ASA 5525 update

pasha-life (Level 1)

Hi guys. I need your help. We have 2 ASAs, FMC, ASDM. I tried to install the latest software updates (6.2.3); everything went well except on one ASA. The FMC and the first ASA updated successfully, but on the second ASA it doesn't pass the readiness check.

Currently its version is 6.1.0.6, and 6.2.3 says we can update straight from it. I checked the console: no log folder was created in /var/log/sf/updates/Cisco_Network_Sensor_Upgrade-6.2.3-83, but there were for others (e.g. Sourcefire_3D_Def...)

Then I tried to run the readiness check manually to see some logs, as there weren't any in the GUI. So, running

perl /var/sf/bin/install_update.pl --readiness-check /var/sf/updates/Cisco_Network_Sensor_Upgrade-6.2.3-83 shows me this error: Update is not a signed or content update at /var/sf/bin/install_update.pl line 509.

line 509:

if (defined($$update_info{is_sig_valid}))
{
    # signed package. validated_filename is the extracted makeself file
    $filepath = $$update_info{'validated_filename'};
    $is_bundle = 1;
    if ($$update_info{is_sig_valid} == 0)
    {
        warn "Update has invalid signature";
        exit_update(1, "cleanup");
    }
}
else
{
    # unsigned package. filename is the file argument passed to this script
    $filepath = $$update_info{'filename'};
    $is_bundle = 0;
    # Allow unsigned updates only for GeoDB, VDB, SRU
    if (($$update_info{'update_type'} !~ /GeoLocation.+Database/) &&
        ($$update_info{'update_type'} !~ /Vulnerability.+Database/) &&
        ($$update_info{'update_type'} !~ /Rule.+Update/))
    {
        warn "Update is not a signed or content update";
        exit_update(1, "cleanup");
    }
}

As we see, is_sig_valid is not defined. From the SF::Util::Update module we can see, if I understand right, that it is defined when the checksum (md5sum, sha512sum) executed correctly. But there is no problem with the checksums; I checked them manually and they match the original md5 and sha512 hashes.

Also, I thought about a straight update incompatibility, and because of that I checked Cisco_Network_Sensor_Upgrade-6.2.0-362 and Cisco_Network_Sensor_Upgrade-6.2.2-81, and they failed with the same error. Please help me to understand and solve the problem.


12 Replies

yogdhanu (Cisco Employee)

Hi

 

Could you please confirm the downloaded file is for the ASA5525? Or maybe download it again?

Please also make sure the file you are downloading is Cisco_Network_Sensor_Upgrade-6.2.3-83.sh.

The .REL.tar file is only for upgrades from 6.2.2.

 

I would just suggest to download the file again from the site and then upload on FMC and try the readiness check again.

 

Hope it helps,

Yogesh

Yes, I confirm. Exactly the .sh file, NOT .rel.tar, from https://software.cisco.com/download/home/286271172/type/286277393/release/6.2.3

What's the point of redownloading it if hashes are equal?

Just in case, I did as you told and got the same error. Can anyone please explain to me what the problem is?

Ok, I am editing the logic of install_update.pl, because it sees the official update as unsigned. So, the check begins, and here are some errors from the output:

 

[180507 12:03:12:366] FAILED 000_start/105_check_model_number.sh
**********************************************************
[180507 12:03:12:014] Starting script: 000_start/105_check_model_number.sh
Entering 000_start/105_check_model_number.sh...

Fatal error: This update is not for model number 66. Exiting.

 

**********************************************************
[180507 12:03:13:109] Starting script: 000_start/107_version_check.sh
Entering 000_start/107_version_check.sh...

Checking version requirement...
The product version is 6.2.3.1.

 

Fatal error: This patch is for IMS versions greater than or equal to 6.1.0 and less than 6.2.3.

 

[180507 12:04:28:076] # UPGRADE READINESS CHECK COMPLETE status : FAILED! #

 

It seems it wants to install the update on the already updated ASA. How should I run the readiness check on the other one? I can't see an option to point it to install_update.pl.
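To make the three gates seen in this thread reproducible offline (the signed-or-content-update branch quoted from install_update.pl line 509, plus the 105_check_model_number.sh and 107_version_check.sh failures above), here is an added Python model of them. It is not Cisco's code and not from any poster; the version range, the model number 66 and the content-update patterns come from the thread, while the function names, the dict layout and the sample inputs are constructed.

```python
import re

# Update types that install_update.pl allows to ship unsigned (from the quoted Perl).
CONTENT_TYPES = (r"GeoLocation.+Database", r"Vulnerability.+Database", r"Rule.+Update")


def parse_version(v):
    """'6.2.3.1' -> (6, 2, 3, 1); numeric tuples so 6.10 sorts after 6.2."""
    return tuple(int(p) for p in v.split("."))


def signature_gate(update_info):
    """Mirror of the branch at line 509: None when allowed, else the warning text."""
    if update_info.get("is_sig_valid") is not None:       # Perl: defined(...)
        if update_info["is_sig_valid"] == 0:
            return "Update has invalid signature"
        return None                                        # signed and valid
    utype = update_info.get("update_type", "")
    if any(re.search(p, utype) for p in CONTENT_TYPES):
        return None                                        # GeoDB, VDB, SRU may be unsigned
    return "Update is not a signed or content update"


def version_gate(running, low="6.1.0", high="6.2.3"):
    """107_version_check: the running version must satisfy low <= running < high."""
    if parse_version(low) <= parse_version(running) < parse_version(high):
        return None
    return (f"This patch is for IMS versions greater than or equal to "
            f"{low} and less than {high}.")


def model_gate(model, supported_models):
    """105_check_model_number: the module's model id must be in the package's list."""
    if model in supported_models:
        return None
    return f"This update is not for model number {model}."


def readiness_check(device, update_info, supported_models):
    """Run all gates; return the list of fatal messages (empty means PASSED)."""
    results = [signature_gate(update_info),
               model_gate(device["model"], supported_models),
               version_gate(device["version"])]
    return [msg for msg in results if msg]


if __name__ == "__main__":
    # Constructed inputs: the already-upgraded module versus the one still on 6.1.0.6.
    pkg = {"is_sig_valid": 1, "update_type": "Cisco Network Sensor Upgrade"}
    print(readiness_check({"model": 66, "version": "6.2.3.1"}, pkg, {66}))  # version fails
    print(readiness_check({"model": 66, "version": "6.1.0.6"}, pkg, {66}))  # []
```

Running the check against the 6.2.3.1 module reproduces the version failure in the log above, which is why the check has to be run on the module that is still on 6.1.0.6.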

 

 

 

Hi

 

It seems confusing.

If the firepower module is already running 6.2.3.1, why do you need to install 6.2.3?

If the script is identifying the version incorrectly, then it might be a bug, and I would suggest opening a TAC case.

The error about the model also indicates that the file downloaded might not be right one.

I am also assuming that this is about ASA with firepower module and not the ASA box running FTD code.

 

Hope it helps,

Yogesh

Dear Mr. Yoghdanu,

 

As I told above, everything is correct. Don't bother about that. Yes, the script is identifying it incorrectly, because it compares (BEGIN 000_start/105_check_model_number.sh) the version from /etc/sf/ims.conf, which is the firepower module config file. Why does it check that file for the version if I want to upgrade the ASA itself, not the FPM? How is it supposed to know which ASA it is updating? What is the difference between launching the readiness check from the GUI and on the console? I tried to pass the uid to install_update.pl; it didn't work.

 

P.S. Yes, this is ASA with FPM, not FTD. 

 

 

Yes, you are right. The script would check /etc/sf/ims.conf as that's where the firepower module information is stored.

ASA IOS code is different. Version 6.2.3 is for the Firepower module only. It's not for the ASA.

ASAs still continue to run 9.x.x code.

 

Hope that clarifies it.

 


[screenshot: cisco.png]

I'm not talking about IOS. See the screenshot above. I can't update that second device to 6.2.3.1, as I've explained many times in the posts above.

 

@yogdhanu: "The script would check /etc/sf/ims.conf as that's where the firepower module information is stored."

Yes, that's what I'm saying. It checks and sees the 6.2.3 software version in /etc/sf/ims.conf, but on my second device the version is 6.1.0.6. That's why it doesn't go further, as it thinks the device is updated.

 

Hi Pasha,

 

Thanks for the screenshot. I assume there are 2 ASA with firepower module where 1 has been updated and other has not been.

If you are trying to run the upgrade from the first ASA module (which is already upgraded) for the secondary, it will fail. Both modules are treated as individual modules even if the ASAs are in HA.

So the upgrade script or attempt needs to be run from secondary ASA module which is still on 6.1.0.6.

 

Maybe I am getting all of this wrong and there is something wrong on the device itself which is causing the upgrade to fail even if you are doing everything correctly. If my understanding above is incorrect, I would suggest opening a TAC case so someone can remote in to the system and verify why and where things are going wrong.

 

Hope it helps,

Yogesh

-So the upgrade script or attempt needs to be run from secondary ASA module which is still on 6.1.0.6.

Yes, exactly! But how should I run it only on the secondary ASA? I get an exception error from the GUI; that's why I was trying to do it manually from the console.

 

Ok, I solved this problem. Another question. Now it shows this:

Starting script: 200_pre/001_check_reg.pl
Entering 001_check_reg.pl
Device registration in progress. Cannot continue. at 200_pre/001_check_reg.pl line 15.

 

From script: 

my $regdone = SF::PeerManager::Registration::isPeerNotFinishedRegistration();

if ($regdone != 0) {
    warn "Device registration in progress. Cannot continue.";
    exit 1;
}

 

I can't understand what it means.

 

Hi Pasha,

 

it means the device on which upgrade is running isn't registered with the FMC.

If you run "show managers" on the CLISH mode of the device, it should probably show manager details with status as pending.

Please finish the manager (FMC) registration first and then this script would pass.

 

Hope it helps,

yogesh
