
Can we manage Cisco ASA 5585-X Firepower SSP-40 with ASDM?

vishal agavane
Level 1

Hi,

 

I have an ASA5585-SSP-40 appliance. I want to know whether we can manage ASA Firepower (ASA5585-SSP-SFR40) using ASDM, or whether we are required to use FireSIGHT Management Center.

 

I could see on the Cisco website that we can manage Firepower with ASDM if we match the firmware of the ASA, Firepower and ASDM as suggested by Cisco, but it's not mentioned whether that's applicable to the ASA 5585.

 

Lastly, I currently have SSP application version "5.3.1-155". I want to upgrade the SSP application version from 5.3.1-155 to 6.2.2-3, which seems to support Firepower management through ASDM.

 

I want to know the procedure to upgrade the Firepower image. I could see a document on how to install the Firepower image through ROMMON> mode, but I need to know the procedure to upgrade the Firepower image. I have seen one post on the upgrade procedure in which we have to paste the image in the parent ASA flash/disk0: and then use the commands below; however, I couldn't see any sw-module module... command available in Cisco ASA configure mode or privileged mode. The current ASA software version is 9.6 (3)1 (asa963-1-smp-k8.bin).

 

ASA(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.0.0-1005.img
ASA(config)# sw-module module sfr recover boot

Can someone please guide me on how to upgrade the ASA Firepower image?

 

4 Replies

Marvin Rhoads
Hall of Fame

There's no "sw-module" (software module) command because the 5585-X uses a hardware module.

 

You can re-image your hardware modules to 6.2.2 using the commands outlined here:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html

 

(The document was written before ASDM-based management was an option for the 5585-X so you can ignore the parts about FMC.) 

 

While you can manage it using ASDM, you have limited functionality - no ability to sync the Firepower configs between members of an HA pair, no historical reporting, etc.

 

Most customers with an ASA 5585-X need those features and more and thus choose to manage the Firepower module(s) with FMC.

Many thanks for your reply.

 

It means we have only the ROMMON> option to upgrade the Firepower firmware? Correct me if I am wrong.

 

I have tried to follow the suggested procedure for the Firepower firmware upgrade; however, I couldn't ping my management IP address in ROMMON mode. I'm quite familiar with ROMMON mode, but this time I have no clue. After setting up the management port IP and other settings, I couldn't ping the TFTP server from Firepower ROMMON mode, nor the management interface's own IP address; the physical interface showed up. Please refer to the logs below.

 

I have noticed one thing: when the Firepower module boots completely, I can ping the management IP address (192.168.10.1), but it's not working when Firepower is in ROMMON mode. Is that a ROMMON version/firmware issue? If you have any idea then please share.

 

---------------------------------

 

Cisco Systems ROMMON Version (2.0(14)1) #0: Sat Jan 25 16:44:38 CST 2014

Platform ASA 5585-X FirePOWER SSP-40, 6GE, 4SFP+

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Management0/0
Link is UP
MAC Address: ecbd.1dee.6d40


Use ? for help.
rommon #0> set
ROMMON Variable Settings:
  ADDRESS=192.168.10.1
  SERVER=192.168.10.10
  GATEWAY=192.168.10.254
  PORT=Management0/0
  VLAN=untagged
  IMAGE=/tftpboot/asasfr-5500x-boot-6.2.2-3.img
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=10

rommon #1> ping 192.168.10.1
Sending 10, 100-byte ICMP Echoes to 192.168.10.1, timeout is 4 seconds:
??????????
Success rate is 0 percent (0/10)
rommon #2> ping 192.168.10.10
Sending 10, 100-byte ICMP Echoes to 192.168.10.10, timeout is 4 seconds:
??????????
Success rate is 0 percent (0/10)
rommon #3>

 

-------------

Double check that the cabled management interface is the one on the sfr module (top slot) and not the base ASA (bottom slot).

 

Is it correct that your management address is .1 and the gateway is .10? That's a bit odd, as the more common usage would be to have the gateway as .1.

Thanks for your support.

 

Everything was correct; however, I changed the interface from Eth0 to Eth1 and the IP from 192.168 to 1.1.1.1, and then I could ping the TFTP server from ROMMON mode. However, I wasn't able to ping the FA IP from the TFTP server, nor from ROMMON itself!

 

Secondly, I've observed that the step mentioned below from the suggested document didn't work, so I used "IMAGE=asasfr-boot-5.3.1-152.img" instead of "IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img", and then it started working.

 

rommon #4> IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img

 
