Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1880
Views
0
Helpful
4
Replies

SFR Upgrade - Download Failed. Unable to resolve remote hostname. Upgrade aborted.

JackSz
Level 1
Level 1

‎08-17-2018 11:29 PM - edited ‎03-12-2019 06:53 AM

Hello,

I have Cisco ASA 5506 and I had to reinstall the SFR module (it stopped responding completely). However, I have the following problem. After the first step - image installation and configuration I cannot install the pkg file.

 

After this command

system install noconfirm http://<HTTP_SERVER>/asasfr-XXX.pkg

 

The error is 

Download Failed. Unable to resolve remote hostname. Upgrade aborted.

 

I can download the file from

http://<HTTP_SERVER>/asasfr-XXX.pkg

using any other computer in the local network.

 

 

Here are some configuration information:


asasfr-boot>show dns

Local domain:
domain xxx.com.au

Search domain:
search xxx.com.au

DNS servers:
nameserver 1.1.1.1
nameserver 1.0.0.1

 

asasfr-boot>show route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::1/128 :: U 0 0 1 lo
fe80::5261:bfff:fec9:e211/128 :: U 0 0 1 lo
fe80::/64 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth0

 

There is no problem with traffic from LAN to WAN, DNS is resolved, I can ping everything from ASA, but I cannot ping outside IPs or domains from SFR.

 


blackhole-1# show interface
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e213, MTU 1500
IP address 192.168.15.11, subnet mask 255.255.255.0
178162 packets input, 101568608 bytes, 0 no buffer
Received 8454 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
161267 packets output, 78067136 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (926/887)
output queue (blocks free curr/low): hardware (1023/969)
Traffic Statistics for "outside":
178057 packets input, 97012315 bytes
161267 packets output, 74742128 bytes
2708 packets dropped
1 minute input rate 22 pkts/sec, 12284 bytes/sec
1 minute output rate 20 pkts/sec, 10712 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 27 pkts/sec, 15867 bytes/sec
5 minute output rate 24 pkts/sec, 11886 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/2 "inside_1", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e214, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
231753 packets input, 83566639 bytes, 0 no buffer
Received 10 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
256368 packets output, 119434723 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (990/871)
output queue (blocks free curr/low): hardware (1021/946)
Traffic Statistics for "inside_1":
231753 packets input, 78758420 bytes
256368 packets output, 114560101 bytes
391 packets dropped
1 minute input rate 32 pkts/sec, 11370 bytes/sec
1 minute output rate 37 pkts/sec, 16127 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 44 pkts/sec, 12885 bytes/sec
5 minute output rate 56 pkts/sec, 21225 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/3 "SFR", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e215, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
1651 packets input, 163833 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
31187 packets output, 2684922 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (908/895)
output queue (blocks free curr/low): hardware (1023/918)
Traffic Statistics for "SFR":
1651 packets input, 134115 bytes
31187 packets output, 2122440 bytes
1438 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 5 pkts/sec, 367 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 6 pkts/sec, 411 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/4 "inside_3", is administratively down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e216, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1023/1023)
output queue (blocks free curr/low): hardware (1023/1023)
Traffic Statistics for "inside_3":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/5 "inside_4", is administratively down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e217, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1023/1023)
output queue (blocks free curr/low): hardware (1023/1023)
Traffic Statistics for "inside_4":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/6 "inside_5", is administratively down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e218, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1023/1023)
output queue (blocks free curr/low): hardware (1023/1023)
Traffic Statistics for "inside_5":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/7 "inside_6", is administratively down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e219, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1023/1023)
output queue (blocks free curr/low): hardware (1023/1023)
Traffic Statistics for "inside_6":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/8 "inside_7", is administratively down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
MAC address 5061.bfc9.e21a, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1023/1023)
output queue (blocks free curr/low): hardware (1023/1023)
Traffic Statistics for "inside_7":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Management1/1 "", is up, line protocol is up
Hardware is en_vtun rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 5061.bfc9.e212, MTU not set
IP address unassigned
3 packets input, 162 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
3 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Interface BVI1 "BVI1", is up, line protocol is up
MAC address N/A, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for BVI1:
0 packets input, 0 bytes
18 packets output, 1536 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec

 


Hostname: asasfr
Management Interface Configuration

IPv4 Configuration: static
IP Address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1

IPv6 Configuration: Stateless autoconfiguration

DNS Configuration:
Domain: XXX.com.au
Search:
XXX.com.au
DNS Server:
1.1.1.1
1.0.0.1

NTP configuration:
pool.ntp.org

 

Thanks in advance for your help.

 

Cheers

Jack

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-18-2018 08:00 PM

Since you know the IP address for the http server host with the necessary pkg file, have you tried just using that instead of the FQDN?

0 Helpful

JackSz
Level 1
Level 1
In response to Marvin Rhoads

‎08-19-2018 03:48 PM

Hello Marvin,

It is a shared webhosting, so I cannot access it via IP. But I will try to find another place to put that file.

 

My biggest concern is why it is not working via domain. Something is wrong with my configuration. As I mentioned before I had to reinstall SFR as it stopped responding. When I added URL category for filtering (I have the license) it started to filter out all websites not only in that category. Moreover, after that I was not able to connect to SFR module, it stopped responding. 

 

I cannot find what is wrong.

 

Cheers

Jack

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to JackSz

‎08-19-2018 10:44 PM

Note the Firepower module (“sfr” as it appears in the cli) uses the host ASA’s management interface. The ASA itself is most likely using one of its dataplane interfaces for the connectivity you mentioned. 

 

Make sure that the management interface is connected to a switch port interface that’s in the proper VLAN with associated subnet. 

0 Helpful

JackSz
Level 1
Level 1
In response to Marvin Rhoads

‎08-20-2018 04:59 PM

Hello Marvin,

Thanks for your answer.

 

I have 

BVI1 192.168.1.1/255.255.255.0

GigabitEthernet 1/1 (outside) 192.168.15.11/255.255.255.0

GigabitEthernet 1/2 (inside) BVI1

GigabitEthernet 1/3 (SFR) BVI1 connected to the management port

Management1/1 enabled/no ip

 

SFR module


IPv4 Configuration: static
IP Address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1

IPv6 Configuration: Stateless autoconfiguration

DNS Configuration:
Domain: xxx.com.au
Search:
xxx.com.au
DNS Server:
1.1.1.1
1.0.0.1

 

I suppose it is the same configuration as in the attached image. I didn't have problems to connect to SFR module in ASDM, when that module was installed. The problem now is to install it again. Previously it was behaving strangely. As I mentioned when I added the category filtering for instance gambling it started to filter out all websites as all requests to DNS were blocked.

 

Cheers

Jack

Preview file
226 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card