ASA Failover issue with SFR installed.

ScarFace P
Level 1

Hello Experts, 

I have two ASA 5545-X boxes installed, and both boxes have the SFR module installed, though the license has expired and we are going to renew it soon. Both ASA boxes have multiple contexts and are a fail-over pair.

The issue I am having is that the firewall fails over with the reason below. I think the SFR module is having an issue and leads to the fail-over. Can I remove this module from the fail-over configuration or shut down this module? Here is the configuration we have.

Failover reason:

Just Active                Active Drain               Service card in other unit has failed

Sh failover
This host: Primary - Active
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
Other host: Secondary - Standby Ready
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-155) status (Up/Up)

Sh run failover
failover
failover lan unit primary
failover lan interface failover Gi0/1.1
failover replication http
failover link statelink GigabitEthernet0/1.2
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover interface ip statelink 192.168.101.1 255.255.255.0 standby 192.168.101.2

Thanks for the help.

Regards

Pankaj 

14 Replies

no monitor-interface service-module

should do the trick. Edit: This feature was introduced in version 9.3(1).

Thank you, Iwen, for the quick response. We have version 9.2(2)4, so I am not able to run this command. Can anything be done on the existing version?

Any particular reason that you can't or don't want to upgrade your firewall?

There is no particular reason; we have planned the upgrade for next year, but the module is failing frequently, almost twice a week. If we shut this module down and remove all the related configuration, i.e. the policy, will it still be monitored, and will the change be a disruptive change?

With these problems, I would definitely first shut down and uninstall FP, then upgrade the ASA to a suggested release and last reinstall the module. If that all doesn't help, you likely need to open a TAC case.

Pankaj,

What version are the SFR modules running? You should upgrade to the latest version and see if that will solve the issue. You should be able to do it without any service disruption.

Thanks,

Nenad

Hi Nenad,

We are using software version 5.3.1-152.

Thanks

Pankaj  

As Marvin said, I would upgrade the FirePOWER modules. I ran into a couple of bugs with old versions. Thanks

Thank you, experts, Nenad, Marvin, Iwen, for your valuable inputs and help. I think I should keep it shut down till the next upgrade.

Thanks

If you are using the FirePOWER (sfr) modules, you should definitely upgrade. You are running the very first version of ASA software that supported them and the very first version of FirePOWER software available on the ASA sfr module as well. There have been numerous upgrades and literally hundreds of bug fixes since those versions.

If you are not using them, then simply uninstall the modules. It's a simple non-disruptive (to the parent ASA) command. Do it on the standby unit first and then the active unit and it won't even trigger another failover. Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center). In that case, all policies can be re-applied to the units once you have upgraded the software to a current stable release.

Thanks Marvin, yes, I agree we should upgrade the code now, and we have it in our plan for next year. When you say

"Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center)."

which configuration are you referring to: only the SFR-related config, i.e. the class map and service policy configuration, or the firewall configuration?

@pankajm.bisht,

I was referring only to the FirePOWER policies on the modules themselves. Your base ASA policies would not be affected.

You would, of course, need to go into the ASA and remove any policy map that includes redirection to the module prior to uninstalling it.

So how do you stop monitoring your service module in versions less than 9.3? I mean, that's a huge feature missing there in all versions when you are dealing with ASA and service modules.

You can shutdown the sfr module.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#56378
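The sequence Marvin describes (remove the redirect, then shut the module down on the standby unit first) written out as ASA CLI, added here as an example and not taken from any reply in the thread. The context name ctx1, the class name sfr_class and the assumption that the redirect was configured as `sfr fail-open` are all placeholders to adjust to your own config; the final `no monitor-interface service-module` step only exists on 9.3(1) and later, as noted above.

```cisco
! Added example (not from the thread). Multi-context ASA 5545-X failover pair.
! Step 1 is entered once on the ACTIVE unit: context config replicates to standby.
! Steps 2 and 3 are entered on the STANDBY unit first, then on the ACTIVE unit.

! 1. In every context that redirects traffic to the module, remove the redirect
!    so the data path no longer depends on the SFR module.
changeto context ctx1
configure terminal
policy-map global_policy
 class sfr_class
  no sfr fail-open
 exit
exit
end

! 2. From the system execution space, shut the module down (confirm the prompt).
!    This is non-disruptive to the parent ASA and does not itself cause a failover.
changeto system
sw-module module sfr shutdown
! Wait until the module reports Down before touching the other unit.
show module sfr details

! 3. Optional: remove the module entirely. Module-side policies are lost unless
!    they are managed centrally by FirePOWER Management Center.
sw-module module sfr uninstall

! 4. ASA 9.3(1) or later only: stop failover health-checking the module, so a
!    failed card no longer produces "Service card in other unit has failed".
configure terminal
no monitor-interface service-module
end
```

Checking `show failover` afterwards should show both slot 0 entries still Up Sys with no further "Service card in other unit has failed" transitions in the failover history.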
