Solved: Re: ASA 5585-X FirePOWER install - Not able to access SSP-10 module

gsidhu · ‎06-12-2017

Hi

I will be installing FirePOWER (SFR) Services on ASA 5585-X SSP-10 module

I have ssh session to ASA but I am unable to get a response from the SSP-10.

From the details below please can somebody tell me why I am having this issue and how it can be resolved:

Thanks

p2vpn# show module all

Mod Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5585-X Security Services Processor-10 wi ASA5585-SSP-10     JAD2xxxxxx
   1 ASA 5585-X Half Width Network Module with 4 ASA5585-NM-4-10GE JAD20xxxxxx

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 0078.8805.3e9c to 0078.8805.3ea7 4.0          2.0(14)1     9.6(3)1
   1 70e4.22ce.deb0 to 70e4.22ce.deb3 1.0          0.0(0)0

Mod SSP Application Name           Status           SSP Application Version
---- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
   1 Up                 Up

p2vpn# show module 0 details

Card Type:          ASA 5585-X Security Services Processor-10 with 8GE
Model:              ASA5585-SSP-10
Hardware version:   4.0
Serial Number:      JAD201100Y8
Firmware version:   2.0(14)1
Software version:   9.6(3)1
MAC Address Range: 0078.8805.3e9c to 0078.8805.3ea7
Data Plane Status: Not Applicable
Console session:    Not ready
Status:             Up Sys

p2vpn# hw-module module ?

Available module ID(s):
1 Slot Number
2 Slot Number
p2vpn# hw-module module

p2vpn# hw-module module 1 ?
ERROR: % Unrecognized command
p2vpn# hw-module module 0 ?
ERROR: % Unrecognized command
p2vpn# hw-module module 0
^
ERROR: % Invalid input detected at '^' marker.
p2vpn# hw-module module 1 ?
ERROR: % Unrecognized command
p2vpn# hw-module module 1
ERROR: % Incomplete command

p2vpn# session 0
^
ERROR: % Invalid input detected at '^' marker.

Marvin Rhoads · ‎11-19-2017

(Moved to the appropriate forum)

As shown in your show module output, you do not have a Firepower hardware module installed in the 5585-X chassis. That's why you cannot log into the module - it isn't there.

The 5585-X uses a dedicated hardware module (which was end of sales earlier this year). Without that, you cannot configure Firepower services on that hardware platform.

If you had one, the output would like similar to the following:

ciscoasa# show module 1 details

Getting details from the Service Module, please wait...
Unable to read details from module 1

Card Type:          ASA 5585-X FirePOWER SSP-10, 8GE

View solution in original post

Flavio Miranda · ‎11-18-2017

Hi @gsidhu

Are you trying to access the FP from ASA? I mean, you opened up an SSH session with ASA and you are trying to manage the FP?

You should use FP IP address isn't it?

-If I helped you somehow, please, rate it as useful.-

Marvin Rhoads · ‎11-19-2017

(Moved to the appropriate forum)

As shown in your show module output, you do not have a Firepower hardware module installed in the 5585-X chassis. That's why you cannot log into the module - it isn't there.

The 5585-X uses a dedicated hardware module (which was end of sales earlier this year). Without that, you cannot configure Firepower services on that hardware platform.

If you had one, the output would like similar to the following:

ciscoasa# show module 1 details

Getting details from the Service Module, please wait...
Unable to read details from module 1

Card Type:          ASA 5585-X FirePOWER SSP-10, 8GE

gsidhu · ‎11-20-2017

Thank you Marvin...I had assumed that the ASA 5585-X shipped with the FP module as standard

Marvin Rhoads · ‎11-20-2017

You're welcome. They are definitely not standard - they added a hefty cost depending on the SSP type.

In addition you'd need the license even if you had the hardware.

Unfortunately if you don't have one already you cannot add it as they discontinued them a couple of months back.

The Firepower 4100 series with FTD image are much more attractive from a pricing and throughput perspective. Even the high end 2100 series may be a good alternative.