07-20-2016 12:54 PM - edited 03-10-2019 06:39 AM
Hello,
I have 2 ASA 5585 SSP10 in active/standby configuration working. We have purchased 2 SFR modules ASA5585-SSP-SFR10 to be installed.
My question is whether the boot and system software images are already factory pre-installed on the cards. Or do we need to download the images from Cisco and reimage the cards during install?
Thank you.
07-20-2016 04:04 PM
The FirePOWER system image should be installed already.
However they are probably on the older version 5.3.x.
You will want to get them up to the latest 6.0.1.1 via your FirePOWER Management center once you have them bootstrapped and registered.
07-20-2016 05:04 PM
The cards will be configured in IDS mode (monitor-only) for some time, as the virtual management center is not ready yet. I am wondering if we could use ASDM to upgrade the modules to the latest version, though we are not registering them in ASDM.
Could you reference some documentation for bootstrapping and ASDM upgrade in this particular case?
Thanks
07-20-2016 06:05 PM
I have the quick start guide at this link:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html#anc6
Is this guide referencing the bootstrap process?
I'm confused because this guide does the image recovery all over (bootstrap and system images), as if the module has no image pre-installed. If the module does have a system image pre-installed, how is the bootstrap and registration done in that case?
07-27-2016 12:21 PM
Registration is done with the license key. Usually you receive a doc with the PAK.
Very important: make sure your Firepower Management Console is on the same version or higher than the sensor or module FP.
07-20-2016 06:10 PM
If your modules come with <6.0 FirePOWER version you will not be able to upgrade them via ASDM.
The ante for using ASDM to manage (including upgrade) a FirePOWER module on anything other than the Kenton models (5506/08/16) is ASDM 7.5.112 and FirePOWER 6.0.
http://www.cisco.com/c/en/us/td/docs/security/asdm/7_5/release/notes/rn75.html#ID-2172-00000128
You'd be much better off standing up a FirePOWER Management Center on a VM. If you ever plan to run the 5585 modules with anything near the load they are capable of, ASDM (with the module only event storage) is really not a sustainable solution.
If you go the route of upgrading from 5.3.x to 6.0 without FMC, you will need to go the cli route - a lot more work and it's roughly described here:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
As noted there, upgrade apart from either FirePOWER Management Center or ASDM management (the latter only available post-6.0) requires reimaging - I would not recommend it for the new user.
07-21-2016 01:57 AM
Thank you for this clarification.
1- By this statement, do you mean any version lower than 6.0 cannot be upgraded via ASDM?
"If your modules come with <6.0 FirePOWER version you will not be able to upgrade them via ASDM."
2- Is it possible to use ASDM for upgrade for the meanwhile and later switch to full FMC VM?
3- The CLI option you mentioned is for the software module. Is this link for the hardware module?
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html#anc6
If correct, does this mean a complete image recovery is necessary via CLI?
Thank you.
07-21-2016 06:05 AM
1. Correct.
2. No - not on ASA 5585 with pre-6.0 FirePOWER software.
3. Sorry - yes that's the correct link for the hardware module.
Yes, as I noted earlier - without FMC you will need a complete re-image via CLI.
07-21-2016 04:26 PM
Thanks a lot.
01-30-2019 01:38 PM
If I am on 5.3.1, can a reimage be done to the latest 6.2.3, or do I need to follow a specific path?
03-13-2017 11:08 AM
Hello
We have 12 ASA5585X with IPS-SSP-20. Can we install the Firepower image on them without changing hardware?
Thank you.
03-13-2017 11:25 AM
Yes, you can. Make sure the image is equal or below the FMC release. And make sure you match the ASA version working with FP. I highly recommend using the FP 6.1 or up, if your FMC is 6.2 ....avoid all the headaches in between...
03-13-2017 07:44 PM
Hello
I've tried to install and change our ASA5585X with IPS-SSP-20 to Firepower image 6.2 according to the link below:
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html
But after the final reboot, when the module reloads, all processes reset to IPS-SSP-20 mode and the image installation process failed.
Is there something wrong with that?
Thank you.
03-13-2017 07:55 PM
Note the guide you referenced instructs that "the other module must be uninstalled to make space for the SSP-SFR".
This is referring to uninstallation of the older hardware module, consistent with the advice I gave just a short while ago in this thread.
03-13-2017 07:39 PM
Sorry for the correction but the 5585-X IPS-SSP cards cannot be reimaged to run FirePOWER.
In cases such as this, there is a special SKU (ASA5585-xx-FP-UPG, using 10, 20, 40 or 60 in place of "xx") the customer can order to get a discounted price on the required new hardware module. The model ordered should be considered carefully - the customer's Cisco or partner SE can use the internal sizing tool to choose the right one given the customer's current and projected performance requirements.
They should also consider moving to a new FirePOWER 2100 (FTD image only) or 4100 (ASA or FTD image) series appliance as the end of sales for 5585-X FirePOWER variants has been announced recently. The EoS date will be August 2017.
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/eos-eol-notice-c51-738643.html