Solved: Re: No enable command ASA 5508-x

mawg64 · ‎09-24-2017

I got a new 5508-x at work. Out of the box went through the defaults via wizard, changing the internal and management ip (already in use somewhere else). Rebooted as instructed, everything looked good. The prompt I get is a > symbol but I'm not in a normal access prompt, no enable command, no access to standard commands, config, etc. I can look at thing but cant change anything I need to like a no shut, config etc. I can get to a bash shell even tried a reboot once sudo'd via linux. Running back through the wizard, not an option. Reset button, nope. No option to start over, defintely no "do-over" option. I can see the status of the interfaces, not via normal "sho ip int br", using the provided show network command. They are all shutdown. Just a nice blinky ">". Suggestions?

mawg64 · ‎09-28-2017

If for some reason you end up like me and something isnt quite right with you new ASA 5508-x with FTD and you need to get back to the begininning. I finally found some help and answers on the very bottom under "Uncommon Management Tasks". Then there was a little bit of extra to finish it up. I hope this helps some one and may you never have to use it.

Procedure

Use an SSH or CLI in to the box.

Step 1 > expert

at the bash prompt sudo and set the time, date and timezone.

Step 2 Delete any managers.

> configure manager delete

If you enabled any feature licenses, you must disable them in

Firepower Device Manager before deleting the local manager.

Otherwise, those licenses remain assigned to the device in Cisco

Smart Software Manager.

Do you want to continue[yes/no] yes

Deleting task list

Manager successfully deleted.

Step 3 > show managers

No managers configured.

Step 4 > Configure manager local

Step 5 > show managers

Managed locally.

Step 6 Set your system to get a DHCP ip

You can now use a web browser to open the Firepower Management Center

.

By clearing the configuration, you will be prompted to complete the device setup wizard.

If you still cant log into the web interface

Step 1 > show network

You should have the default DHCP addresses in the Gateway and for IPv4, or at least in the subnet.

If not then reset everything to DHCP

Step 2 > configure network ipv4 and/or ipv6 dhcp

This may take some time to run. Once this is done your management computer should get a DHCP ip.

The addresses in the Gateway and for IPv4 should go back to DHCP.

Check you system to make sure it got a DHCP address.

If not, set it to DHCP

Once everything is DHCP give it a minute to shuffle and arp. It took me 5 mins before I could log into the web portal. I was gettin ready to start all over again. And then like magic it all worked.

LAST THING TO DO!

One at a time, write you configs on each device and reboot after writing. Patientce is a virtue. It takes

about 5 mins to get back to a normal state and talking to each other.

View solution in original post

Francesco Molino · ‎09-24-2017

Hi

Did you tried doing login command at the prompt and type your credentials (user/password) to access the enable privilege 15 mode ?

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mawg64 · ‎09-24-2017

I do have to login with username and password.

Karsten Iwen · ‎09-24-2017

Based on your sayings, I would assume that you are running an FTD image where the CLI is quite different to a traditional ASA. Is there any output for "show version" or can you show what is given by typing the question-mark?

mawg64 · ‎09-24-2017

I can get a menu of options with the ?. If I'm not mistaken I can get a show version option. Not at work right now to check, but I'm reasonably sure of that, since it was how I also got to see the interfaces/network.

Francesco Molino · ‎09-24-2017

Yeah send the output of show version.
Like Karsten said, your certainly running ftd image and you don't have three save cli commands as you have with asa

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mawg64 · ‎09-24-2017

Ok I'll ASAP Monday morning.

Thanks

Marvin Rhoads · ‎09-25-2017

Your ASA definitely has the Firepower Threat Defense (FTD) image. FTD does not allow configuration via the cli apart from the minimal bits required to setup management access. Thus there is no enable command.

You need to use either Firepower Device Manager (FDM = on-box GUI) or Firepower Management Center (FMC = remote management server). FDM can be accessed by browsing via https to the configured managment address.

mawg64 · ‎09-25-2017

I would do that if the interfaces were not in a no shut state. If there is a
way to do that via the FTD or linux I would have no problem. Part of
problem is there is **bleep** little documentation.

Marvin Rhoads · ‎09-25-2017

You manage an FTD device via the physical management interface (for FMC) or via inside or managemnt (for FDM).

The following quick start guide may be useful:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5508X/ftd-fdm-5508x-qsg.html

mawg64 · ‎09-25-2017

I have tried that, using both the default ip and the one I set it to. Which is what it displays using "show network" command. Unfortunately, between windows and the ASA someone is telling my laptop that there is no cable plugged in.

Marvin Rhoads · ‎09-25-2017

When you plug into Management 1/1 do you get link light?

mawg64 · ‎09-25-2017

No link light.

Marvin Rhoads · ‎09-25-2017

That's odd. I've done a dozen or so FTD configurations and have never seen a new one where the management interface wasn't enabled.

If "show network" indicates br1 is enabled and yet you have no link light you may have faulty hardware.

mawg64 · ‎09-25-2017

LOL....if you only knew how many times I've heard..."thats odd...". yeah in the running config the interfaces are all shutdown and no ips. The output of "show network" has an IPv4 Default route gateway ip, br1 has no ip, IPv4 has been manually configured and shows the network. I can get to the FTD menu and look at all sorts of things I cant change. Isnt there a way to drop out of FTD into a good old CLI? If not I'm going to have to figure out how to wipe the thing and start all over to rule out hardware. From what I've seen and tried (reset button doesnt do anything) so far that is going to be an extra bit of joy.