-SFP_NOT_SUPPORTED’

KB ID 0001347 

Problem

This is another question I see getting asked a lot in forums!

You see something like the following;

[box]

000032: *Sep 28 09:35:32.507 UTC: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi3/0/50 is not supported (PNL-3750-Stack)
000033: *Sep 28 09:35:32.507 UTC: %PM-4-ERR_DISABLE: gbic-invalid error detected  on Gi3/0/50, putting Gi3/0/50 in err-disable state (PNL-3750-Stack)

[/box]

The usual response is ‘Enable unsupported SFPs’, and while that sometimes is the answer, it’s not always the answer!
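As an added example (not part of the original article), the following Python parses IOS syslog lines like the two above and pairs a %PHY-4-SFP_NOT_SUPPORTED message with the %PM-4-ERR_DISABLE message for the same port, so a log pipeline can flag the interface and the err-disable cause rather than someone spotting it on the console. The sample lines are constructed from the ones shown above, and the regexes assume the standard IOS message layout.

```python
import re
from typing import Dict, List, Optional

# Cisco IOS syslog layout: [seq:] [*]timestamp: %FACILITY-SEVERITY-MNEMONIC: text [(hostname)]
# A leading '*' on the timestamp means the switch clock is not authoritative (no NTP sync).
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<unsynced>\*)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*?)"
    r"(?:\s+\((?P<host>[^()]+)\))?\s*$"
)
# Short and long IOS interface names, e.g. Gi3/0/50, Te1/1/1, GigabitEthernet1/0/1
INTERFACE_RE = re.compile(
    r"\b(?:Gi|Te|Fa|Fo|Eth|GigabitEthernet|TenGigabitEthernet|FastEthernet)\d+(?:/\d+)*\b"
)
# %PM-4-ERR_DISABLE text: "<cause> error detected on <if>, putting <if> in err-disable state"
CAUSE_RE = re.compile(r"^(?P<cause>[\w-]+) error detected\s+on\s+")

# Constructed sample: the two lines from the article plus an unrelated err-disable on another port.
SAMPLE_LOG = [
    "000032: *Sep 28 09:35:32.507 UTC: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi3/0/50 is not supported (PNL-3750-Stack)",
    "000033: *Sep 28 09:35:32.507 UTC: %PM-4-ERR_DISABLE: gbic-invalid error detected  on Gi3/0/50, putting Gi3/0/50 in err-disable state (PNL-3750-Stack)",
    "000034: *Sep 28 09:40:01.120 UTC: %PM-4-ERR_DISABLE: bpduguard error detected on Gi3/0/12, putting Gi3/0/12 in err-disable state (PNL-3750-Stack)",
    "000035: *Sep 28 09:41:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (PNL-3750-Stack)",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one IOS syslog line into its fields, or return None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["severity"] = int(m.group("severity"))
    rec["unsynced"] = m.group("unsynced") is not None
    iface = INTERFACE_RE.search(m.group("text"))
    rec["interface"] = iface.group(0) if iface else None
    return rec


def correlate(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per interface that has an SFP_NOT_SUPPORTED and/or ERR_DISABLE message."""
    findings: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["interface"] is None:
            continue
        key = (rec["facility"], rec["mnemonic"])
        if key not in (("PHY", "SFP_NOT_SUPPORTED"), ("PM", "ERR_DISABLE")):
            continue
        f = findings.setdefault(str(rec["interface"]), {
            "interface": rec["interface"], "host": rec["host"],
            "sfp_not_supported": False, "errdisable_cause": None,
        })
        if key == ("PHY", "SFP_NOT_SUPPORTED"):
            f["sfp_not_supported"] = True
        else:
            cause = CAUSE_RE.match(str(rec["text"]))
            f["errdisable_cause"] = cause.group("cause") if cause else "unknown"
    return list(findings.values())


def needs_transceiver_check(finding: Dict[str, object]) -> bool:
    """True when the port went down for the reason this article covers (an SFP the switch
    will not accept), rather than some other err-disable cause such as bpduguard."""
    return bool(finding["sfp_not_supported"]) or finding["errdisable_cause"] == "gbic-invalid"


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["host"], f["interface"], f["errdisable_cause"],
              "check transceiver/slot" if needs_transceiver_check(f) else "other err-disable cause")
```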

 

Solution

1. Firstly, check the modules and the switches. Are you trying to plug a 10GB SFP+ into a slot that only supports SFP? (That includes plugging a twinax cable into an old switch!) In your ‘show run’ you should see TenGigabitEthernet interfaces (if you are using SFP+ modules). Some switches with network modules list the same interface twice (once as 10GB interfaces and once as 1GB interfaces); I’ve blogged about that before, see THIS ARTICLE. To confuse things even further, the four-interface versions are grouped as two pairs, with each pair consisting of one SFP slot and one SFP+ slot.

2. Make sure your cable is NOT a CAB-SFP-50CM, (unless you are connecting a 3560 to ANOTHER 3560).

3. Are you using a 2960-S? If so, you may need to update the IOS to use SFP+ (assuming your model supports SFP+; not all 2960-S models do).

4. Are you plugging into a Nexus switch with a 1GB connection? If so check the other end for the following error;

Description: Gi1/1/15: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.

If so, you may need to manually set the speed on the 5K to 1000 (it won’t auto-sense).

5. Is it a non-Cisco branded SFP? If so, it may still work (but you will get no joy if you log a TAC call) with the following commands;

[box]

Petes-SW(config)#service internal
Petes-SW(config)#no errdisable detect cause gbic-invalid
Petes-SW(config)#service unsupported-transceiver

[/box]

If you are still in doubt, check the Compatibility Matrix.

Related Articles, References, Credits, or External Links

NA

Cisco Firepower Services – Change IP and DNS Addresses

KB ID 0001173 

Problem

If you change your internal LAN addresses it’s easy to re-IP the firewall, but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it.

 

Solution

Change the FirePOWER Module IP Address

Log into the firewall, then open a session with the SFR module, and find the physical interface of the module’s management port (usually eth0, but check);

[box]

Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr  7 08:11:00 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>

[/box]

To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;

[box]

> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.

[/box]

You can check it’s worked with a ‘show interfaces’ command.

[box]

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------

>

[/box]

Or you can use the ‘show interfaces {interface-name}‘ command.

[box]

> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
RX Packets                : 261
RX Errors                 : 0
RX Drops                  : 0
RX Overruns               : 0
RX Frame                  : 0
TX Packets                : 214
TX Errors                 : 0
TX Drops                  : 0
TX Overruns               : 0
TX Carrier                : 0
Collisions                : 0
----------------------------------------------------


[/box]
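As an added example (not part of the original article), this Python parses the module’s ‘show interfaces’ output, finds the management interface the way the article says to (Type is Management, usually eth0), and confirms that the address you set with ‘configure network ipv4 manual’ is the one the module now reports, including that the broadcast address agrees with the mask you gave. The sample output is constructed from the listing above.

```python
import ipaddress
import re
from typing import Dict, Optional

SECTION_RE = re.compile(r"^-+\[ (?P<name>[^\]]+) \]-+$")   # e.g. ----[ eth0 ]----
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")   # "Key   : Value"

# Constructed sample in the layout shown above, after the change to .99.
SAMPLE = """\
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
---------------------[ tunl0 ]----------------------
----------------------------------------------------
"""


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface_name: {field: value}}. Sections start at the bracketed dash
    lines; fields are 'Key : Value' lines; a bare dash line ends the listing."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = interfaces.setdefault(sec.group("name").strip(), {})
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group("key").strip()] = kv.group("value").strip()
    return interfaces


def management_interface(interfaces: Dict[str, Dict[str, str]]) -> Optional[str]:
    """'Usually eth0, but check': pick the section whose Type is Management."""
    for name, fields in interfaces.items():
        if fields.get("Type") == "Management":
            return name
    return None


def verify_management_ipv4(text: str, expected_ip: str, expected_mask: str) -> Dict[str, object]:
    """Check the management interface reports expected_ip and, where the per-interface
    view shows one, a broadcast address consistent with expected_mask."""
    interfaces = parse_show_interfaces(text)
    name = management_interface(interfaces)
    if name is None:
        return {"ok": False, "interface": None, "ipv4": None, "reason": "no Management interface found"}
    fields = interfaces[name]
    actual_ip = fields.get("IPv4 Address")
    result: Dict[str, object] = {"ok": actual_ip == expected_ip, "interface": name,
                                 "ipv4": actual_ip, "reason": None}
    if not result["ok"]:
        result["reason"] = f"expected {expected_ip}, module reports {actual_ip}"
        return result
    broadcast = fields.get("IPv4 Broadcast")
    if broadcast:
        net = ipaddress.IPv4Network(f"{expected_ip}/{expected_mask}", strict=False)
        if broadcast != str(net.broadcast_address):
            result["ok"] = False
            result["reason"] = f"broadcast {broadcast} does not match mask {expected_mask}"
    return result


if __name__ == "__main__":
    print(verify_management_ipv4(SAMPLE, "192.168.1.99", "255.255.255.0"))
```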

Change the FirePOWER Module DNS Addresses

This is a little more convoluted. There is a command to do this (Note: you can enter multiple servers separated by commas);

[box]

> configure network dns servers 8.8.8.8,8.8.4.4

[/box]

But you also need to restart the nscd daemon in the underlying Linux; to do that you need to get into ‘expert mode’.

[box]

> expert

admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart

Password:{Enter Your Password}

Stopping nscd…                                                     [  OK  ]

Starting nscd…                                                       [  OK  ]

admin@PETES-SFR:~$

[/box]

Related Articles, References, Credits, or External Links

Cisco FirePOWER – Adding a Static Route

Re-Image and Update the Cisco FirePOWER Services Module

KB ID 0001164

Problem

This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember, if you have the FirePOWER module set to ‘fail-closed’ you will lose internet access, so you might want to change that to ‘fail-open’ as well.)

The process is a LOT EASIER to do in the ASDM. I’m not usually an advocate of the GUI, but if you can access the FirePOWER settings that way, it will do all the hard work for you (see below).

See Updating FirePOWER Module (From ASDM)

Note: This ASDM upgrade will fail if the module is being managed by the FirePOWER Management Center (FireSIGHT); you can update it from there, or remove the peer association and then update it.

Normally I only have to do this if something’s gone wrong and I can’t contact the module, or I’ve got a lot of them to do and I don’t have direct management access. This process works on the ‘baby ASAs’, i.e. 5506-X and 5508-X, and also on the larger models, i.e. 5512-X upwards (but NOT the 5585-X, which has a hw-module, not a sw-module).

Solution

Before you start you need three things;

  • A Boot Image file (i.e. asasfr-5500x-boot-6.0.0-1005.img) – download from Cisco.
  • A Firepower Software Package (i.e. asasfr-sys-6.0.0-1005.pkg) this is a BIG file (over a Gigabyte) – download from Cisco.
  • A Web Server (or FTP server) setup, with the files above available for ‘download’ into the FirePOWER module. Note: If using Microsoft IIS you need to add .img and .pkg as downloadable MIME types or it won’t work.

Connect to the firewall via the command line, check that the module is ‘Up’, and take a note of the current software version;

[box]

Petes-ASA(config)# show module 

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  UP	        5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr UP Sys           Not Applicable        
Petes-ASA(config)# 

[/box]

Download the boot image from your web server into the ‘flash’ memory of the parent firewall.

[box]

Petes-ASA(config)# copy http flash

Address or name of remote host []? 10.3.0.84

Source filename []? asasfr-5500x-boot-6.3.0-3.img

Destination filename [asasfr-5500x-boot-6.0.0-1005.img]? {Enter}

Accessing http://10.3.0.84/asasfr-5500x-boot-6.3.0-3.img...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asasfr-5500x-boot-6.3.0-3.img...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
41848832 bytes copied in 5.20 secs (8369766 bytes/sec)

[/box]

Then set that file as the boot image for the Sourcefire module, and tell the module to perform a ‘recovery boot’.

[box]

Petes-ASA(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
Petes-ASA(config)# sw-module module sfr recover boot

Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.

Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.

[/box]

Now it looks like nothing is happening, but the SFR module will restart with the recovery/boot image. You can see a little of what’s going on if you issue a debug command on the module;

[box]

Petes-ASA(config)# debug module-boot 
debug module-boot  enabled at level 1

IF YOU LOOK AT THE MODULES STATUS IT WILL SAY 'RECOVER'

Petes-ASA(config)# show module 

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr Recover           Not Applicable        


SAMPLE DEBUG OUTPUT

Mod-sfr 657> *** EVENT: Disk Image created successfully.
Mod-sfr 658> *** TIME: 07:05:36 GMT/BST Mar 1 2016
Mod-sfr 659> ***
Mod-sfr 660> ***
Mod-sfr 661> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0
Mod-sfr 662> /asasfr-5500x-boot-6.4.0-1.img, Num CPUs: 3, RAM: 2266MB, Mgmt MAC: 00:F2:8B:FB
Mod-sfr 663> :FB:C7, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio,
Mod-sfr 664>  De
Mod-sfr 665> ***

<—Output Removed for the Sake of Brevity—>


Mod-sfr 50> Starting Advanced Configuration and Power Interface daemon: acpid.
Mod-sfr 51> acpid: starting up with proc fs
Mod-sfr 52> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 53> starting Busybox inetd: inetd... done.
Mod-sfr 54> Starting ntpd: done
Mod-sfr 55> Starting syslogd/klogd: done

[/box]

This would be a good time to go and get a coffee. It doesn’t take that long; the documentation at Cisco says 5 minutes, I’d wait at least 10! You then need to log in to the SFR module and give it a basic config;

[box]

Petes-ASA(config)# session sfr console 
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


Cisco FirePOWER Services Boot Image 6.4.0

asasfr login: admin
Password: Admin123


Cisco FirePOWER Services Boot 6.4.0 (1)
Type ? for list of commands
asasfr-boot>setup


Welcome to Cisco FirePOWER Services Setup 
 [hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asasfr]: Firepower-Module
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118 
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:


Hostname:Firepower-Module
Management Interface Configuration

IPv4 Configuration:static
IP Address:192.168.1.253
Netmask:255.255.25.0
Gateway:192.168.1.254

IPv6 Configuration:Stateless autoconfiguration

DNS Configuration:
Domain:petenetlive.com
Search:petenetlive.com
DNS Server:10.3.0.2

NTP configuration: 194.35.252.7  130.88.202.49   93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}

[/box]

Now you can install the software package on the SFR module. Note: the URL has TWO forward slashes in it, not one (Cisco, update your documentation!)

UPDATE: (Thanks to Eli Davis) To avoid having to wait to confirm the following step, use the ‘noconfirm’ keyword, i.e. “system install noconfirm http://10.3.0.84/asasfr-sys-6.0.0-1005.pkg”.

WARNING: You might want to set the SSH timeout to 45 minutes before you do this, or it will keep logging you out while you are waiting!

[box]

asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
   
Verifying.    .. 
Downloading.    ..   
Extracting.    ..  
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes 

Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

<——Output Removed for the Sake of Brevity——>


Mod-sfr 61>  login: [ 2498.828291] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 G
Mod-sfr 62> B/3.00 GiB)
Mod-sfr 63> [ 2498.832675] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 64> [ 2498.835298] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't
Mod-sfr 65>  support DPO or FUA

Mod-sfr 808> ************ Attention *********
Mod-sfr 809>    Initializing the configuration database.  Depending on available
Mod-sfr 810>    system resources (CPU, memory, and disk), this may take 30 minutes 
Mod-sfr 811>    or more to complete.
Mod-sfr 812> ************ Attention *********
Mod-sfr 813> Executing S10database
Console session with module sfr terminated.

[/box]

This may take 30 minutes! I waited 45, then drove 8 miles home, reconnected, and it was still going (it’s a lot faster on the larger firewalls). Just keep an eye on the status; it will change from Recover to Up when it’s complete;

[box]

Petes-ASA(config)#show module         

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr Unknown                                      N/A                JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr Recover            Not Applicable        


WAIT AGES UNTIL...

Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1  1.1          1.1.8        9.5(2)2
 sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.4.0-102

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Now you need to connect to the SFR and configure it (yes, again).

[box]

Petes-ASA# session sfr 
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


Cisco ASA5506 v6.0.0 (build 1005)

firepower login: admin
Password: Admin123
Last login: Tue Mar  1 10:08:16 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 102)
Cisco ASA5506 v6.0.0 (build 1005)

Last login: Tue Mar  1 10:01:01 UTC 2016 on cron
Last login: Tue Mar  1 10:08:16 UTC 2016 on pts/0
You must accept the EULA to continue.
Press <ENTER> to display the EULA: {Enter}
END USER LICENSE AGREEMENT

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY.  IT IS VERY
IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT
FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT
(COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE

--Output Removed for the Sake of Brevity - Press Space Bar (A LOT!)--

Please enter 'YES' or press <ENTER> to AGREE to the EULA:  YES

System initialization in progress.  Please stand by.  
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254
Enter a fully qualified hostname for this system [firepower]: Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []: 192.168.1.10
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com
If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Creating default Identity Policy.
Creating default SSL Policy.

Update policy deployment information
    - add device configuration
    - add network discovery
    - add system policy
    - add access control policy
    - applying access control policy

You can register the sensor to a Firepower Management Center and use the 
Firepower Management Center to manage it. Note that registering the sensor 
to a Firepower Management Center disables on-sensor Firepower Services 
management capabilities.

When registering the sensor to a Firepower Management Center, a unique 
alphanumeric registration key is always required.  In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or 
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must 
use the same registration key and, if necessary, the same NAT ID when you add 
this sensor to the Firepower Management Center.
> exit
Remote card closed command session. Press any key to continue.
 Command session with module sfr terminated.

Petes-ASA# 

[/box]

Back at the firewall prompt, make sure you can ping it (you did put a cable in the management interface, didn’t you?)

[box]

Petes-ASA# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Petes-ASA# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211 

7149 bytes copied in 0.350 secs
[OK]

Petes-ASA# 

[/box]

Now you can manage the FirePOWER Services console from the ASDM, or add it onto the FirePOWER Management Center (FireSIGHT).

 

Related Articles, References, Credits, or External Links

Thanks to Eli Davis for the feedback.

Cisco SFR Session – Cannot Exit To Command Line

Deploy Cisco FirePOWER Management Center (Appliance)

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

KB ID 0000642 

Problem

I upgraded a client’s firewall and CSC software a couple of weeks ago, and ever since, “some” users saw the following errors;

Error 0x800CCC0F

Task ‘{email address} – Sending’ reports error (0x800CCC0F): #The connection to the server was interrupted. If the problem continues, contact your server administrator or Internet service provider (ISP).’

Eventually it would time out altogether with the following error,

Error 0x800CCC0B

Task ‘{email address} – Sending’ reported error (0x800CCC0B): ‘Unknown Error 0x800CCC0B’

Solution

All I could discern from Googling the error was that the AV (in this case the Trend Micro InterScan for Cisco CSC SSM, running in the Cisco CSC module) was probably the culprit.

I tried stopping the POP3 service on the CSC; that did NOT fix the error.

I confirmed that the CSC module was the root cause of the problem by disabling the entire module with the following command on the Cisco ASA firewall;

[box]hw-module module 1 shutdown[/box]

Warning: If you do this, your CSC settings must be set to “csc fail-open” or web and email traffic will stop! Once you have confirmed this IS the problem, you can re-enable the module with the following command;

[box]hw-module module 1 reset[/box]

I tried from my office and it worked fine; I could not replicate the error. I tried from various servers and Citrix boxes at other clients who kindly let me test from their networks. Still I could not replicate the error! I went home, and that was the first time I could see the same error their users were seeing. Sadly this led me on a wild goose chase (I use Outlook 2007 at home and Outlook 2010 everywhere else, so I (wrongly) assumed that was the problem).

Breakthrough!

As I could now replicate the error, I could at least do some testing. I attempted a send/receive and looked at the CSC logging.

Note: To view CSC Logging, connect to the ASDM > Monitoring > Logging > Trend Micro Content Security > Continue > Enter the password > OK > View.

Every time it failed, I saw my public IP being logged with RejectWithErrorCode-550 and RBL-Fail,QIL-NA. At last, something I could work with.

This error indicates a problem with the Email Reputation system. I logged into the CSC web management console and located this.

Then I disabled the ‘SMTP Anti-spam (Email Reputation)’, and everything started to work.

Conclusion

I understand the need for this system, but the nature of POP3 email clients dictates that they can connect in from anywhere, usually from a home ISP account on a DHCP address. I know from experience that major ISPs’ IP ranges get put in RBL block lists (I checked by popping my IP in here, and sure enough it was blocked).

If you are going to use POP3, then you need to leave this system disabled; but to be honest, if you have Exchange, simply swap over to Outlook Anywhere and stop using POP3.

Related Articles, References, Credits, or External Links

Special thanks to Jenny Ames for her patience while I fought with this over a number of days.

Cisco CSC – Upgrade the Operating System

KB ID 0000807 

Problem

Upgrading the operating system on the CSC module is pretty straightforward; as long as you have a valid support agreement for your hardware and a CCO account, you can download the updates straight from Cisco (here).

Solution

WARNING: It’s rare that you can update straight to the latest version; by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.

WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed; you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.

You can do this via the command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension, NOT the .bin extension).

Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go and have a coffee; it will take a while.

Upgrading CSC Modules in a Failover Pair

If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.

1. Just for ease I’m showing both the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall; here I’m upgrading 6.3.1172.0 to 6.3.1172.4.

2. Now I take the same module to 6.6.1125.0.

3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.

Check module status with;

[box]
show module 1 detail
[/box]

To force failover, on the Primary Active firewall;

[box]

configure terminal
no failover active

[/box]

4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over; the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.

5. Now we can see both modules are running the latest (at time of writing) product version.

6. Now to fail back, simply issue the following command on the Secondary Active firewall;

[box]

configure terminal
no failover active

[/box]

7. You can also check the versions match with the following command;

[box]
show failover
[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5585-X Port Numbering

KB ID 0001004 

Problem

Back at the beginning of the year I had to do a firewall design that included an ASA5585-X. I did some searching to find out how the ports were numbered but came up blank, so I took an (incorrect) educated guess.

I unboxed and fired one up today, ran through the port numbering and orientation, and discovered the correct numbering.

Solution

Note: This ASA5585-X also has a CX module fitted. The bottom ‘blade’ is the ASA firewall, and the one at the TOP is the CX module. With the CX module fitted, we have an extra eight gigabit Ethernet ports, and two more ten gigabit Ethernet ports.

Port Numbering


Related Articles, References, Credits, or External Links

NA

 

Cisco ASA 5500-X Restart the FirePOWER Service Module

KB ID 0001101 

Problem

I’ve only just recently started to work with these; the advantage of them is they are great for SOHO and SMB, and they don’t need additional SSD drives installing.

Note: This procedure also works on the larger ASA5500-X firewalls that have FirePOWER installed on an internal SSD drive (i.e. 5512, 5515, 5525, 5545 etc.).

While getting them to work with a Sourcefire appliance, I had to ‘bounce’ the module a few times.

Note: The following procedure will not affect traffic flowing through the firewall unless you have your SFR module set to ‘fail-closed’.

Solution

1. First things first, check the status of the module;

[box]

Petes-ASA> enable
Password: *******
Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD1912XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD1912XXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2a99.dfbe to a46c.2a99.eeee  1.0          1.1.1        9.3(2)2
 sfr a46c.2a99.dfbd to a46c.2a99.ffff  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]

2. To reload the module issue the following command;

[box]

Petes-ASA# sw-module module sfr reload

Reload module sfr? [confirm] {Enter}
Reload issued for module sfr.
Petes-ASA#

[/box]

3. It usually only takes a couple of minutes, but you can use the show module command to keep an eye on it;

[box]

Petes-ASA# show module
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Reload             Not Applicable
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Init             Not Applicable


-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]
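Both the re-image earlier on this page and the reload above come down to watching ‘show module’ until the sfr line reads Up/Up. As an added example (not part of the original article), this Python parses that output and polls it for you; the two samples are constructed from the tables shown above, and fetch() is assumed to be a caller-supplied function that returns fresh ‘show module’ text (for instance read over SSH).

```python
import re
import time
from typing import Callable, Dict, Optional

# Constructed samples in the layout the ASA prints (the MAC-address table is omitted).
SHOW_MODULE_RECOVER = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr Unknown                                      N/A                JAD200XXXXX

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Recover            Not Applicable
"""

SHOW_MODULE_UP = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200XXXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD200XXXXX

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.4.0-102

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
"""

FIELD_SEP = re.compile(r"\s{2,}")      # columns are separated by two or more spaces
DASHES = re.compile(r"^-[- ]*-$")      # the underline row beneath each table header

Row = Dict[str, Optional[str]]


def parse_show_module(text: str) -> Dict[str, Row]:
    """Return {module_id: {column: value}} with every table merged per module.
    A table is a 'Mod ...' header, a dash line, then one row per module up to a
    blank line; the module id is the first token of each row."""
    modules: Dict[str, Row] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("Mod") and i + 1 < len(lines) and DASHES.match(lines[i + 1].rstrip()):
            headers = FIELD_SEP.split(lines[i].strip())[1:]            # drop the 'Mod' column
            if headers and headers[0].startswith("SSM Application"):    # two tables have a 'Status' column
                headers = [h if h != "Status" else "SSM Application Status" for h in headers]
            i += 2
            while i < len(lines) and lines[i].strip():
                mod_id, _, rest = lines[i].strip().partition(" ")
                values = FIELD_SEP.split(rest.strip()) if rest.strip() else []
                # A trailing empty column (Compatibility is usually blank) comes out as None.
                row: Row = {h: (values[n] if n < len(values) else None) for n, h in enumerate(headers)}
                modules.setdefault(mod_id, {}).update(row)
                i += 1
        else:
            i += 1
    return modules


def sfr_state(text: str) -> Row:
    sfr = parse_show_module(text).get("sfr", {})
    return {"status": sfr.get("Status"), "data_plane": sfr.get("Data Plane Status"),
            "app_status": sfr.get("SSM Application Status"),
            "version": sfr.get("SSM Application Version")}


def module_is_up(text: str) -> bool:
    """The finishing condition from the article: Status 'Up' and Data Plane Status 'Up'."""
    state = sfr_state(text)
    return state["status"] == "Up" and state["data_plane"] == "Up"


def wait_for_module(fetch: Callable[[], str], timeout_s: float = 3600.0, interval_s: float = 30.0,
                    sleep: Callable[[float], None] = time.sleep) -> Optional[Row]:
    """Poll fetch() (assumed: a caller-supplied function returning fresh 'show module'
    text, e.g. read over SSH) until the sfr module is Up/Up; returns None on timeout."""
    waited = 0.0
    while True:
        text = fetch()
        if module_is_up(text):
            return sfr_state(text)
        if waited >= timeout_s:
            return None
        sleep(interval_s)
        waited += interval_s


if __name__ == "__main__":
    print(sfr_state(SHOW_MODULE_RECOVER))
    print(sfr_state(SHOW_MODULE_UP))
```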

 

Related Articles, References, Credits, or External Links

NA