Recommendation stable ASA Software for Firepower 6.0.1

roesch4alc
Level 1

Hello all,

I have to install 2x 5525-X in a cluster for Firepower. We will use the most current version of Firepower, and now I would like to know your recommendations regarding the most stable/best Cisco ASA software version to use. We have no special requirements for the feature set; the firewall itself will be the gateway for production networks and has to protect the traffic going from and to this network. No VPNs will be in use, no dynamic routing. The software should be a stable release that is known to run fine with Firepower 6.0.1.

As I can see in the documentation for Firepower 6.0.1 (http://www.cisco.com/c/en/us/td/docs/security/firepower/601/relnotes/firepower-system-release-notes-version-601.html), at least we need: "running ASA version 9.4(2), 9.5(2) or 9.6(1)".

It would be great if someone could share their recommendation about which software I should go for. On a 5506-X in my lab I'm currently using 9.5.2 and I haven't faced any problems so far.

Another question regarding the Firepower upgrade process. As described in the Firepower manuals, first the FMC needs to be updated, then the Firepower module on the Cisco ASA follows. Is using FMC the best way to update the Firepower module on the ASA? Is it the recommended way? Or can I also upgrade the Firepower Services module from the CLI without losing its configuration?

Best Regards

Sebastian

12 Replies

Jetsy Mathew
Cisco Employee

Hello Team,

You can either go ahead with 6.0.1 or 6.0.1.1, which is the latest. 6.0.1.1 is very stable and several issues got resolved in that release. Thus, based on the release notes, you can upgrade or set up the ASA and install Firepower 6.0.1.1.

http://www.cisco.com/c/en/us/td/docs/security/firepower/601/6011/relnotes/firepower-system-release-notes-version-6011.html

How do you manage the SFR or Firepower module? The best way to upgrade Firepower is to use FMC. Set up the FireSIGHT Management Center and attach the sensor in a possible version; that is the best recommended way to upgrade the Firepower modules. Whenever you upgrade, the configuration is never wiped out. Only during a reimage is the configuration wiped out.

Rate and mark answers correct if they help you

Regards

Jetsy 

Hello Team,

Here are a few quick tips for cluster upgrade and Firepower upgrade.

Instructions for Clustered Devices Upgrade

* On a cluster pair, the update occurs on the devices one at a time.

* The update first applies to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. Once it finishes, it will start the update on the primary.

Rate if the post helps you

Regards

Jetsy 

Hi Jetsy,

I will use Firepower 6.0.1.1. Good to know that you experienced it as a stable version. My question was more related to which ASA software version I should use...

I use FMC and I tried to update my sensor on my lab ASA 5506-X, but I got an error... I want to update from 5.4.1. I already applied the Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999-1.sh patch, but as I applied the update to v6.0.0 using "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh", I got the error message:

"Apply to 192.168.1.1. Update Install failed". Any idea how I can troubleshoot that problem? In FMC v6 I cannot find detailed logs that could help me find the root cause of the problem...

I am restarting the Firepower module now and will try to apply the patch one more time... I will let you know if it works.

Best Regards

Sebastian

Hello ,

In the given release notes, search for "Supported Platforms and Compatibility" and confirm which model of ASA you have.

Cisco ASA with FirePOWER Services (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60)

managed device

running ASA version 9.4(2), 9.5(2) or 9.6(1)

ASA Firepower software module managed via ASDM (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60)

management

running:

  • ASA version 9.4(1), 9.4(1.5), 9.4(2), 9.5(2), or 9.6(1)
  • ASDM version 7.5.2(153), or 7.6.1

Are you trying to get the sensor updated? Verify that the update got pushed to the sensor and that the upgrade directory exists on the sensor.

If so, to verify the upgrade error, navigate to /var/log/<desired upgrade directory>/ in the sensor CLI. Let me know the messages that you can see there.

tail -f status.log

Regards

Jetsy 

Hi,

I checked the requirements; everything should be fine...

Yes, correct, I want to upgrade the sensor. FMC is already running v6.0.0.

I found the directory "/Cisco_Network_Sensor_Upgrade-6.0.0", but there is an error in the status.log:

ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/001_check_HA.pl...
ui:[ 0%] Running script 000_start/001_check_models.pl...
ui:[ 1%] Running script 000_start/003_check_DC_memory.pl...
ui:[ 1%] Running script 000_start/004_correct_fsic.sh...
ui:[ 2%] Running script 000_start/100_start_messages.sh...
ui:[ 2%] Running script 000_start/101_run_pruning.pl...
ui:[ 3%] Running script 000_start/102_check_sru_install_running.pl...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_updates.pl...
ui:[ 4%] Running script 000_start/107_version_check.sh...
ui:[ 5%] Running script 000_start/108_check_sensors_ver.pl...
ui:[ 5%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 6%] Running script 000_start/110_DB_integrity_check.sh...
ui:[ 6%] Running script 000_start/111_FS_integrity_check.sh...
ui:[ 7%] Running script 000_start/112_CF_check.sh...
ui:[ 7%] Running script 000_start/112_prune_invalid_eos.pl...
ui:[ 8%] Running script 000_start/113_EO_integrity_check.pl...
ui:[ 8%] Running script 000_start/170_link_log.sh...
ui:[ 9%] Running script 000_start/250_check_system_files.sh...
ui:[ 9%] Running script 000_start/320_remove_backups.sh...
ui:[10%] Running script 000_start/400_run_troubleshoot.sh...
ui:[10%] Running script 000_start/410_check_disk_space.sh...
ui:[11%] Running script 200_pre/001_check_reg.pl...
ui:[11%] Running script 200_pre/001_check_ucs_bios_ver.sh...
ui:[12%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[13%] Running script 200_pre/005_check_manager.pl...
ui:[13%] Running script 200_pre/006_check_snort.sh...
ui:[13%] Fatal error: Error running script 200_pre/006_check_snort.sh

Thanks,

Sebastian

Hello,

Please reapply or re-deploy all the access control policies to the sensor and restart the upgrade.

Regards

Jetsy 

Hello,

Thanks for the update. The error occurred due to the un-updated access control policy.

Please reapply or re-deploy all the access control policies to the sensor and restart the upgrade.

Whenever you upgrade a sensor, reapply all the policies and then start the upgrade.

Regards

Jetsy 

Hi,

As you said, I applied the policies and reapplied the update. But now it's stuck in the process. FMC shows: "Update completed, unable to get status from device."

When I log into the SFR's shell, this welcome banner is shown:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The Sourcefire 6.0.0 upgrade has halted, status:
[68%] Fatal error: Error running script 800_post/755_reapply_sensor_policy.pl

Log files for the halted upgrade are located beneath:
/var/log/sf/Cisco_Network_Sensor_Upgrade-6.0.0
If log files indicate upgrade failure please contact technical support.'
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

status.log:

ui:[12%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[19%] Running script 200_pre/201_disable_faild.sh...
ui:[20%] Running script 200_pre/202_disable_syncd.sh...
ui:[20%] Running script 200_pre/400_restrict_rpc.sh...
ui:[23%] Running script 200_pre/999_enable_sync.sh...
ui:[25%] Running script 300_os/200_check_chroot_mount.sh...
ui:[53%] Running script 800_post/140_install_VDB.sh...
ui:[68%] Running script 800_post/755_reapply_sensor_policy.pl...
ui:[68%] Fatal error: Error running script 800_post/755_reapply_sensor_policy.pl

755_reapply_sensor_policy.pl.log:

**********************************************************
[160708 12:06] Starting script: 800_post/755_reapply_sensor_policy.pl
entering 800_post/755_reapply_sensor_policy.pl
Reapplying Device Configuration entry


malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "\x{5}\a\x{3}\x{0}\x{0}...") at /usr/lib/perl5/site_perl/5.10.1/Error.pm line 273
Error::subs::run_clauses('HASH(0xab637f8)', 'malformed JSON string, neither array, object, number, string ...', undef, 'ARRAY(0xab63a68)')
called at /usr/lib/perl5/site_perl/5.10.1/Error.pm line 390
Error::subs::try('CODE(0xa0d2ba0)', 'HASH(0xab637f8)')
called at /usr/local/sf/lib/perl/5.10.1/SF/Sensor.pm line 2938
SF::Sensor::applyChanges(undef, undef, 'HASH(0xa0d9138)')
called at 800_post/755_reapply_sensor_policy.pl line 47
malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "\x{5}\a\x{3}\x{0}\x{0}...") at /usr/local/sf/lib/perl/5.10.1/SF/EODataHandler/Default.pm line 92.
->stringify()
exiting 1
**********************************************************

Any ideas what to do next?

Hello Team,

I have verified the errors and confirmed that the error can occur if there is an object in the EO tables whose revision is outdated. For this we need the help of Cisco TAC to escalate the issue to the engineering team and get a fix. You are not supposed to edit anything regarding the EO tables. Thus make sure that you contact the Cisco TAC.

Rate if my post helps you.

Regards

jetsy 

Hi Jetsy,

I opened a TAC case... Seems to be abnormal behaviour...

Thanks for your assistance!

Regards

Sebastian

Hi,

You can log in to the FMC CLI and follow the commands below to see exactly where it failed:

$cd /var/log/sf/Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999

$cat status.log

This will show at which step the upgrade is failing.

Thanks,

Ankita
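The status.log excerpts posted earlier in this thread and the `cat status.log` advice above share one format: a `Running script` line per upgrade step and a single `Fatal error` line where the upgrade halts. The following is an added triage helper, not Cisco's code or anything from this thread, that parses that format and reports the phase directory, the failing script and the last script that completed; the sample log it carries is a constructed excerpt in the same shape, not a real capture.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes as they appear in the sensor's status.log quoted in this thread:
#   ui:[ 5%] Running script 000_start/108_check_sensors_ver.pl...
#   ui:[13%] Fatal error: Error running script 200_pre/006_check_snort.sh
RUN_RE = re.compile(r"^ui:\[\s*(\d+)%\] Running script (\S+?)\.\.\.$")
FAIL_RE = re.compile(r"^ui:\[\s*(\d+)%\] Fatal error: Error running script (\S+)$")

# Constructed excerpt in that format (not a real capture), used for the checks below.
SAMPLE_STATUS_LOG = """\
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/001_check_HA.pl...
ui:[13%] Running script 200_pre/005_check_manager.pl...
ui:[13%] Running script 200_pre/006_check_snort.sh...
ui:[13%] Fatal error: Error running script 200_pre/006_check_snort.sh
"""

@dataclass
class UpgradeStatus:
    completed: List[str] = field(default_factory=list)  # scripts that finished before any halt
    failed_script: Optional[str] = None                 # script named on the Fatal error line
    failed_percent: Optional[int] = None

    @property
    def halted(self) -> bool:
        return self.failed_script is not None

    @property
    def phase(self) -> Optional[str]:
        # Scripts are grouped by phase directory: 000_start, 200_pre, 300_os, 800_post.
        return self.failed_script.split("/")[0] if self.failed_script else None

    @property
    def last_completed(self) -> Optional[str]:
        return self.completed[-1] if self.completed else None

def triage_status_log(text: str) -> UpgradeStatus:
    # Walk status.log top to bottom and record where the upgrade stopped.
    status = UpgradeStatus()
    started: List[str] = []
    for line in text.splitlines():
        if m := RUN_RE.match(line.strip()):
            started.append(m.group(2))
        elif m := FAIL_RE.match(line.strip()):
            status.failed_percent, status.failed_script = int(m.group(1)), m.group(2)
            break  # the upgrade halts at the first fatal error, so nothing after it ran
    # Every script started before the failing one completed; the failing one did not.
    status.completed = [s for s in started if s != status.failed_script]
    return status
```

The phase directory tells you whether the halt happened in the pre-checks (`200_pre`, as with the Snort check) or after the new software was laid down (`800_post`, as with the policy reapply), which is the first thing TAC will ask.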

roesch4alc
Level 1

What Cisco ASA software version would you guys suggest I go for? Any recommendations for either 9.4, 9.5 or 9.6?

As I can see in the software reviews, 9.4.2 and 9.6.1 are recommended...


Regards

Sebastian
