Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1451
Views
25
Helpful
11
Replies

Updating Firepower on ASA 5512

Go to solution
jto
Level 1
Level 1

‎04-09-2019 11:58 AM - edited ‎02-21-2020 09:01 AM

Hello I am needing to upgrade a 5512 to Firepower 6.2.2.x. I am currently stepping up Firepower from several older versions. Currently I have IOS 9.5.2 and attempting to first load Firepower 6.0.0. I have loaded the Firepower Boot img file which seemed to go ok. I can log into the sfr module using "session sfr console" command. I do see it is 6.0.0 from there.

 

Next I go to "setup" and assign an IP to sfr and the gateway which is one of the interfaces on the ASA.

 

Next I go to load the pkg file but having an issue there. I am typing in the following:

system install ftp://name:password@IP of FTP server/asasfr.pkg file name

 

Goes to Verifying for a bit then errors out with the following:

"Upload/download url doesn't have a valid ipv4 address" 

 

I know the ftp server is ok and reachable, that is how I got the .img boot file for sfr onto the ASA.

 

Any ideas would be welcome.

 

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
GRANT3779
Spotlight
Spotlight

‎04-10-2019 08:48 AM

When uploading the boot file to the ASA this would have been done from the ASA software itself.

 

Are you using the physical management interface for the ASA ? Have you put an IP on it? Within the setup of the initial boot setup of SFR, did you use an address on the same IP range if so? What are you using as the GW? 

 

As Francesco said, there are a few different ways this can be setup so a diagram may help in identifying any problems. The ASA and SFR can share the interface or the SFR can have sole use.

 

As a test also you can try the following more basic command and see if it then prompts for the username/password.

 

system install ftp://x.x.x.x/package.pkg

 

View solution in original post

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jto

‎04-11-2019 07:17 PM

Wait, I was looking at your last design. You said all SVI GW were on the switch. Why on SFR module you put ASA ip as GW? Can you change it to your SW SVI GW for subnet 10, Then please try again

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

11 Replies 11

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎04-09-2019 08:28 PM

Hi

Sfr uses your asa management interface. Once you installed img file and done setup for the first time, are you able to ping your ftp device?

How everything is connected together (asa cabling and management interface)?

If everything is correct there and traffic passes through asa, is ftp allowed?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
GRANT3779
Spotlight
Spotlight

‎04-10-2019 08:48 AM

When uploading the boot file to the ASA this would have been done from the ASA software itself.

 

Are you using the physical management interface for the ASA ? Have you put an IP on it? Within the setup of the initial boot setup of SFR, did you use an address on the same IP range if so? What are you using as the GW? 

 

As Francesco said, there are a few different ways this can be setup so a diagram may help in identifying any problems. The ASA and SFR can share the interface or the SFR can have sole use.

 

As a test also you can try the following more basic command and see if it then prompts for the username/password.

 

system install ftp://x.x.x.x/package.pkg

 

Go to solution
jto
Level 1
Level 1
In response to GRANT3779

‎04-10-2019 12:51 PM

Thanks Francesco and Grant. I got a bit busy today so sorry for the delay. I am very new to ASA so here is my current setup:

Pings are good from the sfr module all the way to the L3 switch x.x.10.1 but not to the ftp server (Windows 10 box) on the x.x.30.x network. I know that of course is a problem but when I changed the ftp server computer to an address in the x.x.10.x network I was still unable to do the pkg file. 

Capture 1.JPG

0 Helpful

Go to solution
GRANT3779
Spotlight
Spotlight
In response to jto

‎04-10-2019 02:50 PM

The switchport you are connecting the management interface to, I would make this an access port. You have it showing as a trunk.

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jto

‎04-10-2019 08:56 PM

Thanks for the sketch. First i would set the management as access interface on your L3 switch.
Your L3 switch is the one hosting all your default gateways, isn't it? If yes, can you ping from sfr the default gw of vlan x.x.30.x ?
If the default gw of this vlan is on asa, can you share the routing config if this asa to see how it routes to reach x.x.10.x from x.x.30.x?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
jto
Level 1
Level 1
In response to Francesco Molino

‎04-11-2019 04:35 AM

Hello

 

Thanks, I will change the port on the switch to an access port later today.

Yes all the default GW's are on the L3 Switch. That includes the .30 subnet/vlan.

No I can't ping the .30 subnet GW. I figure that is a big problem for the ftp of course. 

 

Some other config info is this is an internal lab setup and the ASA is new to the config and not being used as a integral part of the configuration right now. It has just has some basic configuration on it. The whole reason for doing what I am doing right now is to get the Firepower updated from the original sfr version of 5.4  to 6.2.2.x. All those other subnets/vlans (20, 30, 40) are able to do inter-vlan routing through the L3 switch. The .10 subnet is only on the ASA/sfr module and of course a vlan on the L3 switch.

 

I am also learning as I do this so thanks for the assistance.

 

 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jto

‎04-11-2019 07:17 PM

Wait, I was looking at your last design. You said all SVI GW were on the switch. Why on SFR module you put ASA ip as GW? Can you change it to your SW SVI GW for subnet 10, Then please try again

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
jto
Level 1
Level 1
In response to Francesco Molino

‎04-12-2019 04:06 AM

I was told to do that was how to set that GW up. I will change later today and let you know how that goes. Thanks.

0 Helpful

Go to solution
jto
Level 1
Level 1
In response to Francesco Molino

‎04-12-2019 04:07 AM

I was told to do that was how to set that GW up. I will change later today and let you know how that goes. Thanks.

0 Helpful

Go to solution
jto
Level 1
Level 1
In response to Francesco Molino

‎04-12-2019 10:07 AM

BINGO!!

 

Got it to update. Combanation of changing the GW and when using the "asasfr-boot >system install" command I had been using "asasfr-boot >system install asasfr-boot >system install ftp://x.x.x.x/package.pkg".    I changed that to "asasfr-boot >system install ftp://x.x.x.x/package.pkg" and it started the download and install. I have an up sfr module now. Next 3 more updates to get to the current version.

 

Thanks for the help, very much appreciated.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jto

‎04-13-2019 06:19 PM

Glad it works now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card