09-27-2018 02:34 PM - edited 03-12-2019 07:00 AM
Hi,
I'm struggling to pass initial configuration for Firepower Service. As soon as I log into the sfr module I get into the wizard that asks for IP address, subnet, GW, DNS etc. After providing all that info it tries to initialize and eventually fails with the error "System (/usr/local/sf/bin/service_control.sh iptables restart) Failed -- (iptables-restore: line 1 failed)" and then returns to the sfr login prompt again. It starts over once I log in and stays in this loop.
Any clue?
09-27-2018 10:29 PM
What version of the ASA and Firepower service module are you using?
Check via:
show version
show module sfr detail
...and please share the output.
10-01-2018 07:54 AM
Hi Marvin
It's an ASA 5512-X and the SFR version is 5.4.0-764
10-01-2018 06:35 PM
Hi,
Can you post a show module sfr detail output?
You might need to upgrade the FP module (to 6.0).
10-03-2018 01:51 AM
Hi John
Thank you for the response.
Below is the output:
Card Type: FirePOWER Services Software Module
Model: ASA5512
Hardware version: N/A
Serial Number: FCH21147UA4
Firmware version: N/A
Software version: 5.4.0-764
MAC Address Range: a023.9f15.50f3 to a023.9f15.50f3
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.4.0-764
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.101.210.3
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.101.210.1
Mgmt web ports: 443
Mgmt TLS enabled: true
Thanks
10-01-2018 11:32 PM
Like @tonypearce1 said, don't even bother with the 5.4 image. It is way past out-of-date.
6.2.3.5 is the most recent version. So re-image the module to 6.2.3 and then go from there. Do make sure your 5512-X ASA software is at or above the compatible version as well (9.5(2) or higher - the current recommendation would be 9.8(2)38 - https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.2%20Interim)
10-03-2018 01:55 AM
Hi Marvin
Actually this is installed at a client location, in production at that, and in the Govt. of another country, so getting downtime and upgrading is not our 1st approach.
We would prefer to get it working 1st and then ask the client to give downtime for an upgrade.
Thanks
10-03-2018 01:59 AM
You don't necessarily have to upgrade the ASA. What release is it running? If it's 9.5(2) or later then you can perhaps re-image the module to 6.2.3.
See the compatibility guide here:
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59075
Trying to work with 5.4.0 is a losing battle.
10-03-2018 02:19 AM
Hi Marvin
Thanks a ton for the support.
It's on 9.2. It was somebody else's spoiled baby which has fallen in my lap.
I will make an attempt to follow what you have suggested and will share an update.
Thanks and take care
10-03-2018 09:32 AM
I had to involve Cisco TAC as I had some urgency, and they concluded that re-imaging the Firepower module is the only fix. Eventually mine was re-imaged with the most recent 6.2.3. It fixed the issue as well.
Hope it helps others who face a similar issue.
10-04-2018 01:33 PM
Hi
Got the same response. My ASA is 9.2, so they have suggested upgrading ASA, ASDM & SFR.
Thanks
05-16-2019 06:54 AM
I have a similar problem, details below: new unit and unable to download images from Cisco due to service contract limitations :(
Card Type: FirePOWER Services Software Module
Model: ASA5525
Hardware version: N/A
Serial Number: FCH2237724C
Firmware version: N/A
Software version: 6.2.2-81
MAC Address Range: 706d.15c8.42b7 to 706d.15c8.42b7
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.2-81
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr:
Mgmt Network mask:
Mgmt Gateway:
Mgmt web ports: 443
Mgmt TLS enabled: true
10-01-2018 07:08 PM
Looks like a bug.
Lots of features added in 6.x versions. Unless there's a specific reason why you must stick to / deploy an old version I'd suggest re-imaging to 6.2. I also can't see your specific version available for download on the software portal.
If you want to stick to 5.4.0 then you would need to install 5.4.0 and then incrementally upgrade to the latest, which would take a long time given the number of 5.4.0 versions there are. So it might be easier to install 6.2.3 and upgrade to the latest.