
Cisco ASA5525-X with FPWR Services - Can't initialize FirePower Module

Hi,

I'm struggling to pass the initial configuration for the Firepower Service. As soon as I log into the sfr module I get into the wizard, which asks for IP address, subnet, GW, DNS, etc. After providing all that info it tries to initialize and eventually fails with the error "System (/usr/local/sf/bin/service_control.sh iptables restart) Failed -- (iptables-restore: line 1 failed)" and then returns to the sfr login prompt again. It starts over once I log in and stays in this loop.

 

Any clue? 


Marvin Rhoads
Hall of Fame

What version of the ASA and Firepower service module are you using?

 

Check via:

show version
show module sfr detail

...and please share the output.

Hi Marvin

It's ASA 5512-X and SFR version is 5.4.0-764

Hi,

Can you post a show module sfr detail output?

You might need to upgrade the FP module (to 6.0).

Hi John

Thank you for the response.

Below is the output

 

Card Type:          FirePOWER Services Software Module
Model:              ASA5512
Hardware version:   N/A
Serial Number:      FCH21147UA4
Firmware version:   N/A
Software version:   5.4.0-764
MAC Address Range:  a023.9f15.50f3 to a023.9f15.50f3
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       5.4.0-764
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            No DC Configured
Mgmt IP addr:       10.101.210.3
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       10.101.210.1
Mgmt web ports:     443
Mgmt TLS enabled:   true

 

Thanks

Like @tonypearce1 said, don't even bother with the 5.4 image. It is way past out of date.

 

6.2.3.5 is the most recent version. So re-image the module to 6.2.3 and then go from there. Do make sure your 5512-X ASA software is at or above the compatible version as well (9.5(2) or higher - the current recommendation would be 9.8(2)38 - https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.2%20Interim)

Hi Marvin

Actually this is installed at a client location, that too in production and that too in the Govt. of another country, so getting downtime and upgrading is not our 1st approach.

We would prefer to get it working 1st and then ask the client to give downtime for an upgrade.

 

Thanks

You don't necessarily have to upgrade the ASA. What release is it running? If it's 9.5(2) or later then you can perhaps re-image the module to 6.2.3.

 

See the compatibility guide here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59075

 

Trying to work with 5.4.0 is a losing battle.
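A pre-check of the version constraints discussed in the replies above, as an added example that is not part of the thread and not Cisco tooling: it parses `show module sfr detail` output and compares the ASA release against the 9.5(2) minimum quoted for a 6.2.3 module. The function names are hypothetical, and the sample text is trimmed from the output posted earlier in the thread.

```python
import re

# Values stated in the thread: re-image target 6.2.3, which needs ASA 9.5(2) or later.
TARGET_MODULE = (6, 2, 3)
MIN_ASA_FOR_TARGET = (9, 5, 2, 0)

def parse_module_detail(text):
    """Turn the 'Key:   value' lines of `show module sfr detail` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def parse_asa_version(version):
    """'9.8(2)38' -> (9, 8, 2, 38); '9.2' -> (9, 2, 0, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\)(\d+)?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_module_version(version):
    """'5.4.0-764' -> (5, 4, 0); the build number after '-' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def reimage_check(asa_version, module_detail):
    fields = parse_module_detail(module_detail)
    module = parse_module_version(fields["Software version"])
    return {
        "module_below_target": module < TARGET_MODULE,
        "asa_supports_target": parse_asa_version(asa_version) >= MIN_ASA_FOR_TARGET,
        # A module can report "Status: Up" with no management address stored,
        # as in one of the outputs posted in the thread, so check it separately.
        "mgmt_configured": bool(fields.get("Mgmt IP addr")),
    }

# Sample trimmed from the `show module sfr detail` output posted in the thread.
SAMPLE = """\
Card Type:          FirePOWER Services Software Module
Software version:   5.4.0-764
Status:             Up
Mgmt IP addr:       10.101.210.3
"""

if __name__ == "__main__":
    print(reimage_check("9.2", SAMPLE))
```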

Hi Marvin

Thanks a ton for the support.

It's on 9.2. It was somebody else's spoiled baby which has fallen in my lap.

I will make an attempt to follow what you have suggested and will share an update.

 

Thanks and take care

As Marvin said, you don't necessarily need downtime. As it's not working at
the moment anyway, I take it that you don't have the ASA service policy set
to drop traffic yet. You can place the ASA in monitor-only mode, then
re-image the module without any need for downtime.

I had to involve Cisco TAC as I had some urgency and they concluded that re-imaging of Firepower Module is the only fix and eventually mine was re-imaged with the most recent 6.2.3. It fixed the issue as well.

 

Hope it helps others who faced a similar issue.

Hi

Got the same response... my ASA is 9.2, so they have suggested upgrading ASA, ASDM & SFR.

 

Thanks

I have a similar problem, details below: new unit and unable to download images from Cisco due to service contract limitations :(

 

Card Type: FirePOWER Services Software Module
Model: ASA5525
Hardware version: N/A
Serial Number: FCH2237724C
Firmware version: N/A
Software version: 6.2.2-81
MAC Address Range: 706d.15c8.42b7 to 706d.15c8.42b7
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.2-81
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr:
Mgmt Network mask:
Mgmt Gateway:
Mgmt web ports: 443
Mgmt TLS enabled: true

tonypearce1
Level 3

Looks like a bug. 

Lots of features added in 6.x versions. Unless there's a specific reason why you must stick to / deploy an old version I'd suggest re-imaging to 6.2. I also can't see your specific version available for download on the software portal. 

If you want to stick to 5.4.0 then you would need to install 5.4.0 and then incrementally upgrade to the latest, which would take a long time given the number of 5.4.0 versions there are. So it might be easier to install the 6.2.3 and upgrade to the latest.
