Configure IP address ASA Firepower module

QW_netzwerk
Level 1

Hello,

 

Today I have been trying to configure the ASA Firepower module's IP address, but unfortunately I have not succeeded. The firewall is at a branch location and does not have any other router on the LAN network. So I have shut down the management interface and configured the Firepower management IP on the server network. But unfortunately I cannot ping the gateway IP address, which is basically the one of the interface of the firewall. It is a 5525-X series firewall, so it doesn't have any dedicated interface for the Firepower management. So it would be nice to know where I made the mistake. I did a reload and recovery of the module and I still see the status as recovery state. So my question is whether there is any problem with the module itself?

Module status

sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC            
 ips Unknown                                      N/A                
cxsc Unknown                                      N/A                
 sfr Unknown                                      N/A                

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 f  1.0                                                2.1(9)8      9.2(3)
 ips                                                         N/A          N/A
cxsc                                                       N/A          N/A
 sfr                                                         N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
 sfr Recover            Not Applicable

 

 

Firewall Interface Config

#Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.101.106.115  YES CONFIG up                 up
GigabitEthernet0/1         10.106.106.115  YES CONFIG up                 up
GigabitEthernet0/2         10.103.254.254  YES CONFIG up                 up
GigabitEthernet0/3         10.0.210.254    YES CONFIG up                   up
GigabitEthernet0/4         10.100.254.254  YES CONFIG up                 up
GigabitEthernet0/5        10.107.253.115  YES CONFIG up                  up

#interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif server
 security-level 70
 ip address 10.106.106.115 255.255.0.0

 

Firepower Management config


Hostname:   SFR1
Management Interface Configuration

IPv4 Configuration:     static
        IP Address:     10.106.251.253
        Netmask:        255.255.0.0
        Gateway:        10.106.106.115

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
        Domain:         XXX.local
        Search:
                        XXX.local
        DNS Server:
                        10.101.251.2
                        10.201.251.2

 

Any assistance will be greatly appreciated.

 

Thanks

Saimun

 

1 Accepted Solution

Accepted Solutions

tbostrom
Cisco Employee

Saimun, 

Even though there is not a physical Firepower services module management port, it uses the Management0/0 port for connecting to the SFR module.  If you'd like it on the same VLAN as your server VLAN on the ASA, plug the Management0/0 port into a switch that shares the server VLAN network and give the SFR module an IP address on the same subnet.  

 

Make sure you remove the nameif statement from under the Management0/0 interface. Here's an example:


interface Management0/0
 management-only
 no nameif
 security-level 100
 no ip address
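
An added example, not part of the original post and not Cisco tooling: a small Python check that reads an ASA config excerpt and the SFR module's address settings and reports the conditions named in this thread (Management0/0 shut down, a leftover nameif, SFR address outside the chosen VLAN's subnet). The function names and the `BEFORE`/`AFTER` samples are constructed for illustration from the values posted above.

```python
import ipaddress
import re

def parse_interfaces(config):
    """Map each 'interface X' stanza of an ASA config excerpt to its sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return stanzas

def check_sfr_management(config, sfr_ip, sfr_mask, vlan_nameif):
    """Return findings; an empty list means the layout matches the answer above."""
    findings = []
    stanzas = parse_interfaces(config)
    mgmt = stanzas.get("Management0/0", [])
    if "shutdown" in mgmt:
        findings.append("Management0/0 is shut down, so the SFR module has no network path")
    if any(cmd.startswith("nameif ") for cmd in mgmt):
        findings.append("Management0/0 still has a nameif; apply 'no nameif'")
    # Find the ASA interface for the VLAN that Management0/0 is patched into.
    asa_net = None
    for cmds in stanzas.values():
        if f"nameif {vlan_nameif}" in cmds:
            for cmd in cmds:
                addr = re.match(r"ip address (\S+) (\S+)", cmd)
                if addr:
                    asa_net = ipaddress.ip_interface("/".join(addr.groups())).network
    sfr_net = ipaddress.ip_interface(f"{sfr_ip}/{sfr_mask}").network
    if asa_net is None:
        findings.append(f"no addressed interface with nameif {vlan_nameif} found")
    elif sfr_net != asa_net:
        findings.append(f"SFR subnet {sfr_net} does not match {vlan_nameif} subnet {asa_net}")
    return findings

# Constructed samples: the thread's Gi0/1 stanza plus two Management0/0 variants.
SERVER = "interface GigabitEthernet0/1\n nameif server\n security-level 70\n ip address 10.106.106.115 255.255.0.0\n"
BEFORE = SERVER + "interface Management0/0\n shutdown\n nameif management\n security-level 100\n no ip address\n"
AFTER = SERVER + "interface Management0/0\n management-only\n no nameif\n security-level 100\n no ip address\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_sfr_management(cfg, "10.106.251.253", "255.255.0.0", "server"))
```

The check only covers configuration; the physical step of cabling Management0/0 into a switch port on the server VLAN still has to be verified on site.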

 

 

 


4 Replies 4


Thanks a lot mate. It is working. But now I have another issue uploading the sfr module package. Anyway, I am creating another new discussion about it.

tbostrom

 

I have exactly the same issue. The sfr module is always in recover stage. The ASA's internal IP address is not able to reach the IP address of the SFR module. Though both IP addresses are in the same subnet, I am unable to ping them.

interface BVI1
 ip address 192.168.1.242 255.255.255.0

ciscoasa(config)# sh int IP br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/1         192.168.1.242   YES unset  up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  down                  down
Internal-Data0/2           unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  up                    up
BVI1                       192.168.1.242   YES CONFIG up                    up

 

The firewall is in transparent mode, the access-lists any any are configured.

!
interface GigabitEthernet0/0
 no nameif
 bridge-group 1
 no security-level

interface GigabitEthernet0/1
 nameif outside1
 bridge-group 1
 security-level 0

 

Please tell me if the connections I have made have a mistake. I am connecting my laptop to the outside1 interface; the management interface and interface g0/0 are connected to the switch in the same VLAN.

Have you run through the initial SFR module setup? If you've done that successfully (assuming you have since you refer to having an IP address configured on it), then you need to run through the "system install" routine to move from the boot image to the system image on the sfr module.
