topic Re: No enable command ASA 5508-x in Network Security

No enable command ASA 5508-x

mawg64 — Fri, 21 Feb 2020 14:21:27 GMT

I got a new 5508-x at work. Out of the box went through the defaults via wizard, changing the internal and management ip (already in use somewhere else). Rebooted as instructed, everything looked good. The prompt I get is a > symbol but I'm not in a normal access prompt, no enable command, no access to standard commands, config, etc. I can look at thing but cant change anything I need to like a no shut, config etc. I can get to a bash shell even tried a reboot once sudo'd via linux. Running back through the wizard, not an option. Reset button, nope. No option to start over, defintely no "do-over" option. I can see the status of the interfaces, not via normal "sho ip int br", using the provided show network command. They are all shutdown. Just a nice blinky ">". Suggestions?

Re: No enable command ASA 5508-x

Francesco Molino — Sun, 24 Sep 2017 19:44:49 GMT

Hi

Did you tried doing login command at the prompt and type your credentials (user/password) to access the enable privilege 15 mode ?

Thanks

Re: No enable command ASA 5508-x

Karsten Iwen — Sun, 24 Sep 2017 21:02:26 GMT

Based on your sayings, I would assume that you are running an FTD image where the CLI is quite different to a traditional ASA. Is there any output for "show version" or can you show what is given by typing the question-mark?

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 01:53:07 GMT

I do have to login with username and password.

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 01:56:08 GMT

I can get a menu of options with the ?. If I'm not mistaken I can get a show version option. Not at work right now to check, but I'm reasonably sure of that, since it was how I also got to see the interfaces/network.

Re: No enable command ASA 5508-x

Francesco Molino — Mon, 25 Sep 2017 01:57:24 GMT

Yeah send the output of show version.
Like Karsten said, your certainly running ftd image and you don't have three save cli commands as you have with asa

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 02:00:34 GMT

Ok I'll ASAP Monday morning.

Thanks

Re: No enable command ASA 5508-x

Marvin Rhoads — Mon, 25 Sep 2017 10:49:00 GMT

Your ASA definitely has the Firepower Threat Defense (FTD) image. FTD does not allow configuration via the cli apart from the minimal bits required to setup management access. Thus there is no enable command.

You need to use either Firepower Device Manager (FDM = on-box GUI) or Firepower Management Center (FMC = remote management server). FDM can be accessed by browsing via https to the configured managment address.

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 12:19:12 GMT

I would do that if the interfaces were not in a no shut state. If there is a
way to do that via the FTD or linux I would have no problem. Part of
problem is there is **bleep** little documentation.

Re: No enable command ASA 5508-x

Marvin Rhoads — Mon, 25 Sep 2017 13:08:04 GMT

You manage an FTD device via the physical management interface (for FMC) or via inside or managemnt (for FDM).

The following quick start guide may be useful:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5508X/ftd-fdm-5508x-qsg.html

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 13:05:28 GMT

I have tried that, using both the default ip and the one I set it to. Which is what it displays using "show network" command. Unfortunately, between windows and the ASA someone is telling my laptop that there is no cable plugged in.

Re: No enable command ASA 5508-x

Marvin Rhoads — Mon, 25 Sep 2017 13:08:37 GMT

When you plug into Management 1/1 do you get link light?

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 13:12:56 GMT

No link light.

Re: No enable command ASA 5508-x

Marvin Rhoads — Mon, 25 Sep 2017 14:48:50 GMT

That's odd. I've done a dozen or so FTD configurations and have never seen a new one where the management interface wasn't enabled.

If "show network" indicates br1 is enabled and yet you have no link light you may have faulty hardware.

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 15:08:19 GMT

LOL....if you only knew how many times I've heard..."thats odd...". yeah in the running config the interfaces are all shutdown and no ips. The output of "show network" has an IPv4 Default route gateway ip, br1 has no ip, IPv4 has been manually configured and shows the network. I can get to the FTD menu and look at all sorts of things I cant change. Isnt there a way to drop out of FTD into a good old CLI? If not I'm going to have to figure out how to wipe the thing and start all over to rule out hardware. From what I've seen and tried (reset button doesnt do anything) so far that is going to be an extra bit of joy.

Re: No enable command ASA 5508-x

Marvin Rhoads — Mon, 25 Sep 2017 15:17:29 GMT

You can drop into what Cisco calls the Lina cli from FTD by using the command "system support diagnostic-cli" and see the underlying configuration equivalent to the classic ASA bits of code.

There is an enable mode but no config mode in that cli though as you cannot change anything from there.

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 18:46:47 GMT

I have dropped into lina with no more control than before. I was watching a reboot of the system and it did have link lights. I opened to connection in MS and I was only getting data sent the was no data recieved. Once the ASA was up the lights went dead. I think its time to google "How to reset it the hard way".

Re: No enable command ASA 5508-x

mawg64 — Mon, 25 Sep 2017 18:48:01 GMT

Re: No enable command ASA 5508-x

mawg64 — Fri, 29 Sep 2017 01:06:30 GMT

If for some reason you end up like me and something isnt quite right with you new ASA 5508-x with FTD and you need to get back to the begininning. I finally found some help and answers on the very bottom under "Uncommon Management Tasks". Then there was a little bit of extra to finish it up. I hope this helps some one and may you never have to use it.

Procedure

Use an SSH or CLI in to the box.

Step 1 > expert

at the bash prompt sudo and set the time, date and timezone.

Step 2 Delete any managers.

> configure manager delete

If you enabled any feature licenses, you must disable them in

Firepower Device Manager before deleting the local manager.

Otherwise, those licenses remain assigned to the device in Cisco

Smart Software Manager.

Do you want to continue[yes/no] yes

Deleting task list

Manager successfully deleted.

Step 3 > show managers

No managers configured.

Step 4 > Configure manager local

Step 5 > show managers

Managed locally.

Step 6 Set your system to get a DHCP ip

You can now use a web browser to open the Firepower Management Center

By clearing the configuration, you will be prompted to complete the device setup wizard.

If you still cant log into the web interface

Step 1 > show network

You should have the default DHCP addresses in the Gateway and for IPv4, or at least in the subnet.

If not then reset everything to DHCP

Step 2 > configure network ipv4 and/or ipv6 dhcp

This may take some time to run. Once this is done your management computer should get a DHCP ip.

The addresses in the Gateway and for IPv4 should go back to DHCP.

Check you system to make sure it got a DHCP address.

If not, set it to DHCP

Once everything is DHCP give it a minute to shuffle and arp. It took me 5 mins before I could log into the web portal. I was gettin ready to start all over again. And then like magic it all worked.

LAST THING TO DO!

One at a time, write you configs on each device and reboot after writing. Patientce is a virtue. It takes

about 5 mins to get back to a normal state and talking to each other.