sfr Unresponsive after ASA update 9.6

Florin Barhala
Level 6

Hello,

I had several A-P 5525X running 9.6(4)12 for the past two years. The SFR modules were running 6.2.3 and were managed by FMC 6.2.3.

This week I updated all firewalls from 9.6(4)12 to 9.6(4)30 and then I noticed all SFR modules report:

asa01/pri/act# show module sfr

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
sfr Unknown N/A FCH11115551U

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr 188b.9d1b.2357 to 188b.9d1b.2357 N/A N/A

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Unresponsive Not Applicable

show module sfr log console shows logs from the booting process until a SWAP error at the end

Displaying Console Log Information for Module sfr:

***
*** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_3.img, ISO: , Num CPUs: 3, RAM: 3281MB, Mgmt MAC: 18:8B:9D:1B:23:57, CP MAC: 00:00:00:04:00:01, HDD: -drive file=/dev/md0,cache=none,if=virtio, Dev Driver: virtio
*** TIME: 07:43:31 EEDT Aug 24 20

***
*** EVENT: Start Parameters Continued: RegEx Shared Mem: 32MB, Cmd Op: , Shared Mem Key: 8061, Shared Mem Size: 64, Log Pipe: /dev/ttyS0_vm3, Sock: /dev/ttyS1_vm3, Mem-Path: -mem-path /hugepages
*** TIME: 07:43:31 EEDT Aug 24 2019
***
Status: Mapping host 0x2aab78600000 to VM with size 67108864
Warning: vlan 0 is not connected to host network

LILO 24.2 boot:
Loading 6.2.3.......................................................................................................
BIOS data check successful

[ 1.334606] KVM_IVSHMEM: irq = 11 regaddr = febf1000 reg_size = 256

Activating all swap files/partitions...
swapon: stat failed %SWAP%: No such file or directory [FAILED]
Mounting root file system in read-only mode...
mount: can't find LABEL=3D-%VERSION% [FAILED]

Cannot check root file system because it could not
be mounted in read-only mode.

When you press enter, this system will be halted.
Press enter to continue...

After reading several topics here I am not sure what I should do:

 - can I try sw-module module sfr reset

   + I am not sure what the difference is between reset and reload

 - or should I go straight for recover

   + how can I pick the right SFR recover version?

   + I was thinking about asasfr-5500x-boot-6.2.3-4.img and asasfr-sys-6.2.3-83.pkg

   + last but not least, considering the failure of all SFR modules in multiple firewalls, how can I find out why?

 I looked in the sys exec space for any crash files on flash, but there's nothing.

Thanks,

Florin.

8 Replies

Marvin Rhoads
Hall of Fame

Updating an interim release should definitely not affect the Firepower service module. You could be hitting a bug that's not public-facing. I checked the interim release notes up through 9.6(4)30 and there's no mention of this behavior.

https://www.cisco.com/web/software/280775065/141317/ASA-964-Interim-Release-Notes.html

What version is your FMC? The recovery image must get the managed modules to a compatible release - i.e. one that is no higher than the managing FMC.

If it happened on multiple modules I'd suspect a bug - is opening a TAC case an option for you?

I currently run FMC for VMWare v6.2.3.14 (build 41). I'll try with reimaging using 6.2.3 for the sensor.
On another note, do you or anyone else run FMC 6.4.x? I am particularly interested in the OpenSSH version, as 6.2.3 (the current recommended version) runs OpenSSH 7.3, which contains several vulnerabilities.

As for TAC, I have external support, not directly from Cisco, but first I will see how the reimage goes.

Thank you Marvin!

I'm running 6.4 at a couple of clients. No issues with it so far. They just released 6.4.0.4 a couple of weeks ago so it's getting along as far as minor patches.

TAC hasn't given it the Gold Star just yet so we don't recommend it for the more risk averse environments. But I've not encountered any bugs.

Sounds good, thanks man!
If you have time, please share the OpenSSH version on 6.4? I was requested to update the current 7.3
root@firepower:~# sshd -V
OpenSSH_7.3p1, CiscoSSL 1.0.2l.6.1.281-fips

to 7.4

Here you go...

FMC:

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.4 (build 34)

admin@fmc:~$ sshd -V
unknown option -- V
CiscoSSH 1.6.20, OpenSSH_7.6p1, CiscoSSL 1.0.2q.6.2.323-fips

FTD:

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Threat Defense for VMWare v6.4.0.4 (build 34)

> expert
**************************************************************
NOTICE - Shell access will be deprecated in future releases
         and will be replaced with a separate expert mode CLI.
**************************************************************
admin@vftd-new:~$ sshd --V
unknown option -- -
CiscoSSH 1.5.18, OpenSSH_7.5p1, CiscoSSL 1.0.2n.6.2.194-fips

I was about to uninstall it when I thought, what if I reset it first:
sw-module module sfr reset
Module sfr should be shut down before resetting it or loss of configuration
may occur.

What's the daily recommendation about this module? I recently updated the failover firewall config a couple of times and NEVER shut down the module. Is this why it currently reports this boot failure?

Activating all swap files/partitions...
swapon: stat failed %SWAP%: No such file or directory [FAILED]
Mounting root file system in read-only mode...
mount: can't find LABEL=3D-%VERSION% [FAILED]

Cannot check root file system because it could not
be mounted in read-only mode.

Do you guys manually shut down the module before you reload the ASA firewall?

The ASA reload command will automatically initiate a graceful shutdown of the sfr module as part of what it does.

If there was a hard power cycle (non-graceful shutdown) it could possibly corrupt the module as it is a bit more finicky than the parent ASA - after all it is running Linux and has some database elements. A corrupted Linux installation often comes up with the disk in read-only mode and would result in the sort of error you are seeing.

That is good news! I thought I did it the wrong way all this time.
I'll recover all sensors and see how this goes. Thanks for the support!
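The checks this thread walks through by hand, as an added example that is not code from the thread, from Cisco, or from the ASA/FMC software: it parses saved text of `show module sfr` and `show module sfr log console` (the two outputs in the opening post) to flag a module whose status is not Up and to extract the boot steps that failed, in particular the unmountable root filesystem that Marvin's reply ties to a corrupted module image, and it applies the compatibility rule from the replies (a recovery image no newer than the managing FMC) to candidate image versions. The sample outputs, the column spacing, and all function names are constructed for this example; only the status and log strings are taken from the thread.

```python
"""Health check for an ASA SFR (ASA FirePOWER) service module.

Added example, not from the thread or from Cisco. It reads the text of
`show module sfr` and `show module sfr log console` (collected by SSH, a
log collector, or a saved session), flags a module that is not 'Up',
pulls out the boot steps marked [FAILED], and checks that a recovery
image is not newer than the managing FMC. Sample output is constructed
to mirror the failing module in the thread (column spacing is assumed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample shaped like the failing `show module sfr` in the thread.
SAMPLE_SHOW_MODULE = """\
Mod Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
sfr  Unknown                                      N/A                FCH11115551U

Mod SSM Application Name          Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
sfr  Unresponsive       Not Applicable
"""

# Constructed sample of the tail of `show module sfr log console`.
SAMPLE_CONSOLE_LOG = """\
Activating all swap files/partitions...
swapon: stat failed %SWAP%: No such file or directory [FAILED]
Mounting root file system in read-only mode...
mount: can't find LABEL=3D-%VERSION% [FAILED]

Cannot check root file system because it could not
be mounted in read-only mode.
"""

FAILED_RE = re.compile(r"^(?P<msg>.+?)\s*\[FAILED\]$")
ROOT_RO_RE = re.compile(
    r"Cannot check root file system because it could not\s+be mounted in read-only mode")


@dataclass
class SfrHealth:
    status: str                      # 'Up', 'Unresponsive', 'Recover', ...
    app_version: Optional[str]       # SSM application version, when that row is present
    boot_failures: List[str] = field(default_factory=list)
    root_fs_unmountable: bool = False

    @property
    def needs_attention(self) -> bool:
        return self.status.lower() != "up" or bool(self.boot_failures)


def parse_show_module(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, app_version) from the 'sfr' rows of `show module sfr`.

    Each section is introduced by a 'Mod ...' header; the 'sfr' row under
    'Mod Status' carries the module status, the row under
    'Mod SSM Application Name' (absent when the module is down) the version.
    """
    status, app_version, header = "Unknown", None, ""
    for line in text.splitlines():
        if line.startswith("Mod "):
            header = line
        elif line.startswith("sfr") and header.startswith("Mod Status"):
            status = line.split()[1]
        elif line.startswith("sfr") and "SSM Application Name" in header:
            app_version = line.split()[-1]
    return status, app_version


def parse_console_log(text: str) -> Tuple[List[str], bool]:
    """Return (failed boot steps, whether the root fs could not be mounted)."""
    failed = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            failed.append(m.group("msg"))
    return failed, ROOT_RO_RE.search(text) is not None


def assess(show_module: str, console_log: str) -> SfrHealth:
    status, app_version = parse_show_module(show_module)
    failed, root_ro = parse_console_log(console_log)
    return SfrHealth(status, app_version, failed, root_ro)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'6.2.3-83' -> (6, 2, 3); the build suffix after '-' is ignored."""
    return tuple(int(p) for p in re.match(r"[\d.]+", v).group().strip(".").split("."))


def recover_image_ok(image_version: str, fmc_version: str) -> bool:
    """True when the sensor image is no newer than the managing FMC."""
    return version_tuple(image_version) <= version_tuple(fmc_version)


if __name__ == "__main__":
    h = assess(SAMPLE_SHOW_MODULE, SAMPLE_CONSOLE_LOG)
    print(f"status={h.status} needs_attention={h.needs_attention}")
    for step in h.boot_failures:
        print("  boot step failed:", step)
    if h.root_fs_unmountable:
        print("  root filesystem could not be mounted: module image likely needs reimaging")
    print("6.2.3-83 image under FMC 6.2.3.14:", recover_image_ok("6.2.3-83", "6.2.3.14"))
    print("6.4.0 image under FMC 6.2.3.14:", recover_image_ok("6.4.0", "6.2.3.14"))
```

Run against the two outputs from a module that has just come back from a reload, a status other than Up or any [FAILED] step is the signal to look at the console log before deciding between a reset and a full recover; the version check only encodes the one rule stated in the replies and does not replace Cisco's compatibility tables.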
