Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2771
Views
0
Helpful
10
Replies

SFR missing after 9.9(1) upgrade on ASA 5506-x

Go to solution
jjohnsonphx
Level 1
Level 1

‎12-23-2017 08:15 PM - edited ‎02-21-2020 07:01 AM

I started off by upgrading my ASA 5506-x with ASDM 7.9(1) and ASA 9.9(1).  After a reboot the Firepower section in the ASDM was missing.  No problem, I thought I would just reload the SFR and reconfigure.  I loaded the SFR boot image ver asasfr-5500x-boot6.2.2-3.img. I reconfigured an IP address and started a FTP download of asasfr-sys-6.2.2-81.pkg.  It uncompressed and started the install just fine.  Then it gets to the DB setup section of the install.  I receive the following:

 

Mod-sfr 581> ************ Attention *********

Mod-sfr 582>    Initializing the configuration database.  Depending on available

Mod-sfr 583>    system resources (CPU, memory, and disk), this may take 30 minutes 

Mod-sfr 584>    or more to complete.

Mod-sfr 585> ************ Attention *********

Mod-sfr 586> Executing S09database-init

Mod-sfr 587> backing up existing firstboot.S09database-init

Mod-sfr 588> '/var/log/firstboot.S09database-init' -> '/var/log/firstboot.S09database-init.1514

Mod-sfr 589> 084677'

Mod-sfr 591>                                                                       [FAILED]

Mod-sfr 592> Executing S11database-populate

Mod-sfr 593> backing up existing firstboot.S11database-populate

Mod-sfr 594> '/var/log/firstboot.S11database-populate' -> '/var/log/firstboot.S11database-popul

Mod-sfr 595> ate.1514084890'

Mod-sfr 597>                                                                       [FAILED]

Mod-sfr 598> Executing S12install_infodb

Mod-sfr 599> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 600> DBI.pm line 592.

Mod-sfr 601> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 602> DBI.pm line 592.

Mod-sfr 603> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 604> DBI.pm line 592.

Mod-sfr 605> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 606> DBI.pm line 592.

Mod-sfr 607> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 608> DBI.pm line 592.

Mod-sfr 609> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 610> DBI.pm line 592.

Mod-sfr 611> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

Mod-sfr 612> DBI.pm line 592.

Mod-sfr 613> DB error - will retry: Cannot connect to DB at /usr/local/sf/lib/perl/5.10.1/SF/SF

 

At this point it just repeats the error at line 592 and eventually restarts the install over after a timeout period.  

 

Does anyone have information of what might be going on here?  Any help would be appreciated.

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jjohnsonphx
Level 1
Level 1
In response to jjohnsonphx

‎01-31-2018 11:12 AM

After many failed attempts.  This is what fixed the problem.

1. Factory default the ASA5506-x.

2. Upgrade the ASA and ASDM software to 9.9.1 and 7.9.1.

3. Install the latest FirePower. 

4. Reconfigure from scratch.

I don't know why a factory default was necessary.  But all upgrade attempts with my configuration loaded failed.

 

Marvin, thank you for your help over the holidays. 

View solution in original post

0 Helpful
10 Replies 10

Go to solution
jjohnsonphx
Level 1
Level 1

‎12-24-2017 06:12 AM

I tried this install with ROMMON 1.1.8 and ROMMON 1.1.12 with the same results.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jjohnsonphx

‎12-24-2017 06:38 AM

It's definitely listed as compatible which generally means at least basic verification testing was done during the ASA code QA.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60529

 

The steps you took match what I would have done. At this point I'd suggest opening a TAC case if you have support on the device. You could try an complete module uninstall - reinstall but that would probably land you back where you are.

0 Helpful

Go to solution
jjohnsonphx
Level 1
Level 1
In response to Marvin Rhoads

‎12-24-2017 06:45 AM

Marvin, thank you.  I will try an uninstall.  Unfortunately I don't have support on this ASA at home, but my work ASA's I do.  I'll let you know what happens.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jjohnsonphx

‎12-24-2017 06:48 AM

Sure - please do let us know.

 

I have an ASA 5506 in my home lab (with support) but I'm using it to run the FTD image. If it wasn't so laborious to switch, I would just flip it over to ASA with Firepower service module to test. But... that takes forever (well a couple of hours anyway) on a 5506.

0 Helpful

Go to solution
jjohnsonphx
Level 1
Level 1
In response to Marvin Rhoads

‎12-24-2017 08:33 AM - edited ‎12-24-2017 08:37 AM

After a reboot i tried to uninstall but received the following:

 

ciscoasa(config)# sw-module module sfr shutdown

 

Shutdown module sfr? [confirm]

Shutdown issued for module sfr.

ciscoasa(config)# sh mod

 

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JADxxxxxxxx

sfr Unknown                                      N/A                JADxxxxxxxx

 

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     

---- --------------------------------- ------------ ------------ ---------------

   1 0027.e3c1.9b50 to 0027.e3c1.9b59  2.0          1.1.12       9.9(1)

sfr 0027.e3c1.9b4f to 0027.e3c1.9b4f  N/A          N/A          

 

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

sfr Unknown                        No Image Present Not Applicable

 

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable        

sfr Down               Not Applicable        

 

ciscoasa(config)# sw-module module sfr uninstall

Unable to uninstall Module sfr, it does not have a software image installed.

ciscoasa(config)# 

 

I'm going to try one more time to install.

 

0 Helpful

Go to solution
jjohnsonphx
Level 1
Level 1
In response to jjohnsonphx

‎12-24-2017 09:56 AM

Marvin, No luck, an uninstall did not work. Looks like this might be a bug. Do you have any other suggestions? Any would be appreciated.
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jjohnsonphx

‎12-24-2017 05:57 PM

Well - I'm grasping at straws but here are a few other things I could think to check (in order of their effort required):

 

1. Verify the MD5 checksum of your asasfr-sys-6.2.2-81.pkg file against what's posted on the cisco.com download site.

2. Try to revert your ASA to 9.8(x) and re-run the sfr installation process.

3. Completely re-initialize the ASA from the disk level up. Follow the procedure for converting from FTD to ASA image in order to do that (reload, interrupt rommon boot to format disk and then load ASA image from tftp) as detailed here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_57458

 

I'd be more surprised to see anything result from the #2 since (as I understand it) the ASA code shouldn't really be interacting with the sfr code at that point in the installation process.

 

Also, if you do have other ASAs with Firepower under support you could always open a TAC case case inquiring about any known issues "in preparation for" upgrading one of them.

0 Helpful

Go to solution
jjohnsonphx
Level 1
Level 1
In response to Marvin Rhoads

‎12-25-2017 08:10 AM

I verified MD5 hashes for ASA, ASDM, SFR packages and they all match what is on the Cisco download site.  I'm going to try option 3 and let you know what happens.  Happy holidays.

0 Helpful

Go to solution
jjohnsonphx
Level 1
Level 1
In response to jjohnsonphx

‎01-31-2018 11:12 AM

After many failed attempts.  This is what fixed the problem.

1. Factory default the ASA5506-x.

2. Upgrade the ASA and ASDM software to 9.9.1 and 7.9.1.

3. Install the latest FirePower. 

4. Reconfigure from scratch.

I don't know why a factory default was necessary.  But all upgrade attempts with my configuration loaded failed.

 

Marvin, thank you for your help over the holidays. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jjohnsonphx

‎01-31-2018 09:22 PM

You're welcome. Thanks for updating us on the outcome.

 

I'll consider myself forewarned before jumping on 9.9(1) just yet. From your experience, it seems the QA is a bit lacking on that release at this point.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card