08-10-2015 08:32 AM - edited 03-12-2019 05:44 AM
Our company has purchased the above Cisco product and carried out the installation and configuration thereof in strict accordance with written guidelines. However, the ASA FirePOWER configuration module in ASDM has shown only the contents, whereas the menu items do not open, there is nothing on the screen. We are expecting your expert advice in solving the problem.
:ASDM 7.4(3)
Result of the command: "show running-config"
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa941-lfbff-k8.SPA
ftp mode passive
clock timezone CET 1
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Result of the command: "show module sfr"
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
sfr FirePOWER Services Software Module ASA5506
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr a46c.2ae4.92b8 to a46c.2ae4.92b8 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Up Up
08-11-2015 01:57 PM
Your output indicates you are running ASDM version 7.4(3). The FirePOWER module management is only supported at this time in version 7.3(3).
See the Release Notes for confirmation.
08-12-2015 02:46 AM
Thank you for your reply.
Software was downgraded to version 9.3(3) for ASA and 7.3(3) for ASDM, but the result remained unchanged.
08-12-2015 06:37 AM
Have you done the basic configuration from the module cli (set ip address, netmask and gateway)?
08-12-2015 06:45 AM
Yes, the basic configuration was done.
Configure Manager> show summary
------------------[ Sourcefire3D ]------------------
Model : ASA5506 (72) Version 5.4.1 (Build 211)
UUID : 9898fa4-3d1b-11e5-8fa6-b9cea1111112
Rules update version : 2015-01-15-001-vrt
VDB version : 229
----------------------------------------------------
------------------[ policy info ]-------------------
Access Control Policy : Default Allow All Traffic
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : A4:6C:2A:E4:92:B8
IPv4 Address : 192.168.1.2
---------------------[ tunl0 ]----------------------
----------------------------------------------------
---------------[ snort version info ]---------------
Snort Version : 2.9.7 GRE (Build 178)
libpcap Version : 1.1.1
PCRE Version : 7.4 2007-09-21
ZLIB Version : 1.2.5
----------------------------------------------------
08-12-2015 06:47 AM
OK.
Is the ASA's physical management port (Management1/1) connected to a switch on the same VLAN as interface Gi1/2?
08-12-2015 07:15 AM
Yes, both ports are connected to the same switch and located in the same VLAN.
08-18-2015 01:06 AM
We have the same problem and have a TAC case open for it.
Basically it only works if you connect to the ASA and the Sourcefire module with https without a proxy (browser + Java) as the FirePOWER connection isn't https but socket + tls based according to the Java console output.
In Linux with OpenJDK this doesn't work at all because the private cert of the SFR module isn't accepted and the menu point for creating a CSR is missing. Our TAC case is about that as well.
08-27-2015 02:22 PM
Team,
I have seen this issue before as well, but there is a list of things I had to do to fix this problem.
1. First you must make sure that the inside zone/interface is in the same broadcast / VLAN as the management interface. The management interface is the only communication it's going to use to talk to the inside interface. Therefore the switch below is needed from the gateway (inside) and the management interface to talk to each other. This is also needed for the ASDM client to communicate with the consoles.
2. The menus would not show up for me either, then I realized I had some routing issues. In the instructions - it states you set a gateway on the SFR module to the inside interface for its gateway. This is only if you don't have any internal routing / layer 3 routing on the inside of your network. If you do, then you need to point to your internal layer 3 networks instead of the ASA.
3. Once you have the routing figured out, your ASDM client will be able to reach the INSIDE gateway and your SFR module on the management interface. If not, then you want to look at your OS software and make sure you are not using an older ASDM software. This will also depend on the errors or prompts you get when logged into the ASDM. Example at 17 percent - you should get the (Loading Firepower Menus) or ERROR / IP-LOGIN-PASSWORD prompt. This will help you determine if it's a communication error or perhaps something else you need to troubleshoot.
Hopefully that was helpful?
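The addressing preconditions in steps 1 to 3 above can be checked offline from the two outputs posted in this thread. The following is an added example, not part of any post and not Cisco code: the `asdm_client` and `sfr_gateway` arguments are hypothetical inputs (neither value appears in the thread), and the SFR module is assumed to use the same netmask as the inside interface.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the outputs posted in this thread.
ASA_CONFIG = """interface GigabitEthernet1/2
nameif inside
ip address 192.168.1.1 255.255.255.0
!
interface Management1/1
no nameif
no ip address
!
http 192.168.1.0 255.255.255.0 inside
"""
SFR_SUMMARY = """---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
IPv4 Address : 192.168.1.2
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def asa_interfaces(config):  # nameif -> address/mask for each configured block
    found = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        addr = re.search(rf"^\s*ip address {IP} {IP}", block, re.M)
        if name and addr:  # "no nameif" / "ip address dhcp" blocks are skipped
            found[name.group(1)] = ipaddress.ip_interface("/".join(addr.groups()))
    return found

def asdm_allowed(config, ifname):  # networks from "http <net> <mask> <ifname>"
    rows = re.findall(rf"^\s*http {IP} {IP} (\S+)", config, re.M)
    return [ipaddress.ip_network(f"{n}/{m}") for n, m, i in rows if i == ifname]

def sfr_ip(summary, section="eth0"):  # IPv4 address under one "[ section ]" header
    parts = re.split(r"^-+\[\s*(.+?)\s*\]-+$", summary, flags=re.M)
    sections = dict(zip(parts[1::2], parts[2::2]))
    m = re.search(rf"IPv4 Address\s*:\s*{IP}", sections.get(section, ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def check(config, summary, asdm_client, sfr_gateway):
    inside = asa_interfaces(config)["inside"].network
    client = ipaddress.ip_address(asdm_client)
    return {
        "sfr_on_inside_subnet": sfr_ip(summary) in inside,
        "sfr_gateway_on_link": ipaddress.ip_address(sfr_gateway) in inside,
        "client_allowed_by_http": any(client in n for n in asdm_allowed(config, "inside")),
        "client_needs_route_to_sfr": client not in inside,
    }
```

When `client_needs_route_to_sfr` is true, the ASDM workstation sits behind an internal router, which is the case step 2 describes: the SFR gateway then has to be the internal layer 3 device rather than the ASA inside address.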