ASA FirePower module update 5.4.0

svbakulinwc
Level 1

Hello everyone,

It looks like Cisco released version 5.4 SourceFire for ASA a few days ago. We're about to commission a new ASA firewall with SFR module and I'd like to have it updated to the latest version before it goes to prod; moreover, 5.4 seems to have SSL decryption features that are not available in 5.3.

I can download updates for the defence centre (both 5.4.0 and 5.4.0.1) but when I go to Downloads\NextGen firewalls\ASA with SFR etc. I can only see the 5.4.0.1 patch (.sh file) but nothing quite like 5.4.0. I'm not sure how the actual SFR module upgrade works, but assuming that it is the same process as for the DC, the updates are not commutative.

I tried uploading the SFR module update 5.4.0.1 to the DC but it says there are no compatible devices found and that the update is intended for 5.4.0+. Of course my modules are still running 5.3.

Is it just me or is the required update missing in the downloads on Cisco.com?

 

Appreciate any information.
Stan.

Thanks Eduardo,

I'll give it a try and the file is looking like the right one. I didn't think they would have ASA images on the Sourcefire portal :)

I already downloaded and installed, go for it ...

Hi,

Instead of updating with this patch file, does it need anything done with the 5.4.0-763 boot image and install package, for a FirePOWER module with 5.3.1.x code updating to 5.4.0?

Thanks

Noel

svbakulinwc
Level 1

Me again. Even though I've downloaded what appears to be the right upgrade package (by the way, it is now available on Cisco as well), I've been having trouble upgrading my SFR modules.

DC is running 5.4.1 and it recognized the 5.4.0.1 upgrade for ASA as applicable, but shortly after the beginning of installation the process fails without providing any details.

The status is failed and that's all I managed to get from it.

I've already upgraded SFR modules to latest 5.3.1.1 but it didn't help.

I'm assuming this is probably the first upgrade of this kind ever as ASA SFR was released with 5.3 so there isn't much info on the web on this issue. I am also new to SourceFire products so unfortunately don't have much experience with their low level system stuff and debugging.

Even worse, it looks like I won't be able to raise a TAC case for some time as the distributor who sold these devices is still sorting out their underpinning contract with Cisco and they do not have Sourcefire skills internally.

Any ideas what to look at? Log files? Documentation on debugging? Will appreciate any input.

I think I could just reinstall SFR modules on ASA using new 5.4.0 images, but I'm a bit reluctant to go this path as I'm not sure what happens with licenses etc. in this case.

I have the same problem, going from 5.3.1.2-30 on the Firepower module trying to upgrade to 5.4.0-763, the update fails.

 

Did you sort this out or did you have to do a recover on the module?

 

/Johan

Hi Johan,

I actually did, without recovering the module.

It turned out that some policies, either access or intrusion, were not up-to-date on SFR modules. I'd probably ensure that device policies as well as system and health policies are also up-to-date.

After recreating the policies (which probably wasn't really required but since I didn't have many rules in them it was easy enough) and reapplying them to the devices I was eventually able to upgrade to 5.4.0 without any issue.

Surprisingly, it didn't affect that upgrade from 5.3.1 to 5.3.1.1 at all, so only 5.3 -> 5.4. That's what got me confused in the first place as I only tried 5.3.1.1 after 5.4 failed.

HTH

Stan

Hi,

Currently doing an evaluation of the product in the lab and it's exactly the same for me. After upgrading FireSIGHT DC to 5.4 the policy was marked as not in sync with the FirePOWER module.

After just reapplying the policy to the device, the upgrade started properly on the module. (Now progress 30%. Fingers crossed ;) )

Regards,

Antoine
University of Neuchatel, Switzerland
