jni Beginner

ASA5506 - firepower / sourcefire installation problems - version 6.0.0

Hello

Do any of you have problems with installation of firepower / sourcefire 6.0.0?

I have a test 5506-x firewall and I intended to use it for some firepower testing. However I do have a lot of issues with installation of version 6.0.0.

It is possible to install version 5.4, but I am able to neither install nor upgrade it. I've tried to install and upgrade it through ASA CLI, ASDM and through a FirePower Management Center (ESX version), but all fail.

The ASA itself is running:

Cisco Adaptive Security Appliance Software Version 9.5(2)
Device Manager Version 7.5(2).

1. ASA CLI

I am able to boot into the 6.0.0 image, enter IP addresses etc. and run the system install from an FTP server. It does download, extract and start to install the image, but then simply stops.

A sh module gives me this

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
sfr  Recover            Not Applicable

Steps for CLI install

sw-module module sfr uninstall
debug module-boot
sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.0.0-1005.img
sw-module module sfr recover boot
session sfr console

setup
system install ftp://10.10.62.3/asasfr-sys-6.0.0-1005.pkg

2. ASDM / FMC

I tell the firewall to install the .sh file. It does start the install, but it also fails ultimately during upgrade. Sometimes it just fails, other times the task manager informs me about heartbeat issues and also fails.

As said before, I am able to install version 5.4, but after install I do get some errors in the log (see below) which would explain why I get heartbeat issues and cannot upgrade through ASDM or Management Center.


Jan 08 2016 12:39:17: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 12:39:20: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 12:39:24: %ASA-3-323001: Module sfr experienced a control channel communication failure.
Jan 08 2016 12:39:24: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.

Jan 08 2016 12:40:30: %ASA-5-505005: Module sfr is initializing control communication. Please wait...
Jan 08 2016 12:40:30: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 12:40:37: %ASA-1-505015: Module sfr, application up "ASA FirePOWER", version "5.4.1-211" Normal Operation
Jan 08 2016 12:40:37: %ASA-5-505006: Module sfr is Up.
Jan 08 2016 12:40:38: %ASA-1-505011: Module sfr data channel communication is UP.
Jan 08 2016 12:40:41: %ASA-1-505011: Module sfr data channel communication is UP.

Jan 08 2016 13:36:03: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 13:36:05: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 13:36:13: %ASA-3-323001: Module sfr experienced a control channel communication failure.
Jan 08 2016 13:36:13: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 13:37:19: %ASA-5-505005: Module sfr is initializing control communication. Please wait...
Jan 08 2016 13:37:19: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 13:37:29: %ASA-3-323001: Module sfr experienced a control channel communication failure.
Jan 08 2016 13:37:30: %ASA-5-505005: Module sfr is initializing control communication. Please wait...
Jan 08 2016 13:37:37: %ASA-1-505015: Module sfr, application up "ASA FirePOWER", version "5.4.1-211" Normal Operation
Jan 08 2016 13:37:37: %ASA-5-505006: Module sfr is Up.
Jan 08 2016 13:37:37: %ASA-1-505011: Module sfr data channel communication is UP.
Jan 08 2016 13:37:41: %ASA-1-505011: Module sfr data channel communication is UP.

Any suggestions what to try next? Am I missing something or are we talking about a bug or defective hardware?

Thank you for your time.
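As an added example (not part of the original post), this Python sketch turns the %ASA-323006 / 323001 / 505011 messages quoted above into outage windows, so repeated sfr restarts can be measured or alerted on. It assumes the timestamp layout shown in the excerpt; treating 505011 as the end of an outage is a choice made for this example.

```python
import re
from datetime import datetime

# Message IDs exactly as they appear in the log excerpt in the post.
DOWN_IDS = {"323006", "323001"}  # data / control channel communication failure
UP_IDS = {"505011"}              # data channel communication is UP

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<id>\d{6}): Module (?P<mod>[\w-]+)"
)

# Abridged from the log lines quoted in the post.
SAMPLE_LOG = """\
Jan 08 2016 12:39:17: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 12:39:24: %ASA-3-323001: Module sfr experienced a control channel communication failure.
Jan 08 2016 12:40:30: %ASA-5-505005: Module sfr is initializing control communication. Please wait...
Jan 08 2016 12:40:37: %ASA-5-505006: Module sfr is Up.
Jan 08 2016 12:40:38: %ASA-1-505011: Module sfr data channel communication is UP.
Jan 08 2016 12:40:41: %ASA-1-505011: Module sfr data channel communication is UP.
Jan 08 2016 13:36:03: %ASA-1-323006: Module sfr experienced a data channel communication failure, data channel is DOWN.
Jan 08 2016 13:37:29: %ASA-3-323001: Module sfr experienced a control channel communication failure.
Jan 08 2016 13:37:37: %ASA-1-505011: Module sfr data channel communication is UP.
"""

def outage_windows(lines, module="sfr"):
    """Return (start, end, seconds) for each span in which the module was down."""
    windows, start = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["mod"] != module:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["id"] in DOWN_IDS and start is None:
            start = ts                      # first failure opens a window
        elif m["id"] in UP_IDS and start is not None:
            windows.append((start, ts, int((ts - start).total_seconds())))
            start = None                    # repeated UP messages are ignored
    if start is not None:
        windows.append((start, None, None))  # still down at end of log
    return windows

if __name__ == "__main__":
    for start, end, secs in outage_windows(SAMPLE_LOG.splitlines()):
        print(f"sfr down from {start} to {end} ({secs}s)")
```
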

Accepted Solutions

Beginner

I had the same issue and I was able to resolve it through installing 5.4 boot image and package and installing all the updates. During my upgrade to 5.4.1.2 the update got hung and I was able to resolve this. I provided a link to help fix a hung update. One other note is that to upgrade to 6.0.0 you need to run the patch 5.4.1.999 prior to updating to 6.0. You will need to add them manually after downloading from Cisco support site in the upgrade page, after that you can download the remaining updates for 6.0.x from Firesight or ASDM.

Link to fix hung update:

https://supportforums.cisco.com/discussion/12632501/asa5506-x-sfr-module-upgrade-5413-26-error

Please rate if this helps!

28 REPLIES

Hall of Fame Guru

When you've uninstalled a software module (such as the sfr), you need to reinstall it via the two step process - boot image and then setup and proceed with system image. Both images must be the exact same version.

The system image installation takes a while on the small 5506 - a couple of hours isn't unusual. You can tail or examine some detailed log files if you're having problems although that's best done with guidance from the TAC.

jni Beginner

Hello Marvin

Thank you for your answer. I did try to both upgrade from 5.4 -> 6.0 and also try to uninstall completely and reinstall through the two step process (img + pkg). Neither is working.

The update fails at some time during upgrade before it reaches 100% (last couple of times with a "lost heartbeat") and a complete reinstall through CLI also never finishes. 

The complete reinstall terminated the last two times at this point:

Mod-sfr 420> Status: Mapping host 0x2aab38e00000 to VM with size 16777216
Mod-sfr 421> Warning: vlan 0 is not connected to host network
Console session with module sfr terminated.

If I try to reconnect to the console (session sfr or session sfr console) it fails.

The session sfr: Module sfr did not respond to session request. (since it is Recover status)

The session sfr console: It will connect (Connected to module sfr. Escape character sequence is 'CTRL-^X'.) but I am not able to enter anything. It just hangs.

The only img/pkg I am able to install is the 5.4.1-211 and no matter what I cannot install the 6.0.

Beginner

I have the same problem on my 5506 as well running the same versions as jnielsen. Attempting to upgrade via the .sh file OR a clean install with the 6.0 boot image and .pkg file fails every time—which totals about 8 attempts so far. 

Also fails if trying to patch from 5.4.1-211 to 5.4.1.4-15 using the .sh file via ASDM. I let each attempt run for about 12 hours at one point to no avail. The point at which they fail is different every time. When this all happens sh module sfr simply shows a status of "unresponsive." It will stay that way until I force a reboot and start from scratch again. Crazy.

jni Beginner

Yes, I am experiencing the exact same problem/symptoms

Enthusiast

Any fixes for this?  I just tried doing a new install on two 5512X and both loaded the boot and system image, but then hang after the reboot.

I was able to successfully upgrade some of my 5512s that were running 5.4.0.4-55.

jni Beginner

I haven't heard anything. I also haven't been investigating a lot because the customer has bought PaloAlto FWs instead. They were tired of waiting for a solution.

Cisco Employee

Yes, tailing the log file definitely shows a more exact view of what is happening. I suffered from the same symptoms as most others here. When you upgrade it seems to step back through all the earlier patches. From my own tail -f of the log file as I upgraded to 5.4.1.8:

ui:[5.4.1.7 at 1%] Running script 000_start/100_start_messages.sh...
ui:[5.4.1.7 at 3%] Running script 000_start/105_check_model_number.sh...
ui:[5.4.1.7 at 5%] Running script 000_start/107_version_check.sh...
ui:[5.4.1.7 at 14%] Running script 000_start/400_run_troubleshoot.sh...
ui:[5.4.1.7 at 15%] Running script 200_pre/001_check_reg.pl...
ui:[5.4.1.7 at 16%] Running script 200_pre/002_check_mounts.sh...
ui:[5.4.1.7 at 17%] Running script 200_pre/003_check_health.sh...
ui:[5.4.1.7 at 29%] Running script 200_pre/201_disable_faild.sh...
ui:[5.4.1.7 at 30%] Running script 200_pre/202_disable_syncd.sh...
ui:[5.4.1.7 at 31%] Running script 200_pre/400_restrict_rpc.sh...
ui:[5.4.1.7 at 32%] Running script 200_pre/500_stop_system.sh...
ui:[5.4.1.7 at 35%] Running script 200_pre/999_enable_sync.sh...
ui:[5.4.1.7 at 39%] Running script 450_prior_updates/100_run_prior_updates.sh...
ui:[5.4.1.6 at 0%] Running script 000_start/100_start_messages.sh...
ui:[5.4.1.6 at 2%] Running script 000_start/105_check_model_number.sh...
ui:[5.4.1.6 at 4%] Running script 000_start/107_version_check.sh...
ui:[5.4.1.6 at 9%] Running script 000_start/113_EO_integrity_check.pl...
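As an added example (not part of the original post), this Python sketch parses the "ui:[version at N%] Running script ..." lines shown above, reports the last step reached per version, and lists the points where the update hands off to an earlier patch, which is where a stalled upgrade is most easily misread. The line format is assumed to be exactly what the excerpt shows; the function names are made up for this example.

```python
import re

STEP_RE = re.compile(
    r"^ui:\[(?P<ver>[\d.]+) at (?P<pct>\d+)%\] Running script (?P<script>\S+?)\.\.\.$"
)

# Abridged from the tail -f output quoted in the post.
SAMPLE_LOG = """\
ui:[5.4.1.7 at 32%] Running script 200_pre/500_stop_system.sh...
ui:[5.4.1.7 at 35%] Running script 200_pre/999_enable_sync.sh...
ui:[5.4.1.7 at 39%] Running script 450_prior_updates/100_run_prior_updates.sh...
ui:[5.4.1.6 at 0%] Running script 000_start/100_start_messages.sh...
ui:[5.4.1.6 at 2%] Running script 000_start/105_check_model_number.sh...
ui:[5.4.1.6 at 4%] Running script 000_start/107_version_check.sh...
ui:[5.4.1.6 at 9%] Running script 000_start/113_EO_integrity_check.pl...
"""

def parse_steps(lines):
    """Return (version, percent, script) for every progress line; skip anything else."""
    steps = []
    for line in lines:
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m["ver"], int(m["pct"]), m["script"]))
    return steps

def prior_update_handoffs(steps):
    """(parent version, script that handed off, nested version) per version change."""
    return [(a[0], a[2], b[0]) for a, b in zip(steps, steps[1:]) if a[0] != b[0]]

def summarize(lines):
    """Last (percent, script) seen per version, the hand-offs, and the final step."""
    steps = parse_steps(lines)
    per_version = {}
    for ver, pct, script in steps:
        per_version[ver] = (pct, script)  # dict keeps first-seen order
    return {
        "versions": per_version,
        "handoffs": prior_update_handoffs(steps),
        "last_step": steps[-1] if steps else None,  # where a hung update is sitting
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ver, (pct, script) in report["versions"].items():
        print(f"{ver}: {pct}% at {script}")
    print("hand-offs:", report["handoffs"])
```
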

Cisco Employee

Hi,

Please make sure for 6.0 you are meeting the minimum requirements.

Refer link: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/relnote/firepower-system-release-notes-version-600.html

Is there any exact error message that you can share for where it is stuck?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

jni Beginner

If I try to do a CLI upgrade (and hence eliminate possible issues with Management Center), the ASA5506-X is running firepower ver. 5.4.

The ASA itself is running

Cisco Adaptive Security Appliance Software Version 9.5(2)
Device Manager Version 7.5(2).

According to the documentation the minimum requirements are "ASA version 9.4(2) or 9.5(1.5)".

There isn't much of an error message when trying to install through the CLI. After installing the boot image and the setup (IP, GW, hostname, DNS, NTP etc.), I'll try to install the image itself (system install ftp://10.10.62.3/asasfr-sys-6.0.0-1005.pkg). It will do the downloading, verifying and extraction of the pkg and begin to install. It will run for a while and then it just hangs. It isn't possible to connect to the module any more (session sfr or session sfr console) and a show module gives the following output:

# sh mod

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
1    ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD191602G9
sfr  Unknown                                      N/A                JAD191602G9

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1    78ba.f9da.3987 to 78ba.f9da.3990  1.0          1.1.1        9.5(2)
sfr  78ba.f9da.3986 to 78ba.f9da.3986  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1    Up Sys             Not Applicable
sfr  Recover            Not Applicable

I tried to install the upgrade again two days ago and I haven't touched the firewall since, but still no luck (so it shouldn't be the case that it just "takes a long time").

@Tim Harrington: Do you have anything to add?

Cisco Employee

Hi,

Unfortunately we have a doc bug filed for time taken for on box devices. I have seen a case where in upgrading SFR to 6.0 took about 4 hours on asa 5506 or any onbox appliances.

 This is because the management center is built into the local system so Firesight management features as well as Firepower service functionalities will need to be upgraded.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Beginner

Aha. That would definitely explain it, Aastha. I know it's rather soon, but is there any ETA on a fix for that? Thanks.

Contributor

Any particular fix that was ever given for this same issue?  I'm experiencing exact same symptoms.

Thanks!

Cisco Employee

Hello Lucas,

Which is the version that you are trying to move to and what is the existing version that you have? Please attach a screenshot of the error that you are facing.

Regards

Jetsy