cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1630
Views
0
Helpful
7
Replies

Upgrade SFR Module from 6.2.2 to 6.2.3 on ASA5525-X

-Sparrow-
Beginner
Beginner

Hello,

I'm attempting to get our SFR module on a ASA5525-X upgraded from 6.2.2 to 6.2.3. I downloaded the Cisco Network Sensor Upgrade (v6.2.1 and above) Version 6.2.3-83 as directed by the Cisco downloads page.  I uploaded the file to our FMC (v6.2.3) and attempted the upgrade.  

 

The upgrade hung for about 1 hr 45 min at 26%  before I decided to give TAC a jingle. After about another half an hour (upgrade still stuck 26%) I got an engineer on the line. He restarted the SFR module and we gave it another shot.. Same spot, at 26% it just hangs there for over an hour. We tried this one more time before I had to call it a day.  

 

Log just shows this:

ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_update.sh...
ui:[ 1%] Running script 000_start/100_start_messages.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_sync.pl...
ui:[ 4%] Running script 000_start/107_version_check.sh...
ui:[ 6%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 8%] Running script 000_start/125_verify_bundle.sh...
ui:[10%] Running script 000_start/400_run_troubleshoot.sh...
ui:[11%] Running script 200_pre/001_check_reg.pl...
ui:[11%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[15%] Running script 200_pre/100_check_correlation_rules.pl...
ui:[20%] Running script 200_pre/201_disable_faild.sh...
ui:[20%] Running script 200_pre/202_disable_syncd.sh...
ui:[21%] Running script 200_pre/400_restrict_rpc.sh...
ui:[21%] Running script 200_pre/470_revert_prep.sh...
ui:[22%] Running script 200_pre/500_stop_system.sh...
ui:[23%] Running script 200_pre/600_ftd_onbox_data_export.sh...
ui:[24%] Running script 200_pre/999_enable_sync.sh...
ui:[26%] Running script 300_os/100_install_Fire_Linux_OS.sh...

 

This is all in preparation to upgrade our FMC to 6.5.0 as directed by our "Multi-State Information Sharing & Analysis Center"

Aka MS-ISAC which informed us that they have found multiple vulnerabilities in the all FMC versions prior to 6.5.0 

(CVE-2019-12687, CVE-2019-12688)

 

Any help would be appreciated. Thank you.

 

 

1 Accepted Solution

Accepted Solutions

I went down that road of letting TAC make changes to the database.  Even after changing the IP of the SFR module we weren't able to get it to register.  I found a post here:  https://community.cisco.com/t5/firepower/adding-firepower-to-fmc-issue/td-p/3310112 where @NETAD was able to get theirs registered by using a Network Discovery ACP rather than a Balanced ACP.

 

That worked for me.  So in the end, both my FMC and SFR module are at 6.2.3.  I'll be working on upgrading both to 6.4.0.4 soon.

 

Thanks for your help @Marvin Rhoads 

View solution in original post

7 Replies 7

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

I'd hold off on going all the way to 6.5 in production just yet. 6.4.0.4 is the current recommended release and it addresses the vulnerabilities you mentioned:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce

Often when an ASA firepower service module is giving significant upgrade problems it is easier to just re-image it and re-register and apply policy from the FMC.

I would recommend you first upgrade your FMC to 6.4 and then on to 6.4.0.4 (or possibly the latest 6.4 patch - currently 6.4.0.6). Then re-image your Firepower service module to 6.4. Register it to FMC and apply policy. finally patch it to the same level as FMC and sync policy one last time.

Hi Marvin,

 

Thank you for your input.  We went ahead and re-imaged the SFR module with TAC's assistance.  The process was painfully slow (5hr call with TAC) and now we're not able to get it registered with the FMC.   I decided to restart the FMC this morning and its decided to take an extra long time to start services (over 2hrs now..).  It actually just finished booting now as I type this :).

 

I'll try re-registering now after the FMC reboot.

If you're unable to re-register aft4er re-image it is probably due to a stale database entry in FMC. There is a process to remove such entries but it's best done with TAC assistance as it involves direct manipulation of the database from cli.

One workaround that I've found to be effective to to re-register using a new IP address from the Firepower service module. That will create a new entry in the sftunnel.conf file on the FMC side and avoid trying to use the stale entry.

I went down that road of letting TAC make changes to the database.  Even after changing the IP of the SFR module we weren't able to get it to register.  I found a post here:  https://community.cisco.com/t5/firepower/adding-firepower-to-fmc-issue/td-p/3310112 where @NETAD was able to get theirs registered by using a Network Discovery ACP rather than a Balanced ACP.

 

That worked for me.  So in the end, both my FMC and SFR module are at 6.2.3.  I'll be working on upgrading both to 6.4.0.4 soon.

 

Thanks for your help @Marvin Rhoads 

Hi Marvin,

I am facing a similar issue, attempting to upgrade the FP module on an ASA 5508. I have completed the ASA and ASDM SW upgrades already. Currently ASA SW 9.12(3)7,ASDM SW 7.12(2), FP MOD SW 6.2.0.6. I tried and failed to upgrade the FP MOD to Cisco_Network_Sensor_Patch-6.2.3.15-38.sh.REL.tar in ASDM, just got the generic upgrade failed msg after upload ran for several minutes. Do I need to upgrade to 6.2.3 base first? Also what would be the full path(interim upgrades) to be able to end with Cisco_Network_Sensor_Patch-6.4.0.8-28.sh.REL.tar? Thanks

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

The release notes generally specify the upgrade path that you should follow.

The 6.4.0.8 release notes tell us you need to be at 6.4.0 first before installing any 6.4.0.x patch:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/640x/relnotes/firepower-release-notes-640x/upgrade.html#id_88320

You can upgrade to 6.4.0 directly from your 6.2.3.15 build 38:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/relnotes/firepower-release-notes-640/upgrade.html#id_88320

Thanks for pointing me to the release notes, my upgrade did also fail attempting 6.2.2 to 6.2.3.15 build 38. From the 6.4.0 upgrade release notes, it seems the path is 6.2.2 > 6.2.3 base > 6.4.0 base > 6.4.0.8 build 28.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers