ASA 5506 with FirePower Services Plus REST

alex.baldwin
Level 1

I hope someone on here can perhaps help me.

We have a fleet of ASA-5506-X models in the field that I am in the process of replacing with new ones due to the Cisco clock chip vulnerability.

We have SFR enabled and we use REST.  We actually use REST, we need it.

We are just trying to stay patched no additional features needed, just trying to replace what is and stay safe from a security patching standpoint.

We are on the 9.6 train.  My understanding is that some memory concern has led Cisco to disallow REST in combination with SFR in later versions (which seems like a good reason Cisco should replace all of these boxes rather than tell customers they can't run two features at the same time, but I digress).  According to all the release notes I read on the 9.6 train I should be able to continue to run REST and SFR so long as I stay within the 9.6 train and 6.0 of SFR.

When I try to enable REST it says you can't until you remove SFR.

asa(config-group-webvpn)# rest-api image disk0:/asa-restapi-131-lfbff-k$

asa(config)# rest-api agent

The FirePOWER Services(SFR) module and the REST API agent cannot be enabled concurrently on this platform. Please uninstall the FirePOWER Services(SFR) module in order to enable the REST API agent.

Even if I downgrade the image to 6.0 it will not let me.

Now, if I uninstall the SFR with

        ciscoasa(config)# sw-module module sfr uninstall

and reload, it will let me enable REST.

When I try to reinstall the SFR with version 6.0 it still will not allow it.

asa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.0.0-1005.img

asa# sw-module module sfr recover boot

The FirePOWER Services(SFR) module and the REST API agent cannot be enabled concurrently on this platform. Please disable the REST API agent in order to install the FirePOWER Services(SFR) module.

So are the release notes wrong?  Did I read something wrong? Am I applying something in the wrong order?  Is there not a version available where a customer can continue to run both services and stay patched?

In the long term, is there a fix for this on the FTD platform (both SFR and REST)?

Thx

3 Replies

Francesco Molino
VIP Alumni
Hi

REST API isn't supported if SFR version 6 or later is installed.
Check it out here:
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_65991

Instead of using ASA + SFR, if you move to the FTD image, you can use APIs.
Check it out here:
https://www.cisco.com/c/en/us/td/docs/security/firepower/ftd-api/guide/ftd-rest-api.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

OK, that may well be, but I am still running SFR version 5; I cannot even apply the bug fix version of ASA 9.6(4)20.

Shouldn't a person running ASA plus FirePOWER + REST (which was a perfectly valid configuration when we bought this firewall) be able to patch for security vulnerabilities without losing features?

home# show ver

Cisco Adaptive Security Appliance Software Version 9.6(4)20
Device Manager Version 7.9(2)152

home(config)# rest-api agent
The FirePOWER Services(SFR) module and the REST API agent cannot be enabled concurrently on this platform. Please uninstall the FirePOWER Services(SFR) module in order to enable the REST API agent.

home# show module sfr

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
sfr  FirePOWER Services Software Module           ASA5506

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr  002a.104b.4361 to 002a.104b.4361  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               5.4.1-211

Mod Status Data Plane Status Compatibility

Sorry for my late answer.

I understand your concern and you should raise this concern to your local Cisco contact to escalate.

I'm sorry for you to be stuck in this position.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
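Before rolling a patch across a fleet like the one described in this thread, it helps to inventory which boxes carry both the SFR module and the REST agent, since those are the ones the 9.6(4)20 upgrade refuses. The following added example (not from Cisco or from anyone in this thread) parses the `show module sfr` output quoted above and a running-config fragment; the sample input is constructed, the serial number and REST image name are placeholders, and the 6.0 threshold is the one cited from the compatibility matrix in the first reply.

```python
import re
# Constructed sample input modelled on the `show module sfr` output and the
# rest-api lines quoted in this thread; serial and image name are placeholders.
SHOW_MODULE_SFR = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
sfr  FirePOWER Services Software Module           ASA5506            PLACEHOLDER
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr  002a.104b.4361 to 002a.104b.4361  N/A          N/A          5.4.1-211
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               5.4.1-211
"""
RUNNING_CONFIG = """\
hostname home
rest-api image disk0:/PLACEHOLDER-restapi-image.SPA
rest-api agent
"""
# SFR row of the MAC/version table: the last field is the module software version.
SFR_SW_VERSION = re.compile(r"^\s*sfr\s+\S+\s+to\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$", re.M)
# SFR row of the application table: the field after the name is the status (Up/Down).
SFR_STATUS = re.compile(r"^\s*sfr\s+ASA FirePOWER\s+(\S+)\s+\S+\s*$", re.M)

def sfr_state(show_module: str):
    """Return (sw_version, status) parsed from `show module sfr`; (None, None) if absent."""
    ver = SFR_SW_VERSION.search(show_module)
    status = SFR_STATUS.search(show_module)
    return (ver.group(1) if ver else None, status.group(1) if status else None)

def rest_agent_enabled(config: str) -> bool:
    """True if the running config contains an exact `rest-api agent` line."""
    return any(line.strip() == "rest-api agent" for line in config.splitlines())

def version_tuple(version: str) -> tuple:
    """'5.4.1-211' -> (5, 4, 1); the build suffix after '-' is ignored."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())

def audit(show_module: str, config: str) -> dict:
    """Flag SFR + REST agent coexistence; the 6.0 threshold is the one quoted in the first reply."""
    version, status = sfr_state(show_module)
    rest = rest_agent_enabled(config)
    has_sfr = version is not None
    return {
        "sfr_version": version,
        "sfr_up": status == "Up",
        "rest_agent": rest,
        "both_features": has_sfr and rest,
        "sfr_6_or_later": has_sfr and version_tuple(version) >= (6, 0, 0),
    }
```

Run `audit()` over each device's captured output; a device with `both_features` set needs a plan (and, per this thread, a case with Cisco) before it is moved to a release that refuses the combination.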