12-23-2017 08:15 PM - edited 02-21-2020 07:01 AM
I started off by upgrading my ASA 5506-x with ASDM 7.9(1) and ASA 9.9(1). After a reboot the Firepower section in the ASDM was missing. No problem, I thought I would just reload the SFR and reconfigure. I loaded the SFR boot image ver asasfr-5500x-boot6.2.2-3.img. I reconfigured an IP address and started an FTP download of asasfr-sys-6.2.2-81.pkg. It uncompressed and started the install just fine. Then it gets to the DB setup section of the install. I receive the following:
Mod-sfr 581> ************ Attention *********
Mod-sfr 582> Initializing the configuration database. Depending on available
Mod-sfr 583> system resources (CPU, memory, and disk), this may take 30 minutes
Mod-sfr 584> or more to complete.
Mod-sfr 585> ************ Attention *********
Mod-sfr 586> Executing S09database-init
Mod-sfr 587> backing up existing firstboot.S09database-init
Mod-sfr 588> '/var/log/firstboot.S09database-init' -> '/var/log/firstboot.S09database-init.1514
Mod-sfr 589> 084677'
Mod-sfr 591> [FAILED]
Mod-sfr 592> Executing S11database-populate
Mod-sfr 593> backing up existing firstboot.S11database-populate
Mod-sfr 594> '/var/log/firstboot.S11database-populate' -> '/var/log/firstboot.S11database-popul
Mod-sfr 595> ate.1514084890'
Mod-sfr 597> [FAILED]
Mod-sfr 598> Executing S12install_infodb
Mod-sfr 599> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 600> DBI.pm line 592.
Mod-sfr 601> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 602> DBI.pm line 592.
Mod-sfr 603> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 604> DBI.pm line 592.
Mod-sfr 605> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 606> DBI.pm line 592.
Mod-sfr 607> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 608> DBI.pm line 592.
Mod-sfr 609> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 610> DBI.pm line 592.
Mod-sfr 611> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 612> DBI.pm line 592.
Mod-sfr 613> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
At this point it just repeats the error at line 592 and eventually restarts the install over after a timeout period.
Does anyone have information of what might be going on here? Any help would be appreciated.
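An added example, not part of the original post: a small triage script for a saved `Mod-sfr` console capture like the one above, which reports each firstboot stage, its bracketed status, and how many DB retry errors it logged, so the first failing stage stands out. The function names are hypothetical, and the only status token seen on this page is `[FAILED]`; any other bracketed token is recorded as-is.

```python
import re

# Excerpt of the console output quoted in the post above.
SAMPLE = """\
Mod-sfr 586> Executing S09database-init
Mod-sfr 587> backing up existing firstboot.S09database-init
Mod-sfr 591> [FAILED]
Mod-sfr 592> Executing S11database-populate
Mod-sfr 593> backing up existing firstboot.S11database-populate
Mod-sfr 597> [FAILED]
Mod-sfr 598> Executing S12install_infodb
Mod-sfr 599> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 600> DBI.pm line 592.
Mod-sfr 601> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
Mod-sfr 602> DBI.pm line 592.
Mod-sfr 603> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF
"""

LINE = re.compile(r"^Mod-sfr\s+\d+>\s?(.*)$")      # console prefix + payload
STAGE = re.compile(r"^Executing (S\d+\S+)")        # e.g. S09database-init
STATUS = re.compile(r"^\[\s*(\w+)\s*\]$")          # e.g. [FAILED]

def summarize(console_text):
    """Return {stage: {"status": str, "db_retries": int}} in execution order."""
    stages, current = {}, None
    for raw in console_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                # not a module console line
        text = m.group(1).strip()
        if (s := STAGE.match(text)):
            current = s.group(1)
            stages[current] = {"status": "unknown", "db_retries": 0}
        elif current and (st := STATUS.match(text)):
            stages[current]["status"] = st.group(1)
        elif current and text.startswith("DB error - will retry"):
            stages[current]["db_retries"] += 1
    return stages

def first_failure(stages):
    """Name of the earliest stage marked FAILED, or None."""
    return next((n for n, i in stages.items() if i["status"] == "FAILED"), None)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for name, info in result.items():
        print(f"{name:28} {info['status']:8} db_retries={info['db_retries']}")
    print("first failing stage:", first_failure(result))
```

On the excerpt, the database-init stage fails before any of the "Cannot connect to DB" retries appear, which is the ordering to look for in a longer capture.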
12-24-2017 06:12 AM
I tried this install with ROMMON 1.1.8 and ROMMON 1.1.12 with the same results.
12-24-2017 06:38 AM
It's definitely listed as compatible which generally means at least basic verification testing was done during the ASA code QA.
The steps you took match what I would have done. At this point I'd suggest opening a TAC case if you have support on the device. You could try a complete module uninstall - reinstall but that would probably land you back where you are.
12-24-2017 06:45 AM
Marvin, thank you. I will try an uninstall. Unfortunately I don't have support on this ASA at home, but my work ASAs I do. I'll let you know what happens.
12-24-2017 06:48 AM
Sure - please do let us know.
I have an ASA 5506 in my home lab (with support) but I'm using it to run the FTD image. If it wasn't so laborious to switch, I would just flip it over to ASA with Firepower service module to test. But... that takes forever (well a couple of hours anyway) on a 5506.
12-24-2017 08:33 AM - edited 12-24-2017 08:37 AM
After a reboot I tried to uninstall but received the following:
ciscoasa(config)# sw-module module sfr shutdown
Shutdown module sfr? [confirm]
Shutdown issued for module sfr.
ciscoasa(config)# sh mod
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
1    ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JADxxxxxxxx
sfr  Unknown                                      N/A                JADxxxxxxxx
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1    0027.e3c1.9b50 to 0027.e3c1.9b59  2.0          1.1.12       9.9(1)
sfr  0027.e3c1.9b4f to 0027.e3c1.9b4f  N/A          N/A
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  Unknown                        No Image Present Not Applicable
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1    Up Sys             Not Applicable
sfr  Down               Not Applicable
ciscoasa(config)# sw-module module sfr uninstall
Unable to uninstall Module sfr, it does not have a software image installed.
ciscoasa(config)#
I'm going to try one more time to install.
12-24-2017 09:56 AM
12-24-2017 05:57 PM
Well - I'm grasping at straws but here are a few other things I could think to check (in order of their effort required):
1. Verify the MD5 checksum of your asasfr-sys-6.2.2-81.pkg file against what's posted on the cisco.com download site.
2. Try to revert your ASA to 9.8(x) and re-run the sfr installation process.
3. Completely re-initialize the ASA from the disk level up. Follow the procedure for converting from FTD to ASA image in order to do that (reload, interrupt rommon boot to format disk and then load ASA image from tftp) as detailed here:
I'd be more surprised to see anything result from the #2 since (as I understand it) the ASA code shouldn't really be interacting with the sfr code at that point in the installation process.
Also, if you do have other ASAs with Firepower under support you could always open a TAC case inquiring about any known issues "in preparation for" upgrading one of them.
12-25-2017 08:10 AM
I verified MD5 hashes for ASA, ASDM, SFR packages and they all match what is on the Cisco download site. I'm going to try option 3 and let you know what happens. Happy holidays.
01-31-2018 11:12 AM
After many failed attempts, this is what fixed the problem.
1. Factory default the ASA5506-x.
2. Upgrade the ASA and ASDM software to 9.9.1 and 7.9.1.
3. Install the latest FirePower.
4. Reconfigure from scratch.
I don't know why a factory default was necessary. But all upgrade attempts with my configuration loaded failed.
Marvin, thank you for your help over the holidays.
01-31-2018 09:22 PM
You're welcome. Thanks for updating us on the outcome.
I'll consider myself forewarned before jumping on 9.9(1) just yet. From your experience, it seems the QA is a bit lacking on that release at this point.