05-01-2019 01:24 AM - edited 02-21-2020 09:05 AM
Hi all,
We have two ASA 5525-X Firewalls in our Public Zone with a failover setup. Both ASAs are running SFR module version 5.4.0.2. Now we have planned to upgrade the FirePOWER module to version 6.3.0. Since our FirePOWER module version is 5.4.0.2, upgrading the FirePOWER module through FirePOWER Management Center becomes more hectic. So we have planned to uninstall the existing FirePOWER module 5.4.0.2 from the ASA 5525-X and freshly install FirePOWER module 6.3.0.
Our doubt is, when uninstalling FirePOWER module version 5.4.0.2 from the ASA 5525-X, must we reload the ASA, or is it an optional step?
In the ASA, we configured the SFR redirection policy to permit traffic if the SFR card fails (fail-open). So will uninstalling the existing SFR module affect the traffic flow?
Is there any Cisco guide with a complete procedure to uninstall and reinstall the SFR module in a failover setup?
Are there any other constraints we need to consider before doing the SFR module uninstall and install, especially for a failover setup?
Also, will upgrading FirePOWER Management Center affect the FirePOWER module devices?
Please help us...
Thanks.
05-01-2019 09:25 AM
05-01-2019 07:34 PM
@GRANT3779 - perfect - well said.
05-04-2019 12:20 AM
Hi GRANT,
Thanks for your reply.
With respect to uninstalling the SFR module in a failover setup, if we have set the ASA to block all traffic when the SFR fails (fail-close), should we disable traffic redirection from the ASA to the SFR module by removing the SFR redirection policy?
If we need to do it, where should we start? In the Active ASA or the Standby ASA?
For example, if we remove the SFR redirection policy in the Active ASA, it will be replicated to the Standby ASA. So overall, will all the traffic bypass or avoid the SFR module?
With Regards,
Magesh Kumar.G
05-04-2019 01:15 AM
Hi Magesh,
I have always removed the class from the policy-map when doing this. E.g. if you were using the global policy (see below) you would go in there and remove the class below. I think in theory you could also amend the action to fail-open, but I have always been more cautious and just removed the whole redirect. Another way I guess would be to just deny all traffic in your redirect ACL so it doesn't go to the SFR. If you do any of the above on the primary it will in turn apply to the secondary. Just remember though that the actual SFRs are completely independent of each other and when rebuilding them, they will both need to be done.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class YOUR_SFR_REDIRECT
  sfr fail-close
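Added example (not part of GRANT3779's reply): ASA CLI for the three ways described above to stop redirecting traffic to the SFR module before the uninstall, with the checks to run afterwards. The class name YOUR_SFR_REDIRECT comes from the reply; the ACL name SFR_REDIRECT_ACL is an assumed placeholder for whatever your class-map matches.

```cisco
! Starting point (as in the reply): redirect class set to fail-close, so if the
! module goes down, matched traffic is dropped rather than passed.
policy-map global_policy
 class YOUR_SFR_REDIRECT
  sfr fail-close
!
! Option 1 (what the reply recommends): remove the whole redirect class.
! Nothing is sent to the SFR any more, regardless of module state.
policy-map global_policy
 no class YOUR_SFR_REDIRECT
!
! Option 2: keep the class but let traffic pass when the module is down.
policy-map global_policy
 class YOUR_SFR_REDIRECT
  no sfr fail-close
  sfr fail-open
!
! Option 3: keep the policy, but shadow the redirect ACL with a deny at line 1
! so no flow matches the class. SFR_REDIRECT_ACL is an assumed ACL name.
access-list SFR_REDIRECT_ACL line 1 extended deny ip any any
!
! Checks: confirm no packets are being redirected, and that the change
! replicated from the active unit to the standby.
show service-policy sfr
show failover
!
! The SFR modules are independent of the ASA failover pair: shut down and
! uninstall the module on each ASA in turn, not just on the active unit.
sw-module module sfr shutdown
sw-module module sfr uninstall
```

Apply the policy change on the active unit only; failover replication carries it to the standby, but the sw-module commands must be run on each ASA.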
05-04-2019 03:04 AM - edited 05-04-2019 03:51 AM
So you mean if we disable traffic redirection on the ASA, all the traffic will bypass the SFR module? But we always need to send our traffic through the SFR module.
Below I have briefly described my plan; please let me know if you find any gaps...
Thanks.
With Regards,
Magesh Kumar.G
05-04-2019 04:40 AM
Hi Magesh,
Yes, that sounds at a high level like a plan if you require constant inspection from Firepower during the upgrades.