
Firepower module (ASA5516-X) upgrade from 6.6.5 to 7.0.4 fails at 92%

Hi,

I have hit issues when upgrading the Firepower sensors on an ASA 5516-X in HA. The sensors on each ASA were upgraded at the same time. One sensor completed the upgrade successfully while the other failed with the below error:

Apply Cisco Network Sensor Upgrade 7.0.4-55 to FSFR-XXXX
[92%] Fatal error: Error running script 999_finish/989_flip_mbr.sh.

The ASA shows the module as unresponsive:


Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Not Applicable   6.6.5-81

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1    Up Sys             Not Applicable
sfr  Unresponsive       Not Applicable

Although the module shows as unresponsive, I am able to log into the SFR from the ASA.

The upgrade log on SFR:

[221103 13:03:37:897] Starting script: 999_finish/989_flip_mbr.sh
Entering 999_finish/989_flip_mbr.sh...

Update Lilo, wth dir /
Found device type SALEEN.
No device config variables file found for this device ( /usr/local/etc/devcfg.variables.SALEEN doesn't exist)
enter run_lilo_and_depmod()

### RUNNING LILO

LILO version 24.2 (released 22-November-2015)
* Copyright (C) 1992-1998 Werner Almesberger (until v20)
* Copyright (C) 1999-2007 John Coffman (until v22)
* Copyright (C) 2009-2015 Joachim Wiedorn (since v23)
This program comes with ABSOLUTELY NO WARRANTY. This is free software
distributed under the BSD License (3-clause). Details can be found in
the file COPYING, which is distributed with this software.

Warning: Ignoring entry 'default'
Reading boot sector from /dev/sda
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Warning: /proc/partitions references Experimental major device 253.
Using MENU secondary loader
Calling map_insert_data

write map file: Structure needs cleaning
Fatal error: Something went wrong running lilo in the chroot (/new-root)
**********************************************************

The FMC shows the device as healthy in the health monitor, but in the Devices section the device is grey with a spanner next to it.

It appears that the upgrade is waiting for the issue to be resolved and then the continue instruction to be passed to it. I have tried the continue; however, as expected, the upgrade fails at the same point.

Any advice on how to resolve this issue would be great. 

Thanks

Nick


Marvin Rhoads
Hall of Fame

Are you sure your ASA 5506-X appliances were running 6.6.5? The last version that was supported on those devices was 6.2.3.x. That applies for either Firepower service modules or FTD on them:

https://software.cisco.com/download/home/286283326/type/286277393/release/6.2.3.18

https://software.cisco.com/download/home/286283326/type/286306337/release/6.2.3.18

In any case, they definitely will not run 7.0. The installation should not have even passed a compatibility pre-check.

If you are talking about an ASA 5516-X instead, it will run 7.0.4. If the upgrade corrupted the module, you may need to reimage it. In that case, you can just reimage straight to 7.0.4 using the boot image and install package.

https://software.cisco.com/download/home/286285782/type/286277393/release/7.0.4

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc7

https://community.cisco.com/t5/security-blogs/reimage-firepower-module-in-cisco-5500-x-firewall-models/ba-p/3760395


Thank you Marvin,

You are correct. That ASA model was a typo. I will edit the initial post. 

Yes, a re-image was my initial thought.

Thanks

Nick
