Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14080
Views
10
Helpful
13
Replies

Sfr is unresponsive

lsanchez
Level 1
Level 1

‎09-25-2018 07:03 PM - edited ‎03-12-2019 06:59 AM

I would like to ask why sfr is unresponsive?

 

 

FIT-ASA# show module sfr details
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type: Unknown
Model: N/A
Hardware version: N/A
Serial Number: JAD202200G1
Firmware version: N/A
Software version:
MAC Address Range: 0062.ec8f.92f0 to 0062.ec8f.92f0
Data Plane Status: Not Applicable
Console session: Ready
Status: Unresponsive

 

FIT-ASA# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516 JAD202200G1
sfr Unknown N/A JAD202200G1

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 0062.ec8f.92f1 to 0062.ec8f.92f9 1.1 1.1.12 9.9(2)
sfr 0062.ec8f.92f0 to 0062.ec8f.92f0 N/A N/A

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Unresponsive Not Applicable

 

Thank you in advance.

5 people had this problem
Labels:
0 Helpful
13 Replies 13

Mohammed al Baqari
Level 11
Level 11

‎09-25-2018 07:44 PM

What do you see when you try to console from ASA to SFR. Also, get the
output of

sh module sfr log console
0 Helpful

lsanchez
Level 1
Level 1
In response to Mohammed al Baqari

‎09-26-2018 06:26 PM

thank you for your response

 

when i tried to access the sfr

Screenshot_1.jpg

im stuck on this, even i press ctrl+x

 

here is the output when checking sfr log console

Screenshot_2.jpg

Preview file
13 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-25-2018 09:02 PM

It's most likely not installed.

 

Has it ever worked?

0 Helpful

lsanchez
Level 1
Level 1
In response to Marvin Rhoads

‎09-26-2018 06:27 PM

Thank you for your response.

Yes sir it worked before.
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to lsanchez

‎09-27-2018 12:50 AM

It appears to have gotten severely corrupted to the extent of not starting correctly. You may need to re-install the software module.

 

Unless it has a lot of locally-configured (via ASDM) settings, I'd just go ahead and re-image it and re-register to FMC and redeploy the policies.

0 Helpful

lsanchez
Level 1
Level 1
In response to Marvin Rhoads

‎09-27-2018 05:50 PM

i'll try to reinstall, thank you sir
0 Helpful

Florin Barhala
Level 6
Level 6
In response to Marvin Rhoads

‎08-29-2019 10:32 PM

When you say reinstall you mean recover?

sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.3.0-1.img
sw-module module sfr recover boot
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Florin Barhala

‎08-29-2019 11:04 PM

Yes, that's correct. Recover and boot.

You might also precede those with an uninstall for the most complete treatment.

Florin Barhala
Level 6
Level 6
In response to Marvin Rhoads

‎08-30-2019 12:56 AM

Thank you Marvin!
I do have one more question/concern when it comes to SFR;
As we speak I have the SFR configured as fail-open and still I am worried about production traffic impact.
At what moment the ASA will consider the sensor "ready" to forward traffic? When does "fail-open" is triggered?

This combination of policy-map config along with pushing policies from FMC is confusing to me in regard to any traffic disruption/block.

Thanks!
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Florin Barhala

‎08-30-2019 04:59 AM

"fail-open" means if the sfr module fails (i.e. status is "down/down" or even "up/down") the ASA will ignore the service-policy that would otherwise redirect the traffic to it for inspection.

Once the module status is "up/up" traffic redirection will resume.

0 Helpful

Florin Barhala
Level 6
Level 6
In response to Marvin Rhoads

‎08-30-2019 09:47 AM

That makes sense ; how can anyone determine SFR status?
I reviewed this command, but the output returns a different status than up/down

show module sfr details
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type: Unknown
Model: N/A
Hardware version: N/A
Serial Number: FCH66620UU
Firmware version: N/A
Software version:
MAC Address Range: 0062.1111.9d84 to 0062.1111.9d84
Data Plane Status: Not Applicable
Console session: Ready
Status: Unresponsive
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Florin Barhala

‎08-30-2019 07:22 PM

It could be that the sfr module is not installed and that there is either no installed module or one of the legacy types (cxsc or ips).

"show module" will return the overall status of all module types.

kvnrndlph
Level 1
Level 1
In response to Florin Barhala

‎10-21-2020 02:00 PM

Had a similar issue that was resolved with just a reset.

 

sw-module module sfr shutdown

sw-module module sfr reset

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card