ASA Firepower upgrade 5.4 to 6.2

wayne wan
Level 1

Our ASA5545-X firewall with FirePower module needs to be upgraded to the latest version.
We have already upgraded the ASA version to 9.14(4)22.
We need to upgrade our FirePower module from version 5.4.0.12 to version 6.6.7 because our Firesight Management Center is version 7.2 (Cisco_Secure_FW_Mgmt_Center_Virtual_VMware-7.2.3-77.tar.gz).
We understand that to upgrade to version 6.6.7, we need to upgrade to 6.2 first.

We have already downloaded the two files for the FirePower upgrade and uploaded them to the firewall:
asasfr-5500x-boot-6.2.3-4.img
asasfr-sys-6.2.3-83.pkg

We have tried two different methods to do the upgrade.

1) We tried to run the following command on the ASA command line but there is no response after we issue the following command.
sw-module module sfr recover configure image disk0:asasfr-sys-6.2.3-83.pkg

2) We tried to do the upgrade inside the Firepower. However, the syntax “system install …..” didn’t work as before.
Please see the attached file for the error when upgrading our existing FirePower version 5.4.0(764) to version 6.2.3(83).
We have experience using this command to upgrade from version 5.4.0 (763) to version 5.4.0 (764).

Best Regards,

Wayne Wan

===============

session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

^
configure Change to Configuration mode
end Return to the default mode
exit Exit this CLI session
expert Invoke a shell
help Display an overview of the CLI syntax
history Display the current session's command line history
logout Logout of the current CLI session
show Change to Show Mode
system Change to System Mode

> system install
system
Change to System Mode

> system install
^

> system install
^
configure Change to Configuration mode
end Return to the default mode
exit Exit this CLI session
expert Invoke a shell
help Display an overview of the CLI syntax
history Display the current session's command line history
logout Logout of the current CLI session
show Change to Show Mode
system Change to System Mode

=============================================================================


johnd2310
Level 8

Hi,

After you issue the command "sw-module module sfr recover configure image disk0:asasfr-sys-6.2.3-83.pkg", you need to issue the command "sw-module module sfr recover boot" i.e.

  • sw-module module sfr recover configure image disk0:asasfr-sys-6.2.3-83.pkg
  • sw-module module sfr recover boot

After the module has recovered, log in, set up the module with an IP address and install the new software

  • system install ftp://x.x.x.x/asasfr-sys-6.2.3-83.pkg

Have a look at the following guide:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Thanks

 

 

**Please rate posts you find helpful**

Marvin Rhoads
Hall of Fame

In addition to what @johnd2310 mentioned, since you are reimaging, there is no need to go to the 6.2 version first. Just update to 6.6.7 directly.

https://software.cisco.com/download/home/286271173/type/286277393/release/6.6.7

wayne wan
Level 1


Hi John/Marvin,

Thank you for your replies.
After I issued the following commands, I waited for a long time and the status is still "recover".
I also checked that I can use "session sfr console" to log in to the FirePower.
Should I run the command "system install ftp://x.x.x.x/asasfr-sys-6.2.3-83.pkg" in the FirePower now?

I tried to run "debug module-boot" but I can't see that the sfr module is updating its software.

Regards,
Wayne Wan

==========================

sw-module module sfr recover configure image disk0:asasfr-sys-6.2.3-83.pkg
sw-module module sfr recover boot
Recover issued for module sfr.

wk02dsw-1/act/pri# debug module-boot
debug module-boot enabled at level 1
wk02dsw-1/act/pri# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


Cisco FirePOWER Services Boot Image 6.2.3

asasfr login: admin
Password:


Cisco FirePOWER Services Boot 6.2.3 (4)
Type ? for list of commands
asasfr-boot>
asasfr-boot>
asasfr-boot>
asasfr-boot>
asasfr-boot>?
show => Display system information. Enter show ? for options
config => Configure the system. Enter config ? for options
system => Control system operation
setup => System Setup Wizard
support => None
delete => Delete files
ping => Ping a host to check reachability
nslookup => Look up an IP address or host name with the DNS servers
traceroute => Trace the route to a remote host
exit => Exit the session
help => Get help on command syntax
asasfr-boot>exit

Cisco FirePOWER Services Boot Image 6.2.3

asasfr login:
Escape Sequence detected
Console session with module sfr terminated.

wk02dsw-1/act/pri# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH1942J8FM
 ips Unknown                                      N/A                FCH1942J8FM
cxsc Unknown                                      N/A                FCH1942J8FM
 sfr Unknown                                      N/A                FCH1942J8FM

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 58ac.785c.2d42 to 58ac.785c.2d4b  1.0          2.1(9)8      9.14(4)22
 ips 58ac.785c.2d40 to 58ac.785c.2d40  N/A          N/A
cxsc 58ac.785c.2d40 to 58ac.785c.2d40  N/A          N/A
 sfr 58ac.785c.2d40 to 58ac.785c.2d40  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
 sfr Recover            Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual

wk02dsw-1/act/pri# show module sfr detail
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type: Unknown
Model: N/A
Hardware version: N/A
Serial Number: FCH1942J8FM
Firmware version: N/A
Software version:
MAC Address Range: 58ac.785c.2d40 to 58ac.785c.2d40
Data Plane Status: Not Applicable
Console session: Ready
Status: Recover

Hi,

Now that the module has recovered to boot image 6.2.3, you will need to run "setup" command to configure the module with hostname and ip address.

After the ip address is configured, you will be able to run the "system install " to install from ftp or http

Thanks

**Please rate posts you find helpful**
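The two "show module sfr detail" outputs posted in this thread, read programmatically: this is an added example, not part of any post and not Cisco tooling. It parses the "Key: value" lines and maps the module state to the next step the replies describe. The function names, the trimmed sample text and the interpretation of "Recover" with a ready console as "boot image is up" are assumptions drawn from the outputs shown here.

```python
import re

# Constructed samples: trimmed copies of the outputs posted in this thread.
DURING_RECOVER = """\
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type: Unknown
Model: N/A
Software version:
Console session: Ready
Status: Recover
"""

AFTER_INSTALL = """\
Card Type: FirePOWER Services Software Module
Software version: 6.2.3-83
App. Status: Up
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
"""

def parse_detail(text):
    """Turn 'Key: value' lines into a dict; empty values are kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z .]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def next_step(text):
    """Map module state to the next action (assumed mapping, based on this thread)."""
    f = parse_detail(text)
    status = f.get("Status", "")
    version = f.get("Software version") or "?"
    if status == "Recover" and f.get("Console session") == "Ready":
        # "Recover" does not change by itself: the boot image waits for input.
        return "boot-image-up: session sfr console, run setup, then system install"
    if status == "Recover":
        return "wait: console not ready yet"
    if status == "Up" and f.get("Data Plane Status") == "Up":
        if f.get("DC addr", "").startswith("No DC"):
            return "running " + version + ", not registered to an FMC"
        return "running " + version + ", managed"
    return "unknown: inspect output manually"
```
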

wayne wan
Level 1

Hi John,

Thank you for your solution.

I have updated to version 6.2. If I continue to upgrade it to version 6.7, do I need to register the sfr to the FMC first and then do the upgrade in FMC by uploading the file "Cisco_Network_Sensor_Upgrade-6.6.7-223.sh.REL.tar" to the FMC?

If I want to use the file asasfr-sys-6.6.7-223.pkg to do the install in the sfr, I need to re-image the sfr by using the image file asasfr-5500x-boot-6.6.7-1.img first, just like what I did for version 6.2, right?

Regards,

Wayne Wan

 

wk02dsw-1/act/pri# session sfr consoleshow module sfr detail
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5545
Hardware version: N/A
Serial Number: FCH1942J8FM
Firmware version: N/A
Software version: 6.2.3-83
MAC Address Range: 58ac.785c.2d40 to 58ac.785c.2d40
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.3-83
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.14.133
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.14.254
Mgmt web ports: 443
Mgmt TLS enabled: true
wk02dsw-1/act/pri#

wk02dsw-1/act/pri# show module sfr

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5545            FCH1942J8FM

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
 sfr 58ac.785c.2d40 to 58ac.785c.2d40  N/A          N/A          6.2.3-83

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.2.3-83

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up

wk02dsw-1/act/pri#

 

 

Hi,

Yes, that is correct.

If you are going to use FMC to do the upgrade, then you will need to register the module with FMC and then push the upgrade.

If you are going to use the files, then you will need to re-image with the 6.6.7 files.

Re-imaging the module is usually faster than using FMC.

Thanks

**Please rate posts you find helpful**

Hello,

I don't have a Cisco account to download asasfr-5500x-boot-6.2.3.img for my ASA.

Could you help me to download this file?

 

 

The image you are asking about is very old by now. Also, if you do not have an account then you do not have entitlement to freely download the image. It would be a violation of the terms of use for this forum to provide a copy to you.

Hello Marvin,

I have the ASA 5506 and I need to use FirePOWER. It seems to me that the image is obsolete and I have to reimage.

Here is the status of my ASA:

 

ASA-CNR-HQ# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password:
Last login: Mon Jul 15 10:56:59 UTC 2024 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

System initialization in progress.  Please stand by.
Applying 'Default Allow All Traffic' access control policy.
Remote card closed command session. Press any key to continue.

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5506            JAD194906E0

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
 sfr 00fe.c832.1815 to 00fe.c832.1815  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up

ASA-CNR-HQ# ASA-CNR-HQ# sh sfr module

ASA-CNR-HQ# dir

Directory of disk0:/

98     -rwx  111366272    09:07:52 Jun 08 2020  asa984-20-lfbff-k8.SPA
99     -rwx  34143680     09:08:38 Jun 08 2020  asdm-7101.bin
100    -rwx  71           16:17:48 Jun 15 2024  .boot_string
11     drwx  4096         18:30:14 Jun 09 2024  log
19     drwx  4096         16:21:44 Mar 19 2020  crypto_archive
20     drwx  4096         16:21:46 Mar 19 2020  coredumpinfo
101    -rwx  5837         16:00:02 Jun 15 2024  oldconfig_2024Jun17_1509.cfg
102    -rwx  5797         18:23:44 Jun 09 2024  oldconfig_2024Jun11_1532.cfg
103    -rwx  15950        16:17:54 Jun 15 2024  asa-cmd-server.log
104    -rwx  39           16:10:00 Jun 15 2024  snortpacketinfo.conf

7 file(s) total size: 145537646 bytes
7859437568 bytes total (4490506240 bytes free/57% free)
