Solved: ASA 5545X, Firepower Issue

macfrist38 · ‎08-05-2015

Hi All,

I have an urgent Issue, i bougth 2 ASAs 5545x with Firepower, both ASAs have Sourcefire inside flash, but only one has the status UP.

when I issue show module command,

ASA1

==========================================================================================

ciscoasa# sh module

Mod Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH19207Y7G
ips Unknown                                      N/A                FCH19207Y7G
cxsc Unknown                                      N/A                FCH19207Y7G
sfr Unknown           N/A           FCH19207Y7G

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 d8b1.9040.ba11 to d8b1.9040.ba1a 1.0          2.1(9)8      9.2(2)4
ips d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A
cxsc d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A
sfr d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A

Mod SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
sfr Unresponsive       Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

=================================================================================

ASA2

==========================================================================================

ciscoasa# sh module

Mod Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH19207Y7G
ips Unknown                                      N/A                FCH19207Y7G
cxsc Unknown                                      N/A                FCH19207Y7G
sfr FirePOWER Services Software Module           ASA5545            FCH19207Y7G

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 d8b1.9040.ba11 to d8b1.9040.ba1a 1.0          2.1(9)8      9.2(2)4
ips d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A
cxsc d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A
sfr d8b1.9040.ba0f to d8b1.9040.ba0f N/A          N/A          5.3.1-152

Mod SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
sfr ASA FirePOWER                  Up               5.3.1-152

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
sfr Up                 Up

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

=================================================================================

I have tried these commands in order to recover firewall

sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-152.img
sw-module module sfr recover boot

The state sill the same, but i can connect to the firepower module via session sfr console.

Please can you help me ?

Marvin Rhoads · ‎08-05-2015

If you've booted the recovery image, you have a partial system setup. You need to go into the module using the session command and run setup. Once you have a bootstrap configuration in place you can complete the recovery process by installing the full image.

Something like this:

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin

Password: Admin123

Then run setup, followed by "system install" to load the full image package (pkg) as follows::

asasfr-boot> system install ftp://<FTPusername:FTPpassword>@<FTP IP>/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process...
Populating new system image
Reboot is required

Once you reboot, the sfr module should show as up. You can then log back in (using admin / Sourcefire), accept the EULA and finish by re-setting the addressing and then adding the manager definition.

View solution in original post

Marvin Rhoads · ‎08-05-2015

If you've booted the recovery image, you have a partial system setup. You need to go into the module using the session command and run setup. Once you have a bootstrap configuration in place you can complete the recovery process by installing the full image.

Something like this:

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin

Password: Admin123

Then run setup, followed by "system install" to load the full image package (pkg) as follows::

asasfr-boot> system install ftp://<FTPusername:FTPpassword>@<FTP IP>/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process...
Populating new system image
Reboot is required

Once you reboot, the sfr module should show as up. You can then log back in (using admin / Sourcefire), accept the EULA and finish by re-setting the addressing and then adding the manager definition.

John · ‎03-16-2016

Hello Marvin,

We tried the command but we got an error.

ciscoasa# session sfr console
ERROR: Failed opening console session with module sfr. Module is in "Unresponsive" state.
Please try again later.

Marvin Rhoads · ‎03-16-2016

Please start a new thread for your issue. Let us know the steps you've taken so far.

macfrist38 · ‎08-07-2015

Hi Marvin,

Thanks very much, I tested and it is working well.

Thanks again.

jeanmojr · ‎08-08-2019

Hi Macfrist38,

Good Day! How did it worked? Thank you in advance!