ASA 5506-X FirePower configuration problem

DmitryTsvirkun
Level 1

Our company has purchased the above Cisco product and carried out the installation and configuration thereof in strict accordance with written guidelines. However, the ASA FirePOWER configuration module in ASDM has shown only the contents, whereas the menu items do not open; there is nothing on the screen. We are expecting your expert advice in solving the problem.

:ASDM 7.4(3)

Result of the command: "show running-config"


: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1) 
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa941-lfbff-k8.SPA
ftp mode passive
clock timezone CET 1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end


Result of the command: "show module sfr"

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5506            

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
 sfr a46c.2ae4.92b8 to a46c.2ae4.92b8  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up                    

8 Replies

Marvin Rhoads
Hall of Fame

Your output indicates you are running ASDM version 7.4(3). The FirePOWER module management is only supported at this time in version 7.3(3).

See the Release Notes for confirmation.

Thank you for your reply.

Software was downgraded to version 9.3(3) for ASA and 7.3(3) for ASDM, but the result remained unchanged.

Have you done the basic configuration from the module cli (set ip address, netmask and gateway)?

Yes, the basic configuration was done. 


Configure Manager> show summary
------------------[ Sourcefire3D ]------------------
Model                     : ASA5506 (72) Version 5.4.1 (Build 211)
UUID                      : 9898fa4-3d1b-11e5-8fa6-b9cea1111112
Rules update version      : 2015-01-15-001-vrt
VDB version               : 229
----------------------------------------------------

------------------[ policy info ]-------------------
Access Control Policy     : Default Allow All Traffic

--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : A4:6C:2A:E4:92:B8
IPv4 Address              : 192.168.1.2
---------------------[ tunl0 ]----------------------
----------------------------------------------------

---------------[ snort version info ]---------------
Snort Version             : 2.9.7 GRE (Build 178)
libpcap Version           : 1.1.1
PCRE Version              : 7.4 2007-09-21
ZLIB Version              : 1.2.5
----------------------------------------------------

OK.

Is the ASA's physical management port (Management1/1) connected to a switch on the same VLAN as interface Gi1/2?

Yes, both ports connected to the same switch and located in the same VLAN

We have the same problem and have a TAC case open for it.

Basically it only works if you connect to the ASA and the Sourcefire module with https without a proxy (browser + Java) as the FirePOWER connection isn't https but socket + tls based according to the Java console output.

In Linux with OpenJDK this doesn't work at all because the private cert of the SFR module isn't accepted and the menu point for creating a csr is missing. Our TAC case is about that as well.

Team,


I have seen this issue before as well, but there is a list of things I had to do to fix this problem.


1. First you must make sure that the inside zone/interface is in the same broadcast domain / VLAN as the management interface. The management interface is the only communication it's going to use to talk to the inside interface. Therefore the switch below is needed for the gateway (inside) and the management interface to talk to each other. This is also needed for the ASDM client to communicate with the consoles.

2. The menus would not show up for me either; then I realized I had some routing issues. In the instructions, it states you set a gateway on the SFR module to the inside interface for its gateway. This is only if you don't have any internal routing / layer 3 routing on the inside of your network. If you do, then you need to point to your internal layer 3 networks instead of the ASA.

3. Once you have the routing figured out, your ASDM client will be able to reach the INSIDE gateway and your SFR module on the management interface. If not, then you want to look at your OS software and make sure you are not using an older ASDM software. This will also depend on the errors or prompts you get when logged into the ASDM. Example: at 17 percent, you should get the (Loading Firepower Menus) or ERROR / IP-LOGIN-PASSWORD prompt. This will help you determine if it's a communication error or perhaps something else you need to troubleshoot.


Hopefully that was helpful?
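The prerequisites raised in this thread (the SFR module's eth0 address sitting in the same subnet as the ASA's inside interface, Management1/1 not being shut down, and the ASDM client being admitted by the `http ... inside` line) can be verified offline from captured CLI output before anyone starts downgrading software. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from any ASA tool. It parses constructed excerpts of the `show running-config` and module `show summary` text posted above and reports which of those prerequisites hold. The function and variable names are the example's own, and it only inspects text: it does not test live reachability, and it cannot see the module's configured gateway, which the summary output does not show.

```python
"""Offline sanity checks for the ASA-to-FirePOWER (SFR) management path.

Added example for this thread (not Cisco code). It parses captured
'show running-config' and module 'show summary' text and checks the
prerequisites the replies describe. The excerpts below are constructed
from the outputs posted in the thread, trimmed to the relevant lines."""

import ipaddress
import re

# Constructed excerpt of the ASA running-config shown in the thread.
RUNNING_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed excerpt of the module's 'show summary' output from the thread.
SFR_SUMMARY = """\
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
IPv4 Address              : 192.168.1.2
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(config):
    """Map each 'interface X' stanza name to the list of its indented lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # any non-indented line ('!', 'http ...') ends the stanza
    return stanzas


def interface_by_nameif(stanzas, nameif):
    """Return the IPv4Interface of the stanza carrying 'nameif <nameif>', or None.

    Interfaces addressed by DHCP (like 'outside' here) have no static
    address in the config, so they deliberately yield None."""
    for lines in stanzas.values():
        if f"nameif {nameif}" in lines:
            for entry in lines:
                m = re.match(rf"ip address {IPV4} {IPV4}$", entry)
                if m:
                    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def parse_http_acl(config):
    """Return [(IPv4Network, nameif)] for each 'http <net> <mask> <nameif>' line."""
    acl = []
    for line in config.splitlines():
        m = re.match(rf"http {IPV4} {IPV4} (\S+)$", line)
        if m:
            acl.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return acl


def parse_sfr_mgmt_ip(summary):
    """Return the eth0 IPv4 address from the module's 'show summary' output."""
    in_eth0 = False
    for line in summary.splitlines():
        header = re.match(r"-+\[ (\S+) \]-+$", line)
        if header:
            in_eth0 = header.group(1) == "eth0"
            continue
        m = re.match(rf"IPv4 Address\s*:\s*{IPV4}", line)
        if in_eth0 and m:
            return ipaddress.ip_address(m.group(1))
    return None


def check_management_path(config, summary, client_ip):
    """Return {check_name: bool} for the prerequisites listed in the replies."""
    stanzas = parse_interfaces(config)
    inside = interface_by_nameif(stanzas, "inside")
    sfr_ip = parse_sfr_mgmt_ip(summary)
    client = ipaddress.ip_address(client_ip)
    mgmt = stanzas.get("Management1/1", [])
    return {
        "inside has static IPv4": inside is not None,
        "SFR eth0 in inside subnet": inside is not None and sfr_ip is not None
                                      and sfr_ip in inside.network,
        "Management1/1 not shutdown": bool(mgmt) and "shutdown" not in mgmt,
        "ASDM client allowed on inside": any(
            nameif == "inside" and client in net for net, nameif in parse_http_acl(config)),
    }


if __name__ == "__main__":
    # Client address taken from the ASA's inside DHCP pool shown in the thread.
    for name, ok in check_management_path(RUNNING_CONFIG, SFR_SUMMARY, "192.168.1.50").items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
```

Run it against your own captured output by replacing the two constants. A FAIL on the subnet check points at step 1 of the reply above (the module and the inside interface are not in the same broadcast domain), while a FAIL on the `http` check means ASDM itself would be refused before the FirePOWER menus ever load.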
