Re-image ASA SFR Module

edledge Cisco logo

Scenario:
Device: ASA
Model: Cisco ASA 5508-X, 5506-X, 5506W-X
Topic: Re-image ASA SFR Module Requirement
TFTP: To upload the image file to the ASA
FTP:  To upload the package file to the sensor one image is installed.

Step1: Get the appropriate File to re-image the SFR Module. If you go to the Cisco Software download page you will get a few files which are
.img
.pkg
.tar
.sh
We need two files at the starting to re-image the Module
.img – Image file of basic SFR file
.pkg – Package file to install a module in the image

Step2:- Download the File from Cisco Software File Center
Download .img and .pkg files and save it in local laptop/storage.

Step3:- Check Module Status

edledge-asa# sh module

Mod  Card Type                                    Model           Serial No.

---- -------------------------------------------- ------------------ --

1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508         JAD12345678

sfr FirePOWER Services Software Module           ASA5508        JAD12345678

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version

---- --------------------------------- ------------ ------------ -------

1 f4db.3738.3738 to f4db.3738.3738 3.2          1.1.13       9.13(1)10

sfr f4db.3738.3738 to f4db.3738.3738 N/A          N/A          6.0.0-1005


Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- -------------------

sfr ASA FirePOWER                  Up               6.0.0-1005

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

1 Up Sys             Not Applicable

sfr Up                 Up

Step4:- Push the file to ASA using TFTP or FTP

edledge-asa# copy tftp flash:
Address or name of remote host [10.1.7.51]? Enter
Source filename [./]? asasfr-5500x-boot-6.4.0-1.img
Destination filename [asasfr-5500x-boot-6.4.0-1.img]? Enter
Accessing tftp://10.1.7.51/asasfr-5500x-boot-6.4.0-1.img;int=Maintenance
!!!!!!!!!..!!!!!!!.!!!!.!!!!!...!!!!!!!!!!!!!!

Before moving to the next step “Ensure that traffic to Firepower is stopped during upgrade else it could cause issues.

Step5:- Put the following commands

edledge-asa(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
edledge-asa(config)# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it.This may
take several minutes.

Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.

Step6:- (Optional) If you want to see the steps what is going on after those two command executed above then use this command

edledge-asa(config)# debug module-boot

You will get the output of the debug output.

Step7:- If you check the module here it will be in “Recover” state

edledge-asa# sh module
Mod  Card Type                            Model            Serial No.
---- -------------------------------------------- ------------------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508          JAD12345678
sfr FirePOWER Services Software Module           ASA5508        JAD12345678

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.3738 to f4db.3738.3738 3.2          1.1.13      9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A          N/A      6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER                  Up               6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
sfr Recover          Not Applicable

Wait for 10-15 minutes here and then log in to the SFR module.

Login to SFR module to do the basic setting using the default username and password of the SFR module and you could reset or change the SFR module password anytime

Step8:- Access SFR module and setup the basic requirement to push the pakage file to the module. Since the Module is now re-imaged it will have default username and password [username – admin , Password – Admin123]

edledge-asa# session sfr console
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5508 v6.4.0 (build 102)
firepower login: admin
Password:

Cisco FirePOWER Services Boot 6.4.0 (102)
Type ? for list of commands

asasfr-boot>setup
 
 
Welcome to Cisco FirePOWER Services Setup
 [hit Ctrl-C to abort]
Default values are inside []
 
Enter a hostname [asasfr]: edledge-firepower
Do you want to configure IPv4 address on
management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6
address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: edledge.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: edledge.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 10.1.1.10,10.0.1.1.20
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
 
CAUTION:
You have selected IPv6 stateless autoconfiguration, which
assigns a global address based on network prefix and a device identifier.
Although this address is unlikely to change, if it does change,
the system will stop functioning correctly.We suggest you
use static addressing instead.
 
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}

The module has been installed and now we need to install the software package to the module

Please note only FTP would allow you to push the package file, TFTP does not work here.

Also, ensure to increase the SSH timeout time else you will be disconnected and need to log in again.

Step9:- Now it is time to push the package file to the sfr module.

 

asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
Verifying.    ..
Downloading.    ..
Extracting.    ..
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Now once the image is pushed and installed wait for SFR module to be “UP” from “Recover” state.

Step10:- Check the module state and wait till the time the module is moved from “Recover” state to “UP“.

edledge-asa# sh module

Mod  Card Type                                    Model            Serial No.
---- -------------------------------------------- ------------------ ---
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508          JAD12345678
sfr FirePOWER Services Software Module           ASA5508        JAD12345678

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.3738 to f4db.3738.3738 3.2          1.1.13       9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER                  Up               6.0.0-1005
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1 Up Sys             Not Applicable
sfr Recover          Not Applicable

Wait for about 30 minutes and check the SFR module again, hopefully it will be in “UP” state now {if not please keep waiting till the time SFR module is shwoing as UP}

edledge-asa# sh module

Mod  Card Type                                    Model           Serial No.

---- -------------------------------------------- ------------------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508           JAD12345678

sfr FirePOWER Services Software Module           ASA5508         JAD12345678


Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ------
1 f4db.3738.3738 to f4db.3738.3738 3.2          1.1.13       9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A          N/A          6.4.0-102


Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER                  Up               6.4.0-102

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1 Up Sys             Not Applicable
sfr Up                 Up

Step11:- Once SFR module shows up then login {using default username and password} to SFR module and put the same details again we put in step 6

edledge-asa# session sfr  console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5508 v6.4.0 (build 102)
firepower login: admin
Password:
Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco ASA5508 v6.4.0 (build 102)

You must accept the EULA to continue.
Press <ENTER> to display the EULA: [ENTER]
End User License Agreement

{Please go slow here else ssh connection will get disconnected then
you will have to login again
}

Please enter 'YES' or press  to AGREE to the EULA:  YES
System initialization in progress.  Please stand by. 

You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254

Enter a fully qualified hostname for this system [firepower]:Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []:192.168.1.10
Enter a comma-separated list of search domains or 'none'[example.net]: edledge.com

If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Creating default Identity Policy.
Creating default SSL Policy.
Update policy deployment information 
- add device configuration 
- add network discovery
- add system policy 
- add access control policy
- applying access control policy

You can register the sensor to a Firepower Management
Center and use the Firepower Management Center to manage
it. Note that registering the sensor to a Firepower
Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management
Center, a unique alphanumeric registration key is always
required.  In most cases, to registera sensor to a
Firepower Management Center, you must provide the
hostname or the IP address along with the registration
key.
'configure manager add [hostname | ip address ] [registration key ]'


However, if the sensor and the Firepower Management
Center are separated by aNAT device, you must enter
a unique NAT ID, along with the unique
registrationkey.'configure manager add
DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower
Management Center, you must use the same registration
key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.

> exit
Remote card closed command session.
Press any key to continue.
Command session with module sfr terminated.

Step12:- Finally check and ensure ASA is able to ping to SFR module management IP 

edledge-asa# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms 
edledge-asa# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211  

7149 bytes copied in 0.350 secs[OK] 

edledge-asa#

Source: Cisco, Lab, Knowledge Base

EA00017

One thought on “Re-image ASA SFR Module

Leave a Reply

Your email address will not be published.