Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2250
Views
20
Helpful
8
Replies

Cisco ASA 5506-X with FirePOWER fails to login.

michael
Level 1
Level 1

‎05-20-2017 03:35 PM - edited ‎03-10-2019 06:50 AM

Hi... I performed the following upgraded to the ASA FirePower (module) application and it seems the ASDM Launcher stuck at 28% into authentication. Below are the two patch files I used for the upgrade. The pre-install completed successfully however when uploading the sensor patch I lost connectivity to the sourcefire. 

found this dc address not configured...... any thoughts ?

Card Type:          FirePOWER Services Software Module

Model:              ASA5506

Hardware version:   N/A

Serial Number:      JAD2032043V

Firmware version:   N/A

Software version:   5.4.1-211

MAC Address Range:  - deleted :)

App. name:          ASA FirePOWER

App. Status:        Up

App. Status Desc:   Normal Operation

App. version:       5.4.1-211

Data Plane Status:  Up

Console session:    Ready

Status:             Up

DC addr:            No DC Configured                                            

Mgmt IP addr:       192.168.1.2                                                

Mgmt Network mask:  255.255.255.0                                              

Mgmt Gateway:       192.168.1.1                                                 

Mgmt web ports:     443                                                        

Mgmt TLS enabled:   true                                                       

Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999-1.sh

Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh

I'm attaching an image and txt file from the show module sfr log console

Thank you for any help.

Michael

Labels:
Preview file
101 KB
Preview file
518 KB
Preview file
176 KB
0 Helpful
8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-21-2017 12:45 AM

"No DC Configured" simply means the module is not configured to use a Defense Center (old name for FirePOWER Management Center) and instead use ASDM.

If the module has never been used or has a minimal configuration, I'd skip the upgrade and just re-image it to 6.2 and go from there. You will save yourself a lot of time and headache that way.

michael
Level 1
Level 1
In response to Marvin Rhoads

‎05-21-2017 01:21 AM

Hi Marvin, Thanks for getting back to me! You are correct the module has it's default configuration. I did a reset and reload and that brought back everything accept for the no DC Configured issue. I'll will give the reimage a whirl.

However it's been a long time since I worked with CLI. So I was hoping you might have a url to a list of relevant commands. I'm having fun with that [noconfirm] response in correlation to the necessary command line options to finalize the tasks.

Thank you again..

Michael.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to michael

‎05-21-2017 01:51 AM

You're welcome. Beyond the initial setup which is described in the quick start guide, there is very little you ever need to do in the sensor cli.

When troubleshooting, the TAC (and expert users) may change to expert mode to drop into the Linux bash shell and check some files and processes.

michael
Level 1
Level 1
In response to Marvin Rhoads

‎05-21-2017 08:11 AM

Hi Marvin,

I am assuming there is no simple string of code I can use to input the correct DC address to port?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to michael

‎05-21-2017 08:27 AM

If you have a FirePOWER Management Center (aka DC), you can add it from the module's cli via the command:

configure manager add <host address or name> <registration key>

Reference:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html#anc4

michael
Level 1
Level 1
In response to Marvin Rhoads

‎05-21-2017 08:46 AM

That is exactly what I needed... Thank you Marvin!!

0 Helpful

michael
Level 1
Level 1
In response to Marvin Rhoads

‎05-21-2017 11:50 PM

Hi Marvin,

I attached a screenshot of the ASDM CLI asking me to input [confirmation]. Is the "noconfirm" even possible to execute with the ASDM CLI or am I messing up when adding it as a perimeter. Because according to "CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.3 " I am not seeing anything that indicates to use SSH to Install or Reimage the Software Module. Am I messing up on the "appropriate noconfirm option? Thank you for any further help or insight on adding the option as the parameter to the command... sw-module module sfr recover boot noconfirm

Result of the command: "sw-module module sfr recover boot noconfirm"
sw-module module sfr recover boot noconfirm
                                  ^
ERROR: % Invalid input detected at '^' marker.

Michael

Preview file
86 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to michael

‎05-22-2017 04:47 AM

"noconfirm" is not an option with the module recovery command. You have to perform that from the actual cli - not via the ASDM cli tool.

The command reference is the best place to confirm things like that. Here's the link to that specific command:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s17.html#pgfId-1608801

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card