
Upgrade readiness check complete status:Failed - SFR module

draganaxl55
Level 1

Hi all,

I'm trying to install Cisco_Network_Sensor_Hotfix_A-6.2.0.1 with the web GUI.

The Readiness Check status shows this:

Failure Logs@ /var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/upgrade_readiness

When I open main_upgrade_script.log, this error shows up:

FAILED  200_pre/006_check_snort.sh

Currently the sfr module has version 6.2.0-362.

Can anyone please figure out how to solve this problem?

Regards,

16 Replies

Marvin Rhoads
Hall of Fame

First make sure you have a current VDB downloaded to your FMC and then deploy the current Access Control Policy to the sensor. That will ensure that the Snort rules are current on the sensor and restart the Snort engine - a common cause of that error.

If that's all OK and it still fails, you can look at the details of the failure by going onto the sensor in cli expert mode and looking at the directory:

/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/200_pre

You should see a file named 006_check_snort.log which is a verbose log telling you exactly why this update attempt failed. A successful log file looks like this:

admin@firepower:/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/200_pre$ more 006_check_snort.sh.log
**********************************************************
[170217 12:55] Starting script: 200_pre/006_check_snort.sh
Entering 200_pre/006_check_snort.sh...
MODEL is Elektra sensor
Exiting 200_pre/006_check_snort.sh.
admin@firepower:/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/200_pre$

Hi Marvin,

thanks for your answer,

The current VDB version is Build 279. On the Updates tab there is an update available for Sourcefire Vulnerability and Fingerprint Database Updates - Version 279. When I click install, it gives me the following info:

- No valid appliances available for Sourcefire Vulnerability and Fingerprint Database Updates 279

This update has either already been applied or cannot be applied to this version.

FYI - The following directory does not exist. Between "Cisco_Network_Sensor...." and "200_pre" there is one more folder, "upgrade_readiness":

/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/200_pre

/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/upgrade_readiness/200_pre$

The file 006_check_snort.log gives me the following output:

MODEL is Elektra sensor
Snort build is too old. Please apply AC Policy from DC before attempting upgradee

What is "Snort build"? The version of the software or the signatures?

Thank you,

Yes - sorry about mixing up the correct folder name.

What does your sensor show when you type "show version" (from the user shell - i.e., not in expert mode)?

Snort build is the version of Snort (which is included automatically as you apply various upgrades).

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5516 v6.2.0 (build 362)

> show version
-------------------[ firepower2 ]-------------------
Model : ASA5516 (72) Version 6.2.0 (Build 362)
UUID : 0907cb82-0c39-11e7-ba37-a49b16e4d57a
Rules update version : 2017-03-20-001-vrt
VDB version : 279
--------------------------------------------------

Thanks for your super fast reply :)

Hmm that all looks in order.

How about instead of the readiness check you just go ahead and try to deploy the hotfix directly? It might work then since it appears you have the latest rules and VDB.

The update failed at 10%.

How can I check the log about this?

Thank you,

Might be the same thing - the original directory I mentioned should be the correct one. Look for the latest subdirectory there and check its log file.

If that's so, then I would recommend opening a TAC case for more detailed analysis. 

There are 2 directories with this log.

/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/200_pre
/var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1/upgrade_readiness/200_pre

They both have the same file 006_check_snort.sh.log and the following output:

[170323 10:53] Starting script: 200_pre/006_check_snort.sh
Entering 200_pre/006_check_snort.sh...
MODEL is Elektra sensor
Snort build is too old. Please apply AC Policy from DC before atteing upgradee

I saw one other fellow report that same problem and he never did reply back with his final resolution.

I suspect it is a bug and recommend you open a TAC case to investigate further.

Please let us know what you find.

Do you think it would be OK if I reset the sfr modules and downgrade them to version 6.1.0?

Or some other suggestion?

Thank you!

Re-imaging is usually a last resort.

Why not just open a TAC case? If you are upgrading that implies you have service entitlement.

I just downgraded both devices to version 6.1.0. We connected them to the firesight manager center. The readiness check was successful. I tried to install the patch, and still don't know if the installation is successful.

I also had this problem and re-deployed my access control policy and then pushed and it worked.

Yes, same here - after upgrading Firepower Management Center to 6.2.2, the Access Control Policy needs to be redeployed before you proceed to update the Network Sensor.
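
Added example, not part of any post in this thread and not Cisco tooling: a small shell helper for the log walk described above, which reads main_upgrade_script.log in both the hotfix log directory and its upgrade_readiness subfolder and prints the last lines of each failed step's own log. The function names are hypothetical, the sample tree is constructed from the paths and log lines quoted in the thread, and it assumes main_upgrade_script.log sits next to the step folders.

```shell
#!/bin/sh
# Added example: list failed upgrade steps and show why each one failed.
# Assumption: main_upgrade_script.log lives beside the step folders
# (200_pre/ ...) and marks failures as "FAILED  <step script>".

# Print the relative path of every step marked FAILED in DIR's main log.
failed_steps() {
    [ -f "$1/main_upgrade_script.log" ] || return 0
    awk '$1 == "FAILED" { print $2 }' "$1/main_upgrade_script.log" | sort -u
}

# For BASE and BASE/upgrade_readiness, print each failed step followed by
# the last lines of its own log (<step>.log), skipping banner lines.
report_failures() {
    for dir in "$1" "$1/upgrade_readiness"; do
        for step in $(failed_steps "$dir"); do
            echo "== $dir/$step"
            if [ -f "$dir/$step.log" ]; then
                grep -v -e '^\*\*\*' -e '^Entering ' -e '^Exiting ' \
                    "$dir/$step.log" | tail -n 3
            else
                echo "(no $step.log found)"
            fi
        done
    done
}

# Constructed sample tree mirroring the paths and log lines in the thread.
demo=$(mktemp -d)
base="$demo/Cisco_Network_Sensor_Hotfix_A-6.2.0.1"
mkdir -p "$base/upgrade_readiness/200_pre"
printf 'FAILED  200_pre/006_check_snort.sh\n' \
    > "$base/upgrade_readiness/main_upgrade_script.log"
cat > "$base/upgrade_readiness/200_pre/006_check_snort.sh.log" <<'EOF'
[170323 10:53] Starting script: 200_pre/006_check_snort.sh
Entering 200_pre/006_check_snort.sh...
MODEL is Elektra sensor
Snort build is too old. Please apply AC Policy from DC before atteing upgradee
EOF
report_failures "$base"
rm -rf "$demo"
```

On a sensor, the equivalent call from expert mode would be report_failures /var/log/sf/Cisco_Network_Sensor_Hotfix_A-6.2.0.1 after defining the two functions.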
