Cisco FPR – Re-image from FTD to ASA Code

KB ID 0001766

Problem

Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code (in this example a Cisco FPR 1010).

Why would you want to do this? Well, to be frank, FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) you needed to go to Cisco TAC and try to get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.

You might also want to do this because (at time of writing) the UK lead times for buying a Cisco FPR device running ASA code are eye-wateringly long (200-300 days!). But you can buy a chassis running FTD code and then convert that to ASA code with the following procedure.

Solution

Connect to your FPR device with a console cable, and log on as admin (the default password is Admin123, unless you have changed it of course!). Download the latest version of ASA code for your device from Cisco; in my case (at time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: the drive needs to be formatted with FAT32; the firewall will not recognise or mount the drive unless it is!). Finally insert the USB drive into the firewall, and issue the following commands.
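Before the drive goes anywhere near the firewall it is worth checking the two things that cause the download-task to fail: a drive that is not FAT32 and an image whose hash does not match the one Cisco publishes. This is an added pre-flight script, not part of the original article or any Cisco tool; it assumes a Linux host with findmnt and sha512sum (or shasum), and the SHA-512 value you pass in is a placeholder for the one shown on the Cisco download page.

```shell
#!/bin/sh
# Pre-flight checks before copying an ASA SPA image to the USB drive for an FPR re-image.
# Added example, not from the original article. Assumes a Linux host with findmnt and
# sha512sum (or shasum); the hash passed to preflight is the SHA-512 from Cisco's download page.

# The FPR only mounts FAT32 drives; these are the type names findmnt/blkid report for it.
fs_is_fat32() {
    case "$1" in
        vfat|fat32|FAT32|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# Filesystem type of whatever is mounted at the given path (e.g. /media/usb).
usb_fs_type() {
    findmnt -no FSTYPE --target "$1"
}

# The FPR 1000 series ASA package is named cisco-asa-fp1k.<version>.SPA; rejecting
# anything else stops an FTD package (cisco-ftd-fp1k...) being copied by mistake.
image_name_ok() {
    case "$(basename "$1")" in
        cisco-asa-fp1k.*.SPA) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the image's SHA-512 with the published one. A mismatch means a corrupt or
# tampered download, which the firewall would later reject with "Failed signature validation".
image_hash_ok() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Run every check: preflight <image> <expected-sha512> <usb-mount-point>
preflight() {
    image_name_ok "$1" || { echo "unexpected image name: $1" >&2; return 1; }
    image_hash_ok "$1" "$2" || { echo "SHA-512 mismatch, re-download the image" >&2; return 1; }
    fs_is_fat32 "$(usb_fs_type "$3")" || { echo "$3 is not FAT32, reformat the drive" >&2; return 1; }
    echo "OK: copy $1 to $3 and insert the drive in the firewall"
}

# Usage: sh preflight.sh cisco-asa-fp1k.9.14.3.15.SPA <sha512-from-cisco-download-page> /media/usb
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```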

FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloading

% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.

Note: If it says ‘failed. Download failure – USB drive is not mounted’ the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation’, then the image is probably corrupt; try again, or use a different version.

Verify the file has downloaded correctly.

show download-task

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp1k.9.14.3.15.SPA
              Usb A                             0                 Downloaded

Then make sure the package is listed with a show package command.

FTD-1 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA                   9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA                  9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA                   6.6.0-90

Note: You can see (above) there’s an ASA code version from a previous install, and it also shows the currently running FTD code. To re-image the firewall execute the following commands. (Note: you enter the VERSION NOT THE FILENAME!)

FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15

The system is currently installed with security software package 6.6.0-90, which has:
   - The platform version: 2.8.1.105
   - The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
   - upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes {Enter}

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes {Enter}

Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #

Now go and have a coffee; it will take 20 minutes, and a few reboots, before it’s finished. When completed you should see a login prompt; log in with admin/Admin123 and reset the password.

firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.

Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.

firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c

You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).

Remember, if you’re a ‘light weight’ and can’t use the command line, then you will need to install and configure the ASDM 🙂

Related Articles, References, Credits, or External Links

Reimage Cisco 1010 ASA to FTD

Convert ASA 5500-X To FirePOWER Threat Defence

Author: PeteLong


8 Comments

  1. On FPR 2100 boxes if you use a f/w ver earlier than 9.13 the box will run in ‘platform mode’ – where the interfaces are managed in FXOS and everything else in ASA code – and if it runs in platform mode it will forever, regardless of what later f/w ver you u/g to. So best to avoid f/w earlier than 9.13 on these boxes! To get off a platform mode FPR ASA you have to migrate from ASA > FTD code and then migrate again from FTD > ASA code using a f/w ver of 9.13 or later – the box then runs in appliance mode where it boots to ASA code (no connect needed) and everything is managed in ASA code. Oh, and for lightweights the ASDM bin is included in the SPA package 🙂

    One other potential gotcha – if the box was originally an FTD part number it may not have ASA licences associated with it. These boxes use Cisco’s smart lic’ing and for ASA use you need to have a FPR 2100 standard ASA lic in your smart account for your converted box to use. Smart lic’ing is a royal pita 🙁

    • Do you have a write up on how you flipped the unit to run the ASA code? Any time I try to flip the native file for any released version of the unit I run across this issue:

      Cisco Bug: CSCvo78563
      DOC ENH: 2100 reimage procedure needs revision

      install security-pack version cisco-ftd-fp2k.6.6.7-223.SPA force

      Invalid software pack
      Please contact technical support for help

  2. Thank you so much!! Could you please make a KB procedure to upload the image using tftp and scp? I was trying to upload the image using tftp but it is failing after 50% transfer…

    • Hi
      It’s sooo much easier to do by USB, but the tftp procedure remains the same as it’s ever been: “copy tftp flash”. Look for ‘setup a TFTP server’ in the search bar above.

      • Yes, planning to do it using USB, Thank you for quick reply.

  3. Hi Pete,

    Do you maybe have any experience with NTP server settings on FXOS being updated to the ASA image?
    After I installed the ASA image on FTD and set up the time servers on FXOS they are not synced to the ASA (the ASA does not have the possibility to set up NTP when it is ASA on FTD – in classic ASA it is possible)

    thanks for any advice!
    Tony

    • Sorry Tony – I’ll throw it open for comment though..
