loc.nguyen
Beginner

Upgrade ASA image on FPR-2110

Hi,

 

I have an FPR-2110 (hardware) with an ASA 9.8 OS image running on it.

I am trying to upgrade the ASA image to a new version.

Should I use ASDM to upgrade as normal or is there a special requirement for this?

Thanks

Loc.

 

FYI: below is show run on my firewall

abc-fw1(config)# show version

Cisco Adaptive Security Appliance Software Version 9.8(4)15
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.8(2)

Compiled on Thu 14-Nov-19 08:30 PST by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.2.2.121.SPA"
Config file at boot was "startup-config"

abc-fw1 up 331 days 19 hours
failover cluster up 1 year 213 days

Hardware: FPR-2110, 6842 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)


1: Int: Internal-Data0/1 : address is 000f.b748.4801, irq 0
3: Ext: Management1/1 : address is 00fc.ba7a.2b95, irq 0
4: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 1500
AnyConnect Essentials : Disabled
Other VPN Peers : 1500
Total VPN Peers : 1500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 4000
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 1500
AnyConnect Essentials : Disabled
Other VPN Peers : 1500
Total VPN Peers : 1500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 4000
Cluster : Disabled


Serial Number: JADxxxxxxxx
Configuration last modified by root at 09:14:30.899 CST Fri Feb 4 2022
abc-fw1(config)#

UdupiKrishna
Cisco Employee

As long as the firewall is in appliance mode, the procedure for upgrades is the same as for a regular ASA. You can upgrade them using CLI or ASDM.

Run "show fxos mode" to confirm the deployment type. 

Thanks

 

colo-fw1# show fxos mode
^
ERROR: % Invalid input detected at '^' marker.
colo-fw1#

 

Please see the result. I also tried many ways to get into the FXOS mode, but failed.

 

 

 

 

For your current version only Platform mode is available - you will need to upgrade from the FXOS and choose either Platform or Appliance mode.

I found this useful when I converted one FTD 2100 to ASA a few months back:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#concept_dwb_pyj_fdb

"

  • (Firepower 2100) In 9.12 and earlier, only Platform mode is available. In 9.13 and later, Appliance mode is the default. If you upgrade a Platform mode device to 9.13 or later, then the ASA remains in Platform mode. Check the mode by using the show fxos mode command at the ASA CLI. The Firepower 1000 only supports Appliance mode.

    If you have an ASA in Platform mode, you must use FXOS to reimage. See ASA→FTD: Firepower 2100 Platform Mode."

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_eln_qv5_5hb

I am not sure which is better - Platform or Appliance mode. I use Appliance as it mirrors the ASA, and in Platform mode there are configurations (interface) that need to be done in FXOS.

 

PS - bugs (SNMP is not working / recent DoS vulnerability) in our current version are forcing us to upgrade to a new release.

current - Version 9.14(2)15 

fixed - Version 9.14(3)9
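
The mode rule quoted in the post above, together with the current/fixed version comparison from its PS, as an added example that is not part of the original thread and is not Cisco code. The function names, the constructed sample input and the FPR-21xx / FPR-1xxx model patterns are assumptions.

```python
import re

# Constructed sample: three lines in the format of the `show version` output in this thread.
SAMPLE = (
    "Cisco Adaptive Security Appliance Software Version 9.8(4)15\n"
    "Firepower Extensible Operating System Version 2.2(2.121)\n"
    "Hardware: FPR-2110, 6842 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)\n"
)

ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")
HW_RE = re.compile(r"^Hardware:\s+(FPR-\d+)", re.M)


def parse_asa_version(text):
    """'9.14(2)15' -> (9, 14, 2, 15); a missing interim build counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)(\d*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(show_version, fixed=None):
    """Apply the quoted mode rule; optionally compare against a fixed release."""
    asa, hw = ASA_RE.search(show_version), HW_RE.search(show_version)
    if not asa or not hw:
        raise ValueError("ASA version or Hardware line not found")
    ver, model = parse_asa_version(asa.group(1)), hw.group(1)
    # Assumption: the Hardware line reads FPR-21xx on a 2100 and FPR-1xxx on a 1000.
    if re.fullmatch(r"FPR-21\d\d", model):
        # 9.12 and earlier: Platform only. 9.13+: an upgraded unit stays in
        # Platform mode, so the version alone cannot decide.
        mode = "platform" if ver[:2] <= (9, 12) else "confirm with 'show fxos mode'"
    elif re.fullmatch(r"FPR-1\d{3}", model):
        mode = "appliance"
    else:
        mode = "not covered by the quoted rule"
    path = {"platform": "upgrade through FXOS",
            "appliance": "regular ASA procedure (CLI or ASDM)"}.get(mode, "undetermined")
    return {"model": model, "version": ver, "mode": mode, "path": path,
            "below_fixed": None if fixed is None else ver < parse_asa_version(fixed)}


if __name__ == "__main__":
    print(assess(SAMPLE))
    newer = SAMPLE.replace("9.8(4)15", "9.14(2)15")  # version from the PS in the post
    print(assess(newer, fixed="9.14(3)9"))
```
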

Thanks, I am looking into it...

I looked into the link but I did not find any instructions to upgrade the version for the ASA from ASA. (The instructions are for ASA to FTD, or FTD to ASA.)

My question here is, should I do it the transitional way: 

- log on to ASDM

- Upload new image to disk0

- Set system boot to new image 

- Reload the firewall

Please advise.

Aref Alsouqi
Rising star

Hi Aref, I think I could not even do step 1. I could not find a way to access the Chassis Manager.

Step 1

Connect to the Firepower Chassis Manager.

Hi Loc, I hope you're doing well, long time no speak! To connect to the chassis manager you need to open your browser and connect to its IP. Alternatively, you can connect to the FXOS CLI via the command "connect fxos", if you need to go back to the ASA mode then you can use the command "connect asa" or exit from the FXOS CLI if you have finished.

Yes Sir, it is great to chat with you again.

This is a new firewall that I took over from another team. He is on PTO for a month now. Luckily I just got information that he will be back next Monday.

Basically, I don't know how to get into the chassis. A web browser to the mgmt IP leads to the ASDM. Do you think there is another IP for the chassis manager?

please see the attachment 

 

Same to me my friend! So from the screenshot I see the chassis manager seems to be reachable via the URL "https://firepower-2110". If you try to resolve the hostname "firepower-2110" do you get anything? Also, if you try to click directly on that link from the ASDM, does it take you to the chassis manager page?

Nope, it doesn't resolve to anything. I did try to ping the name from the firewall, it doesn't work either. 

Might be using the default IP 192.168.45.45. Try to do this please, go into the FXOS CLI via the command "connect fxos" and then into the fabric interconnect via the command "scope fabric-interconnect a", and finally do "show". If you see the IP address 192.168.45.45 then I would say the chassis manager IP has never been configured. In that case go please through the steps in this link:

Change the FXOS and ASA Management IP Addresses or Gateway

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/asa-platform.html#task_h3b_tzc_qhb

Thanks Aref,

 

I think it can wait until next week when my colleague comes back. We will send a tech there if we cannot do it remotely.

 

You have a nice weekend ahead!
