02-10-2022 09:28 AM
Hi,
I have an FPR-2110 (hardware) and ASA 9.8 OS Image running on it.
I am trying to upgrade the ASA image to a new version.
Should I use ASDM to upgrade as normal or is there a special requirement for this?
Thanks
Loc.
FYI: below is show run on my firewall
abc-fw1(config)# show version
Cisco Adaptive Security Appliance Software Version 9.8(4)15
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.8(2)
Compiled on Thu 14-Nov-19 08:30 PST by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.2.2.121.SPA"
Config file at boot was "startup-config"
abc-fw1 up 331 days 19 hours
failover cluster up 1 year 213 days
Hardware: FPR-2110, 6842 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
1: Int: Internal-Data0/1 : address is 000f.b748.4801, irq 0
3: Ext: Management1/1 : address is 00fc.ba7a.2b95, irq 0
4: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 1500
AnyConnect Essentials : Disabled
Other VPN Peers : 1500
Total VPN Peers : 1500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 4000
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 1500
AnyConnect Essentials : Disabled
Other VPN Peers : 1500
Total VPN Peers : 1500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 4000
Cluster : Disabled
Serial Number: JADxxxxxxxx
Configuration last modified by root at 09:14:30.899 CST Fri Feb 4 2022
abc-fw1(config)#
02-10-2022 05:28 PM
As long as the firewall is in appliance mode, the procedure for upgrades is same as regular ASA. You can upgrade them using CLI or ASDM.
Run "show fxos mode" to confirm the deployment type.
02-11-2022 06:54 AM
Thanks
colo-fw1# show fxos mode
^
ERROR: % Invalid input detected at '^' marker.
colo-fw1#
Please see the result. I also tried many ways to get into the fxos mode, but failed.
02-11-2022 07:16 AM - edited 02-11-2022 07:36 AM
For your current version only Platform mode is available - you will need to upgrade from the FXOS and choose either Platform or Appliance mode.
I found this useful when I converted one FTD 2100 to ASA a few months back :
"
(Firepower 2100) In 9.12 and earlier, only Platform mode is available. In 9.13 and later, Appliance mode is the default. If you upgrade a Platform mode device to 9.13 or later, then the ASA remains in Platform mode. Check the mode by using the show fxos mode command at the ASA CLI. The Firepower 1000 only supports Appliance mode.
If you have an ASA in Platform mode, you must use FXOS to reimage. See ASA→FTD: Firepower 2100 Platform Mode."
I am not sure which is better - Platform or Appliance mode. I use Appliance as it mirrors the ASA and in Platform mode there are configurations (interface) that need to be done in FXOS.
PS - bugs (SNMP is not working/recent DoS vulnerability) in our current version are forcing us to upgrade to a new release.
current - Version 9.14(2)15
fixed - Version 9.14(3)9
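Added example, not part of the post above and not Cisco code: a small Python check that applies the quoted mode rule to saved "show version" output, for example when inventorying several Firepower ASAs before an upgrade. The function names, the FPR-1xxx model-string pattern, and the assumption that "show fxos mode" output contains the word "platform" or "appliance" are illustrative assumptions.

```python
import re

# Constructed sample: three lines taken from the "show version" output in this thread.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(4)15
Firepower Extensible Operating System Version 2.2(2.121)
Hardware: FPR-2110, 6842 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
"""

ASA_RE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")
HW_RE = re.compile(r"^Hardware:\s+(FPR-\d+)", re.M)


def parse_show_version(text):
    """Return (model, (major, minor, maintenance, interim)); raise on other input."""
    asa, hw = ASA_RE.search(text), HW_RE.search(text)
    if not asa or not hw:
        raise ValueError("not a Firepower ASA 'show version' output")
    major, minor, maint, interim = asa.groups()
    return hw.group(1), (int(major), int(minor), int(maint), int(interim or 0))


def fxos_mode(model, version, show_fxos_mode_output=None):
    """Apply the quoted rule; returns 'platform', 'appliance' or 'unknown'."""
    series = model.split("-", 1)[1]
    if len(series) == 4 and series.startswith("1"):
        return "appliance"            # Firepower 1000: Appliance mode only
    if not series.startswith("21"):
        return "unknown"              # rule quoted above covers 1000/2100 only
    if version[:2] <= (9, 12):
        return "platform"             # 9.12 and earlier: Platform mode only
    # 9.13 and later: the version alone is not enough, because an upgraded
    # Platform-mode device stays in Platform mode. Use "show fxos mode" output.
    out = (show_fxos_mode_output or "").lower()
    if "invalid input" in out:
        return "unknown"              # command missing: output does not match 9.13+
    for mode in ("platform", "appliance"):   # assumed wording of the output
        if mode in out:
            return mode
    return "unknown"


def upgrade_path(mode):
    """Map the mode to where the upgrade is driven from, per the replies here."""
    return {"platform": "FXOS", "appliance": "ASA CLI or ASDM"}.get(
        mode, "run 'show fxos mode' first")
```
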
02-11-2022 07:31 AM
Thanks, I am looking into it...
02-11-2022 07:58 AM
I looked into the link but I did not find any instructions to upgrade the version for the ASA from ASA. (The instructions are for ASA to FTD, or FTD to ASA.)
My question here is, should I do it the transitional way:
- log on to ASDM
- Upload new image to disk0
- Set system boot to new image
- Reload the firewall
Please advise.
02-11-2022 07:20 AM
Also, please check out this link, it might be helpful:
02-11-2022 08:01 AM
Hi Aref, I think I could not even do step 1. I could not find a way to access the Chassis Manager.
Step 1 | Connect to the Firepower Chassis Manager. |
02-11-2022 08:19 AM - edited 02-11-2022 08:23 AM
Hi Loc, I hope you're doing well, long time no speak! To connect to the chassis manager you need to open your browser and connect to its IP. Alternatively, you can connect to the FXOS CLI via the command "connect fxos", if you need to go back to the ASA mode then you can use the command "connect asa" or exit from the FXOS CLI if you have finished.
02-11-2022 08:32 AM
Yes Sir, It is great to chat with you again.
This is a new firewall that I took over from another team. He is on PTO for a month now. Luckily I just got information that he will be back next Monday.
Basically, I don't know how to get into the chassis. A web browser to the mgmt IP leads to the ASDM. Do you think there is another IP for the chassis manager?
Please see the attachment.
02-11-2022 08:35 AM - edited 02-11-2022 08:36 AM
02-11-2022 08:46 AM
Same to me my friend! So from the screenshot I see the chassis manager seems to be reachable via the URL "https://firepower-2110". If you try to resolve the hostname "firepower-2110" do you get anything? Also, if you try to click directly on that link from the ASDM, does it take you to the chassis manager page?
02-11-2022 08:51 AM
Nope, it doesn't resolve to anything. I did try to ping the name from the firewall, it doesn't work either.
02-11-2022 09:02 AM
Might be using the default IP 192.168.45.45. Try to do this please: go into the FXOS CLI via the command "connect fxos" and then into the fabric interconnect via the command "scope fabric-interconnect a", and finally do "show". If you see the IP address 192.168.45.45 then I would say the chassis manager IP has never been configured. In that case please go through the steps in this link:
Change the FXOS and ASA Management IP Addresses or Gateway
02-11-2022 09:09 AM
Thanks Aref,
I think it can wait until next week when my colleague comes back. We will send a tech there if we cannot do it remotely.
You have a nice weekend ahead!