cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2447
Views
10
Helpful
8
Replies

ASA 5506 with Firepower Managing Device: From ASDM Built-in to External FireSIGHT

LJ Gabrillo
Level 5
Level 5

Hi Everyone, 


Just a bit of background
As a lot of us know, the 5506 has a built-in Management for its firepower module using ASDM.
However, the admin has the option to use an external FirePOWER managemnt center if so desired.

One of our clients, has a 5506 where its firepower module and all related config is done through ASDM.
However, in the long run, we setup an external firepower mgmt. Center server to manage the SFR software module of 5506

However, even though I added/configured the manager IP, it wouldn't add to the FMC.
In the long run, I had to re-flash the ASA SFR and then I was able to add it to the FMC.

My question is, is there a quicker way in w/c I wont need to re-flash/re-image it? Priming the module takes a looooooooooooooooong time, especially when you are in a higher patch. If it was pre-managed initially through ASDM, it looks like simply adding a manager IP wont do it 

Is there like a command to say "hey ASA, disable your built-in ASDM management for the firepower module, i need the module to be managed on an external FMC" haha :D 

HOpe someone can help

8 Replies 8

ankojha
Level 3
Level 3

Hi,

I believe there is no problem adding device to firepower management center even if it is managed by ASDM earlier without any reimage and it works fine without that as well.

It might be some other issue while trying to register the device because of which it failed but reimage is not required for adding it to FMC.

Thanks,

Ankita

Yeah, documentation also said that I only need to configure a manager IP But that's the case on what happened, i tried everything i could before re-imaging

But as I said, this is what happened

Hi LJ,

Hope you're doing well.

As soon as you add the FMC on SFR module then SFR clearly says to ASDM "Listen up bro, your duty is over & I got this amazing FMC to take care of me". Yeah, it does ;)

If it doesn't work then mostly it's the issue with communication between FMC and SFR. Check the status of sftunnel.

sftunnel service status is set as 'waiting' while managing the SFR from ASDM. It should be up and running when the same is managed by FMC.

-> Verify if sftunnel.conf exist under /etc/sf/

-> Verify if it's running: pmtool status | grep sftunnel

There can be other issues as well like port 8305 blocking or ssl certificate revoke but above is most common issue.

Regards,

Dv

kind of off-topic, but how do you manage this with the license. Did you move the license with help of Cisco. Cause you first activated the On-BOX controle/protect license right? (i'm in a similar situation and have some doubts to move to the firesight management instead off the on-box.

We used the 45-day free trial thing when the server wasnt available yet

Also dont worry about that, Cisco will help you regenerate the license if needed 
Open a TAC case for that one

Hi there,

We need to move from ASDM do FMC in a sinlgle ASA + SFR box environment.

Do you know that the running SFR config will be preserved after the change from ASDM to FMC, or should we export the policies (acp, sys policies) and import them in FMC after we finish the SFR and FMC association?

TIA,

Hugo

When you move from local management (ASDM) to FMC management it does not preserve the old policies. Only the bootstrap configuration (IP address, gateway, hostname etc.) are preserved.

You will need to rebuild the policies on FMC and then deploy them to the ASA FirePOWER module once you have registered it.

You cannot export from ASDM as that isn't supported as a means of importing to FMC.

Mr. Rhoads,

Thanks a lot for your answer.

It's not the answer that would make me happy..

Regards,

Hugo

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: