07-07-2016 03:44 AM - edited 03-12-2019 06:03 AM
Hello all,
I have to install 2x 5525x in a Cluster for Firepower. We will use the most current version of Firepower and now I would like to know your recommendations regarding the most stable/best Cisco ASA Software Version to use. We have no special requirements to the featureset, the firewall itself will be the gateway for production networks and has to protect the traffic going from and to this network. No VPNs will be in use, no dynamic routing. The software should be a stable release, that is known to be running fine with Firepower 6.0.1.
As I can see in the documentation for Firepower 6.0.1 (http://www.cisco.com/c/en/us/td/docs/security/firepower/601/relnotes/firepower-system-release-notes-version-601.html), at least we need: "running ASA version 9.4(2), 9.5(2) or 9.6(1)".
It would be great if someone could share his recommendation about which software I should go for. On a 5506x in my lab I'm currently using 9.5.2 and I didn't face any problems so far.
Another question regarding the Firepower upgrade process. As described in the Firepower manuals, at first the FMC needs to be updated, then the Firepower Module on the Cisco ASA follows. Is it the best way to update the Firepower Module on the ASA to use FMC? Is it the recommended way? Or can I also upgrade the Firepower Services module in the CLI without losing its configuration?
Best Regards
Sebastian
07-07-2016 05:01 AM
Hello Team,
You can either go ahead with 6.0.1 or 6.0.1.1, which is the latest. 6.0.1.1 is very much stable and several issues got resolved in the respective release. Thus based on the release notes you can upgrade or set the ASA and install 6.0.1.1 Firepower.
http://www.cisco.com/c/en/us/td/docs/security/firepower/601/6011/relnotes/firepower-system-release-notes-version-6011.html
How do you manage the SFR or Firepower module? The best way to upgrade the Firepower is to use FMC. Set up the FireSIGHT Management Center and attach the sensor in a possible version; that is the best recommended way to upgrade the Firepower modules. Whenever you upgrade, the configuration never wipes out. Only during a reimage does the config wipe out.
Rate and mark answers correct if they help you
Regards
Jetsy
07-07-2016 05:01 AM
Hello Team,
Here are a few quick tips for cluster upgrade and Firepower upgrade.
* On a cluster pair, the update occurs on the devices one at a time.
* The update first applies to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. Once it finishes, it will start the update on the primary.
Rate if the post helps you
Regards
Jetsy
07-07-2016 05:58 AM
Hi Jetsy,
I will use firepower 6.0.1.1. Good to know, that you experienced it as a stable version. My question was more related to which ASA Software version I should use...
I use FMC and I tried to update my sensor on my lab ASA-5506x, but I got an error.... I want to update from 5.4.1. I already applied the Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999-1.sh patch, but as I applied the update to v6.0.0 using "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh", I got the error message:
"Apply to 192.168.1.1. Update Install failed". Any idea how I can troubleshoot that problem? In FMC v6 I cannot find detailed logs that could help me to find the root cause of the problem....
I'm restarting the Firepower Module now and will try to apply the patch one more time.... I'll let you know if it works now...
Best Regards
Sebastian
07-07-2016 06:12 AM
Hello ,
In the given release notes search for "Supported Platforms and Compatibility" and confirm the model of the ASA that you have.
Are you trying to get the sensor updated? Verify that the update got pushed to the sensor and that the upgrade directory exists on the sensor.
If so, to verify the upgrade error, navigate to /var/log/<desired upgrade directory>/ in the sensor CLI. Let me know the messages that you can see there with:
tail -f status.log
Regards
Jetsy
07-07-2016 06:42 AM
Hi,
I checked the requirements, everything should be fine....
Yes, correct, I want to upgrade the sensor. FMC is already running with v6.0.0.
I found the directory "/Cisco_Network_Sensor_Upgrade-6.0.0" but there is an error in the status.log:
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/001_check_HA.pl...
ui:[ 0%] Running script 000_start/001_check_models.pl...
ui:[ 1%] Running script 000_start/003_check_DC_memory.pl...
ui:[ 1%] Running script 000_start/004_correct_fsic.sh...
ui:[ 2%] Running script 000_start/100_start_messages.sh...
ui:[ 2%] Running script 000_start/101_run_pruning.pl...
ui:[ 3%] Running script 000_start/102_check_sru_install_running.pl...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_updates.pl...
ui:[ 4%] Running script 000_start/107_version_check.sh...
ui:[ 5%] Running script 000_start/108_check_sensors_ver.pl...
ui:[ 5%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 6%] Running script 000_start/110_DB_integrity_check.sh...
ui:[ 6%] Running script 000_start/111_FS_integrity_check.sh...
ui:[ 7%] Running script 000_start/112_CF_check.sh...
ui:[ 7%] Running script 000_start/112_prune_invalid_eos.pl...
ui:[ 8%] Running script 000_start/113_EO_integrity_check.pl...
ui:[ 8%] Running script 000_start/170_link_log.sh...
ui:[ 9%] Running script 000_start/250_check_system_files.sh...
ui:[ 9%] Running script 000_start/320_remove_backups.sh...
ui:[10%] Running script 000_start/400_run_troubleshoot.sh...
ui:[10%] Running script 000_start/410_check_disk_space.sh...
ui:[11%] Running script 200_pre/001_check_reg.pl...
ui:[11%] Running script 200_pre/001_check_ucs_bios_ver.sh...
ui:[12%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[13%] Running script 200_pre/005_check_manager.pl...
ui:[13%] Running script 200_pre/006_check_snort.sh...
ui:[13%] Fatal error: Error running script 200_pre/006_check_snort.sh
Thanks,
Sebastian
07-07-2016 06:44 AM
Hello,
Please reapply or re-deploy all the access control policies to the sensor and restart the upgrade.
Regards
Jetsy
07-07-2016 06:46 AM
Hello,
Thanks for the update. The error occurred due to the un-updated access control policy.
Please reapply or re-deploy all the access control policies to the sensor and restart the upgrade.
Whenever you upgrade a sensor, reapply all the policies and then start the upgrade.
Regards
Jetsy
07-08-2016 05:35 AM
Hi,
As you said, I applied the policies and reapplied the update. But now it's stuck in the process. FMC shows: "Update completed, unable to get status from device."
When I log into the SFR's shell, this welcome banner is shown:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The Sourcefire 6.0.0 upgrade has halted, status:
[68%] Fatal error: Error running script 800_post/755_reapply_sensor_policy.pl
Log files for the halted upgrade are located beneath:
/var/log/sf/Cisco_Network_Sensor_Upgrade-6.0.0
If log files indicate upgrade failure please contact technical support.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
status.log:
ui:[12%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[19%] Running script 200_pre/201_disable_faild.sh...
ui:[20%] Running script 200_pre/202_disable_syncd.sh...
ui:[20%] Running script 200_pre/400_restrict_rpc.sh...
ui:[23%] Running script 200_pre/999_enable_sync.sh...
ui:[25%] Running script 300_os/200_check_chroot_mount.sh...
ui:[53%] Running script 800_post/140_install_VDB.sh...
ui:[68%] Running script 800_post/755_reapply_sensor_policy.pl...
ui:[68%] Fatal error: Error running script 800_post/755_reapply_sensor_policy.pl
755_reapply_sensor_policy.pl.log:
**********************************************************
[160708 12:06] Starting script: 800_post/755_reapply_sensor_policy.pl
entering 800_post/755_reapply_sensor_policy.pl
Reapplying Device Configuration entry
malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "\x{5}\a\x{3}\x{0}\x{0}...") at /usr/lib/perl5/site_perl/5.10.1/Error.pm line 273
Error::subs::run_clauses('HASH(0xab637f8)', 'malformed JSON string, neither array, object, number, string ...', undef, 'ARRAY(0xab63a68)')
called at /usr/lib/perl5/site_perl/5.10.1/Error.pm line 390
Error::subs::try('CODE(0xa0d2ba0)', 'HASH(0xab637f8)')
called at /usr/local/sf/lib/perl/5.10.1/SF/Sensor.pm line 2938
SF::Sensor::applyChanges(undef, undef, 'HASH(0xa0d9138)')
called at 800_post/755_reapply_sensor_policy.pl line 47
malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "\x{5}\a\x{3}\x{0}\x{0}...") at /usr/local/sf/lib/perl/5.10.1/SF/EODataHandler/Default.pm line 92.
->stringify()
exiting 1
**********************************************************
Any ideas what to do next?
07-08-2016 05:44 AM
Hello Team,
I have verified the errors and confirmed that the error can occur if there is an object in the EO tables whose revision is outdated. For this we need the help of Cisco TAC to escalate the issue to the engineering team and get a fix. You are not supposed to edit anything regarding the EO tables. Thus make sure that you contact the Cisco TAC.
Rate if my post helps you.
Regards
jetsy
07-12-2016 12:54 AM
Hi Jetsy,
I opened a TAC case... Seems to be an abnormal behaviour...
Thanks for your assistance!
Regards
Sebastian
07-07-2016 06:14 AM
Hi,
You can log in to the FMC CLI and follow the commands below to see where it failed exactly:
$cd /var/log/sf/Cisco_Network_Sensor_6.0.0_Pre-install-5.4.1.999
$cat status.log
This will show at which step the upgrade is failing.
Thanks,
Ankita
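An added example, not from this thread or from Cisco, that scripts the status.log check the replies above describe: it parses the "ui:[NN%] Running script ..." progress lines, reports the script at which the upgrade halted, and attaches the next step the thread gave for the two failures seen here (check_snort and reapply_sensor_policy). The sample log is constructed from the lines quoted in the thread; the KNOWN_FAILURES hints are this thread's advice, not an official Cisco table.

```python
import re

# Constructed sample modelled on the status.log lines quoted in this thread;
# it is not a real capture from a sensor.
SAMPLE_STATUS_LOG = """\
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/001_check_HA.pl...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[13%] Running script 200_pre/005_check_manager.pl...
ui:[13%] Running script 200_pre/006_check_snort.sh...
ui:[13%] Fatal error: Error running script 200_pre/006_check_snort.sh
"""

# Progress lines read "ui:[ 7%] Running script <stage>/<script>..." and a halt
# reads "ui:[13%] Fatal error: Error running script <stage>/<script>".
LINE_RE = re.compile(
    r"^ui:\[\s*(?P<pct>\d+)%\]\s+"
    r"(?P<kind>Fatal error: Error running script|Running script)\s+(?P<script>\S+)"
)

# Next step per failing script, taken from the replies in this thread.
KNOWN_FAILURES = {
    "200_pre/006_check_snort.sh":
        "Re-deploy all access control policies to the sensor, then restart the upgrade.",
    "800_post/755_reapply_sensor_policy.pl":
        "Policy reapply failed after install; open a TAC case and do not edit EO tables by hand.",
}


def summarize_status_log(text: str) -> dict:
    """Report how far the upgrade got, which script halted it, and a triage hint."""
    summary = {"started": False, "last_script": None, "failed_script": None,
               "percent": None, "stage": None, "hint": None}
    for line in text.splitlines():
        if line.startswith("ui:Upgrade has begun"):
            summary["started"] = True
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        script = m.group("script").rstrip(".")  # drop the trailing "..."
        summary["percent"] = int(m.group("pct"))
        summary["stage"] = script.split("/", 1)[0]  # e.g. 200_pre
        if m.group("kind").startswith("Fatal"):
            summary["failed_script"] = script
            summary["hint"] = KNOWN_FAILURES.get(
                script, "Unknown failure; read <script>.log in the same upgrade directory.")
            break
        summary["last_script"] = script
    return summary
```

Run it against the status.log copied out of the upgrade directory on the sensor; an unknown failing script points you at that script's own .log file in the same directory, as the halted-upgrade banner in this thread does.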
07-12-2016 01:05 AM
What Cisco ASA software version would you guys suggest I go for? Any recommendations for either 9.4, 9.5 or 9.6?
As I can see in the software reviews, 9.4.2 and 9.6.1 are recommended.....
Regards
Sebastian