
ASA 5545 Firepower configuration

emetesh
Level 1

Greetings,

New ASA 5545 install
Cannot browse to firepower module @ 10.51.51.3 to register licensing

ASA connected to layer 3 switch
Switch - int vlan 51 10.51.51.1/29
2 ports in vlan 51
ASA - g0/1 10.51.51.2/29 DG 10.51.51.1
ASA - firepower 10.51.51.3/29 DG 10.51.51.1 (If DG is 10.51.51.2, cannot ping firepower module)

ASDM seems to work fine, did the Startup Wizard
FirePower Status tab says UP with Normal operation, but bottom of screen says No DC configured

From CLI in session sfr "configure manager add 10.51.51.3 xxxxxx" results in Active Peer already exits. (the xxxxxx is just a made up key at this point, correct?)

Thanks for any direction



Philip D'Ath
VIP Alumni

The Firepower module uses the management port on the ASA.  Have you got the management port plugged in as well?

Yes, I am 95% certain the 2nd line from the switch is going to the management port, and it is up.  (95% because I am helping someone remotely with this new install)

Marvin Rhoads
Hall of Fame

If you want to use ASDM to manage your FirePOWER module, you need to be running ASA 9.5(2) and FirePOWER 6.0. In that case, you do not configure a manager in the FirePOWER module setup.

If you do not have that prerequisite software, then you need to have a real FirePOWER Manager (aka Defense Center) set up and register the FirePOWER module to it. You then redeem the licenses using the DC license key and apply them to the managed module(s) from there.

In neither case are you able to browse to the module IP. The ASA modules do not have the built-in html to present a Web UI like the hardware appliances do. Even for the hardware appliances, you still install the licenses on the FirePOWER Manager and apply them from there.

Update - it's actually 9.5(1.5) (or later) that added support for managing FirePOWER 6.0 modules via ASDM 7.5(2).

Thank you for the reply.  I just updated the asa to 9.5(2) as you stated.  The firepower module is at 5.3.1-152.  I don't see a Firepower button on the Configuration page as the Update Firepower guide mentions. 

"and FirePOWER 6.0"

Only with FirePOWER 6.0 / ASA 9.5(2) (and ASDM 7.2(2)) or later will you be able to manage FirePOWER through ASDM. (Except for the 5506, 5508 and 5516-X "Kenton" models which included it earlier.)

You will need to reimage the module with FirePOWER 6.0 (cli process from the ASA) or else use a FirePOWER Manager (licensed) to get there.

Thanks for that info.  Which direction do you suggest?  This will be the only ASA in the organization.

I have always enjoyed reading your posts.  Thank you for your great contributions.

Personally even if I only had one ASA with FirePOWER module, I'd still spin up the FirePOWER Manager. The purchase cost is quite low for the 2-device management license (US$500 list price with Smartnet support @US$100/year).

While almost all of the basic protection features are available either way, the dedicated management servers can store more historical logs, customize dashboards, generate emails based on configurable conditions, be backed up and restored, etc.

That said, if you don't have a VMware environment and only need the basic protection then the ASDM-based management is an acceptable alternative. 

Thanks again.  I upgraded the ASA to 9.5(2) and the module to 6.0.0.  However, I can't see any change in the ASDM GUI.  The messages at the end of the firepower install... "Note that registering the sensor to Firepower Management center disables on-sensor Firepower services management capabilities." And the firepower status screen still wants a DC configured

I took that to mean you didn't have to use an FMC.  So she does need a firepower VM regardless?  I was hoping for a solution similar to the 5510 and TrendMicro

You are using ASDM 7.5(2) - right?

If that is so and you have the basic FirePOWER module setup completed - including network settings with a gateway that allows your ASDM client to reach it - you should see the FirePOWER module in the ASDM GUI.

show module sfr detail

...from the ASA cli will verify the setup. ASDM pulls this information under the covers and uses it to know there is a functioning FirePOWER (sfr) module and the configured IP address. It then pulls information from the module using a separate https connection to that address to populate the FirePOWER configuration and monitoring sections as well as to communicate changes to the module.

No DC / FirePOWER Manager needs to be set up in the FirePOWER module when managing via ASDM.
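
The checks described in this reply, as an added example that is not part of the original post or Cisco tooling: a Python script that reads saved `show module sfr detail` output and lists what would block ASDM management. The sample text is constructed, and its "Label: value" field names are an assumption about the command's output layout.

```python
import ipaddress
import re

# Constructed sample, not captured from a device. The "Label: value" field
# names are assumed to match what `show module sfr detail` prints.
SAMPLE = """\
Card Type:          FirePOWER Services Software Module
Model:              ASA5545
Software version:   5.3.1-152
Status:             Up
Mgmt IP addr:       10.51.51.3
Mgmt Network mask:  255.255.255.248
Mgmt Gateway:       10.51.51.1
DC addr:            No DC Configured
"""

def parse_fields(text):
    """Turn 'Label: value' lines into a dict keyed by the label."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields

def asdm_readiness(text):
    """Return a list of problems that block ASDM management of the module."""
    f = parse_fields(text)
    problems = []
    if f.get("Status") != "Up":
        problems.append("module status is not Up")
    m = re.match(r"(\d+)\.(\d+)", f.get("Software version", ""))
    if not m or (int(m.group(1)), int(m.group(2))) < (6, 0):
        problems.append("module software is older than FirePOWER 6.0")
    try:
        net = ipaddress.ip_network(
            f"{f['Mgmt IP addr']}/{f['Mgmt Network mask']}", strict=False)
        if ipaddress.ip_address(f["Mgmt Gateway"]) not in net:
            problems.append("management gateway is outside the management subnet")
    except (KeyError, ValueError):
        problems.append("management IP, mask or gateway missing or malformed")
    # A missing "DC addr" field is treated as no manager configured.
    if "no dc" not in f.get("DC addr", "No DC Configured").lower():
        problems.append("a manager (DC) is configured; ASDM management is disabled")
    return problems

if __name__ == "__main__":
    for p in asdm_readiness(SAMPLE) or ["ready for ASDM management"]:
        print(p)
```
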

Thank you Thank you Marvin.  I wasn't able to revisit this ASA issue for a few days.  In the meantime, the PC hosting the ASDM was rebooted and now the other FirePower tabs, buttons, and menu options are visible.  Maybe a cache issue, there...don't know..

Thanks again for your great insight in this issue
