topic thanks again Marvin. i am in Network Security

Installing Firepower on redundant ASA 5512x pair

The Learned — Sun, 10 Mar 2019 13:31:42 GMT

Hi, I am trying to install firepower on redundant asa5512x pair that are configured in active/standby mode. these asas have an IPS module installed. I need to remove the old IPS module and install the firepower module.

I know that I need to shutdown the existing ips module, uninstall it then load the firepower boot image etc... however, I have no experience working with redundant units so I am not sure how to go about installing firepower in active/standby configuration.

I have searched for guides/instructions on how to do this ips upgrade in redundant asa pair but the only guides I have found so far talk about upgrading to firepower in standalone asa unit.

any suggestions, instructions or links to blog/sites that provide step by step instruction on upgrading to firepower in active/standy mode would be much appreciated.

thanks in advance.

The FirePOWER modules

Marvin Rhoads — Sat, 19 Dec 2015 14:21:17 GMT

The FirePOWER modules themselves are completely unaware of the ASAs being in Active/Standby (or any other HA or clustering setup). There is no synchronization directly between the modules. As such, you setup each one independently.

You can configure and manage them from ASDM (as of ASA 9.5(2) and FirePOWER 6.0) or from an external FireSIGHT / FirePOWER Management Center. The latter method allows you to create policies once and deploy to any number of managed modules (as long as you have the necessary licenses).

Hi Marvin thank you for your

The Learned — Sat, 19 Dec 2015 16:01:26 GMT

Hi Marvin thank you for your response. i use asa 9.2.2(4). i was trying to shutdown/uninstall the existing ips module (tried it first on standby asa and that didn't work so tried on active as well) but in both cases, it looks like ASA reboots after running the uninstall ips command and the standby unit becomes active. when the unit that rebooted comes back up, it gets configuration from newly active asa so nothing changes.its like i rebooted the asa for nothing. and since i can't install firepower without uninstalling the existing ips first, i am stuck.

i guess i am looking for step by step instructions on how i can uninstall the existing ips modules in failover configuration (while minimizing downtime). after that, like you said, i need to individually install the firepower module on both active and standby unit and manage them using firesight.

thanks

Do I understand you to say

Marvin Rhoads — Sat, 19 Dec 2015 18:42:15 GMT

Do I understand you to say that the module ips uninstall causes failover? That should be ok because in ASA 9.2.x and earlier the HA pair monitors the service module status by default and that cannot be disabled.

ASA 9.3 introduced

(no) monitor-interface service-module

...which allows you to disable that behavior.

Even on 9.2.x though, you should be able to do the uninstall on the standby unit. When you say it didn't work, what error did you get?

The order I would suggest is:

1. Uninstall ips on secondary-standby. Primary-active should see module go down and mark mate not ready.

2. Repeat on primary-active. When the primary-active unit reloads, the secondary-standby should see no active mate and assume active role. You should now have that situation of secondary-active and primary-standby

3. Install sfr on primary-standby. Load boot image, perform initial module setup and load running image.

4. Install sfr on secondary-active, including load and setup steps. When primary-standby sees the secondary-active reload, it should assume active state and be primary-active. After secondary-standby reloads it should have matching module type (i.e both have sfr installed).

5. Register and verify connection to FireSIGHT Management Center on both sfr modules.

6. Create and deploy policies to both ASAs' modules.

7. Modify ASA service-policy to redirect traffic to the sfr module for inspection per the deployed policies on those modules.

thanks again Marvin. i am

The Learned — Sun, 20 Dec 2015 23:54:04 GMT

thanks again Marvin. i am able to get further this time following your guide. i am having a separate issue now after i connect to the sfr console. i am not able to ping the gateway. i need to troubleshoot it further but the guidance you provided atleast allowed me to load the boot image so far.

i will try to figure out why i can't ping the gateway from sfr console.

i will mark your answer as correct answer.

thanks again for your help.

You're welcome.

Marvin Rhoads — Mon, 21 Dec 2015 04:22:52 GMT

You're welcome.

Can you share a sketch or describe how your network is setup?

Have you followed the Quick Start Guide (and setup the sfr module considering that the ASA physical management interface MUST be used for the sfr module and is only optional for the ASA itself)?

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Can you tell us the output of "show run interface m0/0" from the ASA?

i think that is the problem.

The Learned — Wed, 23 Dec 2015 04:45:14 GMT

i think that is the problem. in our setup, management and data networks are separate and dont talk to each other. i will move firesight vm to the management network and it should work.

That will do it.

Marvin Rhoads — Wed, 23 Dec 2015 04:50:54 GMT

That will do it.

The FireSIGHT Management Center most definitely needs to be able to reach the FirePOWER module. That module can only communicate the ASA's physical m0/0 interface.