Last Updated: Saturday, 23 September 2023, 17:12 Hrs GMT
Scenario:
Device: ASA
Model: Cisco ASA 5508-X, 5506-X, 5506W-X
TFTP: To upload the image file to the ASA
FTP: To upload the package file to the sensor once the image is installed.
Description: In this article, we will discuss a detailed stepwise method of how to reimage or update the SFR Module image of Cisco ASA.
Step1: File
Get the appropriate files to re-image the SFR module. The Cisco Software download page lists several file types:
.img
.pkg
.tar
.sh
Only two of these files are needed to start re-imaging the module:
.img – Basic SFR image file
.pkg – Package file to install on the module once the image is in place
Step2: Download the File
Download the .img and .pkg files using the link provided below and save them to your local laptop/storage.
Cisco Software File Center
Step3: Module Status
Check the SFR module status by using the command
edledge-asa# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ --
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD12345678
sfr FirePOWER Services Software Module ASA5508 JAD12345678
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.3738 to f4db.3738.3738 3.2 1.1.13 9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER Up 6.0.0-1005
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
Re-imaging the Module
Step4: Transfer File
Transfer the file using TFTP, following the steps shown below. Sometimes the copy fails with a “Timeout Error” and/or an “Unspecified Error”; follow the linked articles to resolve such issues.
edledge-asa# copy tftp flash:
Address or name of remote host [10.1.7.51]? Enter
Source filename [./]? asasfr-5500x-boot-6.4.0-1.img
Destination filename [asasfr-5500x-boot-6.4.0-1.img]? Enter
Accessing tftp://10.1.7.51/asasfr-5500x-boot-6.4.0-1.img;int=Maintenance
!!!!!!!!!..!!!!!!!.!!!!.!!!!!...!!!!!!!!!!!!!!
Before moving to the next step, ensure that traffic to Firepower is stopped during the upgrade, otherwise it could cause issues.
Step5: Commands
Run the following commands to recover the SFR module
edledge-asa(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
edledge-asa(config)# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it.This may
take several minutes.
Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.
Step6: Debug [Optional]
If you want to watch what happens after the two commands above are executed, use this command
edledge-asa(config)# debug module-boot
The debug output of the module boot is then printed to the session.
Step7: Confirm Module Status
If you check the module now, it will be in the “Recover” state
edledge-asa# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD12345678
sfr FirePOWER Services Software Module ASA5508 JAD12345678
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.3738 to f4db.3738.3738 3.2 1.1.13 9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER Up 6.0.0-1005
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
Wait for 10-15 minutes here and then log in to the SFR module.
Log in with the default username and password of the SFR module to do the basic settings; you can reset or change the SFR module password at any time.
Step8: Login SFR
Once the SFR module is showing up, log in to it and set up the basic requirements for pushing the package file to the module. Since the module is now re-imaged, you can log in using the Cisco SFR Module default username and password.
edledge-asa# session sfr console
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5508 v6.4.0 (build 102)
firepower login: admin
Password:
Cisco FirePOWER Services Boot 6.4.0 (102)
Type ? for list of commands
asasfr-boot>setup
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: edledge-firepower
Do you want to configure IPv4 address on
management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6
address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: edledge.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: edledge.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 10.1.1.10,10.0.1.1.20
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
CAUTION:
You have selected IPv6 stateless autoconfiguration, which
assigns a global address based on network prefix and a device identifier.
Although this address is unlikely to change, if it does change,
the system will stop functioning correctly.We suggest you
use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}
The module image has been installed, and now we need to install the software package on the module.
Please note that only FTP would allow you to push the package file; TFTP does not work here.
Also, be sure to increase the SSH timeout, else you will be disconnected and need to log in again.
Step9: Package File
Now it’s time to push the package file to the SFR module. Use FTP to push the file. Refer to the article How To Enable & Setup FTP Server on Windows 10 Machines
asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
Verifying. ..
Downloading. ..
Extracting. ..
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Once the package is pushed and installed, wait for the SFR module to move from the “Recover” state to “UP”.
Step10: Module State
Check the module state and wait until the module has moved from the “Recover” state to “UP”.
edledge-asa# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ ---
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD12345678
sfr FirePOWER Services Software Module ASA5508 JAD12345678
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ -------
1 f4db.3738.3738 to f4db.3738.3738 3.2 1.1.13 9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER Up 6.0.0-1005
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
Wait for about 30 minutes and check the SFR module again; hopefully it will be in the “UP” state now {if not, please keep waiting until the SFR module is showing as UP}
edledge-asa# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD12345678
sfr FirePOWER Services Software Module ASA5508 JAD12345678
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ------
1 f4db.3738.3738 to f4db.3738.3738 3.2 1.1.13 9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A N/A 6.4.0-102
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- -------------------
sfr ASA FirePOWER Up 6.4.0-102
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
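The Step 7 and Step 10 outputs show why the SSM Application row alone is not a reliable completion signal: it reports Up 6.0.0-1005 while the module status row still says Recover. As an added example (not part of the original article or any Cisco tooling), this Python parser reads captured sh module text and reports completion only when the module and data plane are Up on the target version. The function names are hypothetical, and it assumes a one-word sfr status and an empty Compatibility column, as in the outputs above.

```python
# Sample rows copied from the article's first Step 10 output (still recovering).
SAMPLE = """\
Mod MAC Address Range Hw Version Fw Version Sw Version
1 f4db.3738.3738 to f4db.3738.3738 3.2 1.1.13 9.13(1)10
sfr f4db.3738.3738 to f4db.3738.3738 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
sfr ASA FirePOWER Up 6.0.0-1005
Mod Status Data Plane Status Compatibility
1 Up Sys Not Applicable
sfr Recover Not Applicable
"""

def parse_sfr(show_module: str) -> dict:
    """Extract the sfr rows from 'show module' output, table by table."""
    info, table = {}, None
    for line in show_module.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Mod":            # header row: note which table follows
            if "MAC" in tokens:
                table = "versions"
            elif "SSM" in tokens:
                table = "app"
            elif "Plane" in tokens:
                table = "status"
            else:
                table = None              # Card Type table is not needed
            continue
        if tokens[0] != "sfr" or table is None:
            continue                      # separators and rows for other modules
        if table == "versions":
            info["sw_version"] = tokens[-1]
        elif table == "app":
            info["app_status"], info["app_version"] = tokens[-2], tokens[-1]
        else:
            # Assumption: sfr status is one word; the rest is the data plane status.
            info["status"] = tokens[1]
            info["data_plane"] = " ".join(tokens[2:])
    return info

def reimage_complete(show_module: str, target_version: str) -> bool:
    """True only when module and data plane are Up on the target version."""
    sfr = parse_sfr(show_module)
    return (sfr.get("status") == "Up" and sfr.get("data_plane") == "Up"
            and sfr.get("sw_version") == target_version
            and sfr.get("app_version") == target_version)
```

Calling reimage_complete(SAMPLE, "6.4.0-102") returns False for the mid-recovery capture even though its application row says Up.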
Configuration after Upgrade
Step11: Login & Setup [Same as step8]
Log in to the module using the Cisco SFR Module default username and password and run the setup.
edledge-asa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5508 v6.4.0 (build 102)
firepower login: admin
Password:
Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.4.0 (build 2)
Cisco ASA5508 v6.4.0 (build 102)
You must accept the EULA to continue.
Press <ENTER> to display the EULA: [ENTER]
End User License Agreement
{Please go slow here else ssh connection will get disconnected then
you will have to login again}
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: edledge.com
Confirm new password: edledge.com
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254
Enter a fully qualified hostname for this system [firepower]:Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []:192.168.1.10
Enter a comma-separated list of search domains or 'none'[example.net]: edledge.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Creating default Identity Policy.
Creating default SSL Policy.
Update policy deployment information
- add device configuration
- add network discovery
- add system policy
- add access control policy
- applying access control policy
You can register the sensor to a Firepower Management
Center and use the Firepower Management Center to manage
it. Note that registering the sensor to a Firepower
Management Center disables on-sensor Firepower Services
management capabilities.
When registering the sensor to a Firepower Management
Center, a unique alphanumeric registration key is always
required. In most cases, to register a sensor to a
Firepower Management Center, you must provide the
hostname or the IP address along with the registration
key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Firepower Management
Center are separated by a NAT device, you must enter
a unique NAT ID, along with the unique
registration key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Firepower
Management Center, you must use the same registration
key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
> exit
Remote card closed command session.
Press any key to continue.
Command session with module sfr terminated.
Confirmation
Step12: Confirmation
Finally, check that the ASA is able to ping the SFR module management IP, then save the configuration
edledge-asa# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
edledge-asa# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211
7149 bytes copied in 0.350 secs[OK]
edledge-asa#
Source: Cisco, Lab, Knowledge Base
EA00017