08-29-2019 10:29 PM - edited 02-21-2020 09:26 AM
Hello,
I had several A-P 5525X running 9.6(4)12 for the past two years. The SFR modules were running 6.2.3 and were managed by FMC 6.2.3.
This week I updated all firewalls from 9.6(4)12 to 9.6(4)30 and then I noticed all SFR modules report:
asa01/pri/act# show module sfr
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
sfr Unknown N/A FCH11115551U
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr 188b.9d1b.2357 to 188b.9d1b.2357 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Unresponsive Not Applicable
show module sfr log console shows logs from the booting process until a SWAP error at the end
Displaying Console Log Information for Module sfr:
***
*** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_3.img, ISO: , Num CPUs: 3, RAM: 3281MB, Mgmt MAC: 18:8B:9D:1B:23:57, CP MAC: 00:00:00:04:00:01, HDD: -drive file=/dev/md0,cache=none,if=virtio, Dev Driver: virtio
*** TIME: 07:43:31 EEDT Aug 24 20
***
*** EVENT: Start Parameters Continued: RegEx Shared Mem: 32MB, Cmd Op: , Shared Mem Key: 8061, Shared Mem Size: 64, Log Pipe: /dev/ttyS0_vm3, Sock: /dev/ttyS1_vm3, Mem-Path: -mem-path /hugepages
*** TIME: 07:43:31 EEDT Aug 24 2019
***
Status: Mapping host 0x2aab78600000 to VM with size 67108864
Warning: vlan 0 is not connected to host network
LILO 24.2 boot:
Loading 6.2.3.......................................................................................................
BIOS data check successful
[ 1.334606] KVM_IVSHMEM: irq = 11 regaddr = febf1000 reg_size = 256
Activating all swap files/partitions...
swapon: stat failed %SWAP%: No such file or directory [FAILED]
Mounting root file system in read-only mode...
mount: can't find LABEL=3D-%VERSION% [FAILED]
Cannot check root file system because it could not
be mounted in read-only mode.
When you press enter, this system will be halted.
Press enter to continue...
After reading several topics here I am not sure what I should do:
- can I try sw-module module sfr reset
+ I am not sure what's the difference between reset and reload
- or should I go straight for recover
+ how can I pick the right SFR recover version?
+ I was thinking about asasfr-5500x-boot-6.2.3-4.img and asasfr-sys-6.2.3-83.pkg
+ last but not least, considering the failure of all SFR modules in multiple firewalls how can I find out why?
I looked in the sys exec space for any crash files on flash, but there's nothing.
Thanks,
Florin.
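An added example, not part of the original post and not Cisco tooling: one way to triage saved `show module sfr log console` output from several firewalls and compare where each module's boot stopped. The function names are hypothetical, the sample is constructed from the log quoted above, and reading `%NAME%` tokens as unfilled template placeholders is an assumption.

```python
import re

# Constructed sample: the tail of the console log quoted in the post above.
SAMPLE_LOG = """\
Loading 6.2.3.......
BIOS data check successful
Activating all swap files/partitions...
swapon: stat failed %SWAP%: No such file or directory [FAILED]
Mounting root file system in read-only mode...
mount: can't find LABEL=3D-%VERSION% [FAILED]
Cannot check root file system because it could not
be mounted in read-only mode.
When you press enter, this system will be halted.
"""

FAILED = re.compile(r"\[FAILED\]\s*$")
# Assumption: %NAME% tokens are template placeholders that were never filled in.
PLACEHOLDER = re.compile(r"%([A-Z_]+)%")
HALT = re.compile(r"system will be halted", re.I)

def triage(log_text):
    """Summarise boot failures found in an SFR module console log."""
    findings = {"failed_steps": [], "placeholders": [], "halted": False}
    for line in log_text.splitlines():
        line = line.strip()
        if FAILED.search(line):
            # Keep the failing step without the trailing status marker.
            findings["failed_steps"].append(FAILED.sub("", line).strip())
        for name in PLACEHOLDER.findall(line):
            if name not in findings["placeholders"]:
                findings["placeholders"].append(name)
        if HALT.search(line):
            findings["halted"] = True
    return findings

def verdict(findings):
    """Map findings to a coarse state for comparing several firewalls."""
    if findings["halted"] and findings["failed_steps"]:
        return "boot-halted"
    if findings["failed_steps"]:
        return "boot-degraded"
    return "no-boot-failure-seen"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result), result)
```

Identical failed steps and placeholders on every module point to a common cause rather than independent disk faults, which is useful evidence to attach to a TAC case.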
08-30-2019 07:46 PM
Updating an interim release should definitely not affect the Firepower service module. You could be hitting a bug that's not public-facing. I checked the interim release notes up through 9.6(4)30 and there's no mention of this behavior.
https://www.cisco.com/web/software/280775065/141317/ASA-964-Interim-Release-Notes.html
What version is your FMC? The recovery image must get the managed modules to a compatible release - i.e. one that is no higher than the managing FMC.
If it happened on multiple modules I'd suspect a bug - is opening a TAC case an option for you?
08-31-2019 02:34 AM
08-31-2019 05:19 AM - edited 08-31-2019 05:20 AM
I'm running 6.4 at a couple of clients. No issues with it so far. They just released 6.4.0.4 a couple of weeks ago so it's getting along as far as minor patches.
TAC hasn't given it the Gold Star just yet so we don't recommend it for the more risk averse environments. But I've not encountered any bugs.
09-02-2019 08:33 PM
09-02-2019 08:39 PM
Here you go...
FMC:
Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.4 (build 34)
admin@fmc:~$ sshd -V
unknown option -- V
CiscoSSH 1.6.20, OpenSSH_7.6p1, CiscoSSL 1.0.2q.6.2.323-fips
FTD:
Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Threat Defense for VMWare v6.4.0.4 (build 34)
> expert
**************************************************************
NOTICE - Shell access will be deprecated in future releases and will be replaced with a separate expert mode CLI.
**************************************************************
admin@vftd-new:~$ sshd --V
unknown option -- -
CiscoSSH 1.5.18, OpenSSH_7.5p1, CiscoSSL 1.0.2n.6.2.194-fips
09-02-2019 08:39 PM
09-02-2019 09:08 PM
The ASA reload command will automatically initiate a graceful shutdown of the sfr module as part of what it does.
If there was a hard power cycle (non-graceful shutdown) it could possibly corrupt the module as it is a bit more finicky than the parent ASA - after all it is running Linux and has some database elements. A corrupted Linux installation often comes up with the disk in read-only mode and would result in the sort of error you are seeing.
09-02-2019 09:44 PM - edited 09-02-2019 10:07 PM
That is good news! I thought I did it the wrong way all this time.
I'll recover all sensors and see how this goes. Thanks for the support!