10-29-2019 12:55 PM - edited 02-21-2020 09:38 AM
Hello,
I'm attempting to get our SFR module on an ASA5525-X upgraded from 6.2.2 to 6.2.3. I downloaded the Cisco Network Sensor Upgrade (v6.2.1 and above) Version 6.2.3-83 as directed by the Cisco downloads page. I uploaded the file to our FMC (v6.2.3) and attempted the upgrade.
The upgrade hung for about 1 hr 45 min at 26% before I decided to give TAC a jingle. After about another half an hour (upgrade still stuck at 26%) I got an engineer on the line. He restarted the SFR module and we gave it another shot. Same spot: at 26% it just hangs there for over an hour. We tried this one more time before I had to call it a day.
Log just shows this:
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_update.sh...
ui:[ 1%] Running script 000_start/100_start_messages.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_sync.pl...
ui:[ 4%] Running script 000_start/107_version_check.sh...
ui:[ 6%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 8%] Running script 000_start/125_verify_bundle.sh...
ui:[10%] Running script 000_start/400_run_troubleshoot.sh...
ui:[11%] Running script 200_pre/001_check_reg.pl...
ui:[11%] Running script 200_pre/002_check_mounts.sh...
ui:[12%] Running script 200_pre/003_check_health.sh...
ui:[15%] Running script 200_pre/100_check_correlation_rules.pl...
ui:[20%] Running script 200_pre/201_disable_faild.sh...
ui:[20%] Running script 200_pre/202_disable_syncd.sh...
ui:[21%] Running script 200_pre/400_restrict_rpc.sh...
ui:[21%] Running script 200_pre/470_revert_prep.sh...
ui:[22%] Running script 200_pre/500_stop_system.sh...
ui:[23%] Running script 200_pre/600_ftd_onbox_data_export.sh...
ui:[24%] Running script 200_pre/999_enable_sync.sh...
ui:[26%] Running script 300_os/100_install_Fire_Linux_OS.sh...
This is all in preparation to upgrade our FMC to 6.5.0 as directed by our "Multi-State Information Sharing & Analysis Center"
Aka MS-ISAC, which informed us that they have found multiple vulnerabilities in all FMC versions prior to 6.5.0
(CVE-2019-12687, CVE-2019-12688)
Any help would be appreciated. Thank you.
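The upgrade log in the post above records only which script is running and the percentage; nothing tells you directly that the process has stalled or whether repeated attempts die on the same step. The following is an added example (not from the original post or from Cisco) that parses those `ui:[..%] Running script ...` lines, splits the log into attempts at each `ui:Upgrade has begun.` marker, and reports the last step reached per attempt. The sample log is constructed from the excerpt above, with a second attempt appended to mirror the retry the poster described.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample log (not captured from a device): the first post's excerpt,
# shortened, followed by a second attempt that ends on the same step.
SAMPLE_LOG = """\
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_update.sh...
ui:[ 8%] Running script 000_start/125_verify_bundle.sh...
ui:[11%] Running script 200_pre/001_check_reg.pl...
ui:[22%] Running script 200_pre/500_stop_system.sh...
ui:[26%] Running script 300_os/100_install_Fire_Linux_OS.sh...
ui:Upgrade has begun.
ui:[ 0%] Running script 000_start/000_check_update.sh...
ui:[26%] Running script 300_os/100_install_Fire_Linux_OS.sh...
"""

BEGIN_MARKER = "ui:Upgrade has begun."
# Matches e.g. "ui:[ 4%] Running script 000_start/106_check_HA_sync.pl..."
STEP_RE = re.compile(r"^ui:\[\s*(\d{1,3})%\] Running script (\S+?)\.\.\.$")


class Step(NamedTuple):
    percent: int
    phase: str    # directory part of the script path, e.g. "300_os"
    script: str   # file part, e.g. "100_install_Fire_Linux_OS.sh"


def split_attempts(log_text: str) -> List[List[str]]:
    """Return one list of log lines per upgrade attempt, split at the begin marker."""
    attempts: List[List[str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line == BEGIN_MARKER:
            attempts.append([])
        elif attempts:            # lines before the first marker are ignored
            attempts[-1].append(line)
    return attempts


def parse_steps(lines: List[str]) -> List[Step]:
    """Extract (percent, phase, script) from the progress lines of one attempt."""
    steps: List[Step] = []
    for line in lines:
        m = STEP_RE.match(line)
        if m:
            phase, _, script = m.group(2).partition("/")
            steps.append(Step(int(m.group(1)), phase, script))
    return steps


def attempt_endpoints(log_text: str) -> List[Step]:
    """Last step reached by each attempt that produced at least one progress line."""
    ends: List[Step] = []
    for lines in split_attempts(log_text):
        steps = parse_steps(lines)
        if steps:
            ends.append(steps[-1])
    return ends


def stalled_step(log_text: str) -> Optional[Step]:
    """Last step of the most recent attempt, or None if no attempt has logged progress."""
    ends = attempt_endpoints(log_text)
    return ends[-1] if ends else None


def repeated_stall(log_text: str) -> bool:
    """True when two or more attempts all stopped on the same script."""
    ends = attempt_endpoints(log_text)
    return len(ends) >= 2 and len({(e.phase, e.script) for e in ends}) == 1


if __name__ == "__main__":
    for n, end in enumerate(attempt_endpoints(SAMPLE_LOG), start=1):
        print(f"attempt {n}: stopped at {end.percent}% in {end.phase}/{end.script}")
    if repeated_stall(SAMPLE_LOG):
        print("every attempt ends on the same step; collect the full upgrade log for that script before retrying")
```

Pointing the script at the full upgrade log (rather than the UI summary) is what a practitioner would do before a third retry: a stall that repeats on the same script is a different problem from one that moves around, and the attempt-by-attempt summary makes that distinction visible at a glance.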
10-29-2019 09:02 PM
I'd hold off on going all the way to 6.5 in production just yet. 6.4.0.4 is the current recommended release and it addresses the vulnerabilities you mentioned:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce
Often when an ASA firepower service module is giving significant upgrade problems it is easier to just re-image it and re-register and apply policy from the FMC.
I would recommend you first upgrade your FMC to 6.4 and then on to 6.4.0.4 (or possibly the latest 6.4 patch - currently 6.4.0.6). Then re-image your Firepower service module to 6.4. Register it to FMC and apply policy. Finally, patch it to the same level as FMC and sync policy one last time.
11-01-2019 08:46 AM
Hi Marvin,
Thank you for your input. We went ahead and re-imaged the SFR module with TAC's assistance. The process was painfully slow (5 hr call with TAC) and now we're not able to get it registered with the FMC. I decided to restart the FMC this morning and it decided to take an extra long time to start services (over 2 hrs now..). It actually just finished booting now as I type this :).
I'll try re-registering now after the FMC reboot.
11-01-2019 07:10 PM
If you're unable to re-register after re-image it is probably due to a stale database entry in FMC. There is a process to remove such entries but it's best done with TAC assistance as it involves direct manipulation of the database from cli.
One workaround that I've found to be effective is to re-register using a new IP address from the Firepower service module. That will create a new entry in the sftunnel.conf file on the FMC side and avoid trying to use the stale entry.
11-07-2019 12:29 PM
I went down that road of letting TAC make changes to the database. Even after changing the IP of the SFR module we weren't able to get it to register. I found a post here: https://community.cisco.com/t5/firepower/adding-firepower-to-fmc-issue/td-p/3310112 where @NETAD was able to get theirs registered by using a Network Discovery ACP rather than a Balanced ACP.
That worked for me. So in the end, both my FMC and SFR module are at 6.2.3. I'll be working on upgrading both to 6.4.0.4 soon.
Thanks for your help @Marvin Rhoads
03-27-2020 10:03 AM
Hi Marvin,
I am facing a similar issue, attempting to upgrade the FP module on an ASA 5508. I have completed the ASA and ASDM SW upgrades already. Currently ASA SW 9.12(3)7, ASDM SW 7.12(2), FP MOD SW 6.2.0.6. I tried and failed to upgrade the FP MOD to Cisco_Network_Sensor_Patch-6.2.3.15-38.sh.REL.tar in ASDM, just got the generic upgrade failed msg after upload ran for several minutes. Do I need to upgrade to 6.2.3 base first? Also what would be the full path (interim upgrades) to be able to end with Cisco_Network_Sensor_Patch-6.4.0.8-28.sh.REL.tar? Thanks
03-27-2020 08:58 PM
The release notes generally specify the upgrade path that you should follow.
The 6.4.0.8 release notes tell us you need to be at 6.4.0 first before installing any 6.4.0.x patch:
You can upgrade to 6.4.0 directly from your 6.2.3.15 build 38:
03-30-2020 09:33 AM
Thanks for pointing me to the release notes, my upgrade did also fail attempting 6.2.2 to 6.2.3.15 build 38. From the 6.4.0 upgrade release notes, it seems the path is 6.2.2 > 6.2.3 base > 6.4.0 base > 6.4.0.8 build 28.