firepower configuration missing on 5506

yangsonggui — Tue, 12 Mar 2019 08:12:02 GMT

The FirePower configuration button is not visible in ASDM.

laptop connect to switch, configure the IP address: 10.55.5.202, ping 10.55.5.201 is okay, ASDM login with management IP(10.55.5.201) is OK. but cannot find Firepower configuration button.

the firewall mode is transparent.

ASA Version 9.6(1)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet1/1
nameif outside
bridge-group 1
security-level 100
!
interface GigabitEthernet1/2
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.55.5.201 255.255.0.0
!
interface BVI1
ip address 192.168.1.205 255.255.255.0
!
ftp mode passive
access-list inside-to-outside extended permit ip any any
access-list outside_access_in extended permit ip host 192.168.1.189 192.168.1.0 255.255.255.0
access-list outside_mpc extended permit ip host 192.168.1.189 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside-to-outside out interface outside
route management 0.0.0.0 0.0.0.0 10.55.5.241 1
route outside 0.0.0.0 0.0.0.0 192.168.1.175 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.0.0.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy

username cisco123 password 3USUcOPFUiMCO4Jk encrypted privilege 15

!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map outside-policy
class outside-class
inspect netbios
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:525fd9bed6e62a005c45cf4d64ddd39c
: end
ciscoasa#

ciscoasa# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JADxxxxxxx

sfr FirePOWER Services Software Module ASA5506 JADxxxxxxx

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 002a.104b.57e6 to 002a.104b.57ef 1.1 1.1.8 9.6(1)
sfr 002a.104b.57e5 to 002a.104b.57e5 N/A N/A 5.4.1-211

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up

ciscoasa#

ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)

Compiled on Fri 18-Mar-16 14:04 PDT by builders
System image file is "disk0:/asa961-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 5 hours 8 mins

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 002a.104b.57e7, irq 255
2: Ext: GigabitEthernet1/2 : address is 002a.104b.57e8, irq 255
3: Ext: GigabitEthernet1/3 : address is 002a.104b.57e9, irq 255
4: Ext: GigabitEthernet1/4 : address is 002a.104b.57ea, irq 255
5: Ext: GigabitEthernet1/5 : address is 002a.104b.57eb, irq 255
6: Ext: GigabitEthernet1/6 : address is 002a.104b.57ec, irq 255
7: Ext: GigabitEthernet1/7 : address is 002a.104b.57ed, irq 255
8: Ext: GigabitEthernet1/8 : address is 002a.104b.57ee, irq 255
9: Int: Internal-Data1/1 : address is 002a.104b.57e6, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 002a.104b.57e6, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total UC Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5506 Security Plus license.

Serial Number: JADxxxxxxx
Running Permanent Activation Key:
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by cisco at 00:50:54.329 UTC Mon Aug 29 2016
ciscoasa#
ciscoasa#

Have you sessioned into the

Marvin Rhoads — Mon, 29 Aug 2016 13:53:02 GMT

Have you sessioned into the sfr module and accepted the EULA?

not yes, is it the necessary

yangsonggui — Tue, 30 Aug 2016 01:05:47 GMT

not yet, is it the necessary step?

do you think the sfr ip address is correct or not in my case? it should be 192.168.1.xxx or 10.55.5.xxx? and what is the gateway ip address?

You shouldn't have to accept

Marvin Rhoads — Tue, 30 Aug 2016 01:22:20 GMT

You shouldn't have to accept the EULA to reach the module.

Re-reading your post, did you set BOTH the ASA managment and FirePOWER module address to 10.55.5.201? They need to be different addresses in that /16. Think of the FirePOWER module like a VM on the same ESXi host as the ASA software. Each has it's own distinct IP configuration and address.

The FirePOWER module gateway should be the core switch at 10.255.5.202.

thanks so much!

yangsonggui — Tue, 30 Aug 2016 01:36:42 GMT

thanks so much!

as my understanding now, i should login ASDM, use the setup wizard, change the FirePOWER module ip address to 10.55.5.202/16 and correct gateway address, then logout ASDM and re-login, the FirePOWER module configuration button should be found in ASDM, right?

Well close - you said your

Marvin Rhoads — Tue, 30 Aug 2016 01:41:15 GMT

Well close - you said your core switch is .202 and the ASA management interface is .201.

The FirePOWER module needs to be a third unique address in that /16 subnet.

When you launch ASDM it pulls up information from the FirePOWER module (same that you could do from cli with "show module sfr detail") and uses that information to populate the FirePOWER module Home, Configuration and Monitoring sections within ASDM.

Okay, totally understand.

yangsonggui — Tue, 30 Aug 2016 01:48:01 GMT

Okay, totally understand. actually .202 isn't the gateway address. I know we need an unique address for FirePOWER module. thanks for clarifying!

I will try to troubleshooting next week maybe(due to the new schedule). will let you know the latest update, much appreciate!

topic Well close - you said your in Network Security

firepower configuration missing on 5506

Have you sessioned into the

not yes, is it the necessary

You shouldn't have to accept

thanks so much!

Well close - you said your

Okay, totally understand.