Solved: ASA sfr module stuck in init.

Austin Clark · ‎06-03-2015

Below is my problem. The ASA can not restart, reboot or recover the sfr module. I can console into the module but restarting it there does nothing. I'm awaiting a maintenance window to restart the whole ASA and see if that will fix it.

Module sfr cannot be reset, not in Up, Down, or Unresponsive state.

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Init Not Applicable

Marvin Rhoads · ‎06-03-2015

Has it ever worked?

Have you tried "sw-module module sfr shutdown"?

Have you considered doing a "sw-module module sfr uninstall" and re-imaging?

View solution in original post

Marvin Rhoads · ‎06-03-2015

Has it ever worked?

Have you tried "sw-module module sfr shutdown"?

Have you considered doing a "sw-module module sfr uninstall" and re-imaging?

Austin Clark · ‎06-04-2015

It has been up for about 2 months. Memory maxed out at 1700KB and packets started bypassing the module. (running all UTM's on 5512x). I set the inspection map to "monitor only" and restarted the module. It didn't like that.

The module going 100KB over the allocated memory is a whole other ticket, I just need to get it back up first

I've read over your recommendations in another post and a similar problem with a CX module. I've got the instructions from your post on how to redeploy. I'll let you know how it goes after tomorrow mornings maintenance window.

__________________________UPDATE________________________

After a reboot of the ASA the same problems persisted. I was unable to get the module out of Init state, and also lost management access. I found that my "monitor only" class map was still in the config so I deleted it and was able to restart the asa and shutdown the module.

I'm currently re-intalling. You definitely have to go through initial module setup in order for the FTP transfer to work. I assume it uses the management interface for the transfer. After loading the .pkg file it verified and extracted and then asked for a reboot. I rebooted the module and some time later it asked for another reboot.

Austin Clark · ‎06-04-2015

It's all good. Thank you Marvin.

Marvin Rhoads · ‎06-04-2015

Glad to hear that.

You do need tto be careful with load on the 5512-X with the full set of features and associated policies running on the FirePOWER module. Running all those inspection does take some serious processing power and reduces the throughput accordingly. One of the main things we focus on as partners is making sure the device is appropriately sized for the anticiapted load.

Still, it shouldn't fail so ungracefully. I'd make sure you keep up on the latest patch levels to address identified issues.

Austin Clark · ‎06-04-2015

I'm keeping an eye on it. CPU load is never over 50% and it seemed liked memory crept up over time, regardless of utilization. I was the only one here early Monday morning when I noticed that the memory finally hit the ceiling. That's with no one in the office since the friday before. The week prior it was steady in major and then critical alarm.

Its like there's a memory leak.