Solved: Firepower Services for ASA upgrade Need help on best path

D. STM · ‎05-15-2017

Ok, I have a 5506, waiting on replacement at some point my firepower services stopped working, I didn't have it in line do to pending swap, but I wanted to upgrade the software and get the latest firepower services setup. Currently on 7.8 ASDM and 9.8.1release. When I go into my file management I can see the asasfr-5500x-boot-5.4.1-211.img there not set to any status, so when I boot up I don't get any Firepower services.

I would like to upload the latest version but is there a step process, or can I pull in a new version and then go through the steps to install, etc.

Any help would be great, I haven't messed with this in a while, once it had issue I powered it off, it runs, but seems to be forever waiting for a replacement and I currently have time to get this updated, as I know I will have to do it on the new one when it comes.

Any help getting this Firepower services updated would be appreciated.

Thank you, D

Marvin Rhoads · ‎05-16-2017

You are really on the edge with those brand new ASA and ASDM versions. I'm guessing this is not a production environment.

For the sfr module, you are best off just re-imaging it with the 6.0 boot image file (asasfr-5500x-boot-6.2.0-362.img edit: asasfr-5500x-boot-6.2.0-2.img) and then bootstrapping and installing asasfr-sys-6.2.0-362.pkg. Both can be found here:

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286277393&release=GeoDB&relind=AVAILABLE&rellifecycle=&reltype=latest

Once you have that finished, patch to the current patch level (6.2.0.1 as of this posting date).

You will also need the sfr licenses (Control license at a minimum and optionally Protect subscription, URL and Malware licenses)

View solution in original post

Marvin Rhoads · ‎05-16-2017

Sorry about that. You are correct - it should be the asasfr-5500x-boot-6.2.0-2.img file that you boot when re-imaging to 6.2.

I edited my earlier reply to correct that guidance.

View solution in original post

Marvin Rhoads · ‎05-16-2017

You are really on the edge with those brand new ASA and ASDM versions. I'm guessing this is not a production environment.

For the sfr module, you are best off just re-imaging it with the 6.0 boot image file (asasfr-5500x-boot-6.2.0-362.img edit: asasfr-5500x-boot-6.2.0-2.img) and then bootstrapping and installing asasfr-sys-6.2.0-362.pkg. Both can be found here:

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286277393&release=GeoDB&relind=AVAILABLE&rellifecycle=&reltype=latest

Once you have that finished, patch to the current patch level (6.2.0.1 as of this posting date).

You will also need the sfr licenses (Control license at a minimum and optionally Protect subscription, URL and Malware licenses)

D. STM · ‎05-16-2017

When I looked under 6.2, I don't see this asasfr-5500x-boot-6.2.0-362.img

I see the one you said to boot strap to, and install asasfr-sys-6.2.0-362.pkg

Thank you for the help.

Marvin Rhoads · ‎05-16-2017

Sorry about that. You are correct - it should be the asasfr-5500x-boot-6.2.0-2.img file that you boot when re-imaging to 6.2.

I edited my earlier reply to correct that guidance.

D. STM · ‎05-17-2017

Thank you, I will give it a try hopefully tonight, and let you know how it goes.

D. STM · ‎05-19-2017

Thanks Marvin, I'm backup, all updates, .img, pkg, spa, etc rules and what not. definitely a learning experience. in one of the documents it said to make sure you refresh the outside port when it reboot as it can get flaky, it's done that twice after booting, I have to go in and toggle the outside enable disable until it pulls its DHCP IP. Sort of wish I could run the firepower views external to the ASA, as the ASDM is a resource hog. I'm up to 6.2.0.1:59. Running good. geo updated, rule updated. Since this box has been designated to replaced when Cisco gets around to (probably sooner now I redid it all), it's not my main, so now I can play with it more.

Thank You,
DSM.

Marvin Rhoads · ‎05-19-2017

You're right about the pain of incremental upgrades. I have given this feedback to Cisco (as have many other partners and customers).

I almost never advise running ASDM for FirePOWER management apart from a home lab. FirePOWER Management Center on its own server is the better choice for most use cases.

D. STM · ‎05-20-2017

Short of buying the VM version your stuck with that asdm correct? Do you know if the VM version runs on VMWare workstation? Or since its Linux could you put on its own intel based hardware? These spilt platforms are great in the beginning for small shop it's when the updates come that the performance starts to hinder.

D. STM · ‎05-16-2017

Also, the image that is there now will it be over written, or should I go in file management and remove it. asasfr-5500x-boot-5.4.1-211.img , what is weird is when I first go to the IP for management and get the ASDM page, if I just launch the java asdm, I see no firepower, if I install the client to launch or go through the setup steps, when I finally get in, it shows the firepower tab, but when I go there, there is nothing there, just the fairy blank page like its not running. I believe it said version 6 on that page, so im thinking a failed update. I was udating this months ago when they released the update that would let you be able to sub interface the ports to sort of make like a switch like the 5505, and something went sideways then with the update. At that time, early Feburary is when they announced the hardware issue show I shut it down and been waiting for replacement. I figured since I have in non-production, why not go through it and document it to upgrade, that way when they do replace it I have already worked through it (probably a couple times). So that's where I am at. Thank you for your guidance.