Re: Unable to start http service on Firepower 2100

Scott12 · ‎04-11-2022

Hello,

I am trying to start using the firewall 2100 via https, but for some reason I am getting this: System is coming up, please wait...

Also the service is up,

firepower-2110 /system # scope services
firepower-2110 /system/services # show ip-b

Permitted IP Block:
IP Address Prefix Length Protocol
--------------- ------------- --------
172.31.7.0 24 https
172.31.7.0 24 ssh
192.168.45.0 24 https
192.168.45.0 24 ssh

BTW, is it possible to set up this type of ASA using ASDM instead of this new platform?

Any idea?

Thank you

Marvin Rhoads · ‎04-12-2022

Are you running the ASA image or FTD image on your appliance?

If ASA image it the appliance in platform or appliance mode?

https://community.cisco.com/t5/network-security/fp-2100-asa-appliance-mode-or-platform-mode/td-p/4166810

Scott12 · ‎04-13-2022

Hello,

I would like to run the ASA image instead of FTD image on the appliance, I mean continue using the ASDM and conventional CLI.

is it possible?

Marvin Rhoads · ‎04-15-2022

Do you know which is running now? If you have FTD and want to switch to ASA you need to reimage the appliance.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html

Scott12 · ‎04-18-2022

Many thanks for your time, I really appreciate it.

I was able to reimage the FTD -> ASA, following the link that you shared,

But, for some reason I am not able to start the ASDM, I can ping the ASA (inside interface), however it's accessible from the management interface. I checked everything and both inside and management interfaces are configured equally.

UNABLE TO LAUNCH DEVICE MANAGER

Here is the procedure that I executed.

FTD→ASA: Firepower 1000, 2100; Secure Firewall 3100

This task lets you reimage the Firepower 1000 or 2100, or the Secure Firewall 3100 from FTD to ASA. By default, the ASA is in Appliance mode. After you reimage, you can change the ASA to Platform mode.

Note

After performing this procedure, the FXOS admin password is reset to Admin123.

Procedure

Step 1

Make sure the image you want to upload is available on an FTP, SCP, SFTP, or TFTP server connected to the Management 1/1 interface, or a USB drive.

For more information about the Management 1/1 interface settings, see the FTD show network and configure network commands in the FTD command reference.

Step 2

Unlicense the FTD.

If you are managing the FTD from the Firepower Management Center, delete the device from the Management Center.
If you are managing the FTD using Firepower Device Manager, be sure to unregister the device from the Smart Software Licensing server, either from the Firepower Device Manager or from the Smart Software Licensing server.

Step 3

Connect to the FXOS CLI, either the console port (preferred) or using SSH to the Management 1/1 interface. If you connect at the console port, you access the FXOS CLI immediately. Enter the FXOS login credentials. The default username is admin and the default password is Admin123.

If you connect to the FTD management IP address using SSH, enter connect fxos to access FXOS.

Step 4

Download the package to the chassis.

Enter firmware mode.

scope firmware

Example:

firepower-2110# scope firmware
firepower-2110 /firmware#

Download the package.
download image url
Specify the URL for the file being imported using one of the following:
- ftp://username@server/[path/]image_name
- scp://username@server/[path/]image_name
- sftp://username@server/[path/]image_name
- tftp://server[:port]/[path/]image_name
- usbA:/path/filename
Example:
```
firepower-2110 /firmware # download image scp://admin@10.88.29.181/cisco-asa-fp2k.9.10.1.1.SPA
Password:
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
```

Monitor the download process.

show download-task

Example:

firepower-2110 /firmware # show download

Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp2k.9.10.1.1.SPA
              Scp      10.122.84.45             0 admin           Downloading
firepower-2110 /firmware #

Step 5

When the new package finishes downloading (Downloaded state), boot the package.

View and copy the version number of the new package.

show package

Example:

firepower-2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.10.1.1.SPA                   9.10.1.1
cisco-ftd-fp2k.6.3.0-1.SPA                    6.3.0-1
firepower-2110 /firmware #

Install the package.

Caution

This step erases your configuration.

scope auto-install

install security-pack version version

In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the image and reboots.This process, including reloading, can take approximately 30 minutes.

Note

If you see the below error, you may have entered the package name, instead of the package version:

Invalid software pack
Please contact technical support for help

Example:

firepower 2110 /firmware # scope auto-install
firepower-2110 /firmware/auto-install # install security-pack version 9.10.1.1

The system is currently installed with security software package 6.3.0-1, which has:
   - The platform version: 2.5.1.52
   - The CSP (ftd) version: 6.3.0-1
If you proceed with the upgrade 9.10.1.1, it will do the following:
   - upgrade to the new platform version 2.5.1.78
   - reimage the system from CSP ftd version 6.3.0.1 to the CSP asa version 9.10.1.1

Do you want to proceed ? (yes/no): yes   

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   If you proceed the system will be re-imaged. All existing configuration will be lost,
   and the default configuration applied.
Do you want to proceed? (yes/no): yes  

Triggered the install of software package version 9.10.1.1
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2110 /firmware/auto-install #

Step 6

Wait for the chassis to finish rebooting.

ASA 9.13 and later (defaults to Appliance mode)

The ASA starts up, and you access user EXEC mode at the CLI.

Example:

 [...]
Attaching to ASA CLI ...
Type help or '?' for a list of available commands.
ciscoasa>

ASA 9.12 and earlier (defaults to Platform mode)

FXOS comes up first, but you still need to wait for the ASA to come up.

After the application comes up and you connect to the application, you access user EXEC mode at the CLI.

Example:

 [...]
Cisco FPR Series Security Appliance
firepower-2110 login: admin
Password: 

Successful login attempts for user 'admin' : 1
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2018, Cisco Systems, Inc. All rights reserved.
[...]

User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.  
Failed logins since the last login: 0.
[press Enter to see the prompt below:]
 
firepower-2110# connect asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

ciscoasa>