Firepower 2110 - Unable to change between Appliance mode and Platform mode

thisguyhere · ‎06-10-2020

We purchased a pair of Firepower 2110's with the intent to configure them as ASA using Appliance mode. During installation we found that only certain configuration settings can be changed from FXOS, such as enabling interfaces, and speed duplex.

The documentation states that these firewalls come default in appliance mode and that all configurations should be available from ASA, this is not the case here and would appear we're running in platform mode.

The 'fxos' and 'show fxos' commands are not available, the ASA does not recognize these as valid commands so there is no option to switch between appliance and platform mode, nor confirm which mode we're currently operating.

Code is: cisco-asa-fp2k.9.12.3.12.SPA

Any help with this would be appreciated.

b.pugelnik · ‎06-10-2020

Hi,

Appliance mode is introduced in ASA version 9.13, so first you need to upgrade.

BrianSekleckiGE · ‎04-08-2022

Did this toggle function get retracted? I'm on 9.14.x and I dont see FXOS Commands inside ASA running in Appliance mode:



ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.14(1)
SSP Operating System Version 2.8(1.105)
Device Manager Version 7.14(1)

Compiled on Wed 01-Apr-20 13:10 PDT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"
Config file at boot was "startup-config"

ciscoasa up 32 mins 49 secs

Hardware: FPR-1120, 13872 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.1.0
Number of accelerators: 6

1: Int: Internal-Data0/0 : address is 00a0.c900.0002, irq 10
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 1859.f5ba.6781, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 512
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 150
AnyConnect Essentials : Disabled
Other VPN Peers : 150
Total VPN Peers : 150
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 320
Cluster : Disabled

Serial Number: xxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:41:18.589 UTC Fri Apr 8 2022
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# fxos ?
ERROR: % Unrecognized command
ciscoasa(config)# fxos

BrianSekleckiGE · ‎04-08-2022

Also, can anyone comment on the advantages of using an FRP1xxx FRP2xxx running ASA in Platform (vs default of Appliance mode?)

b.pugelnik · ‎04-19-2022

If you are in appliance mode, FXOS is used only for advanced troubleshooting. To get into FXOS from ASA you need to enter "connect fxos".

From my point of view, platform mode is pretty annoying since you need to configure device on two different places. For example, if you need to configure new interface you need to enable that interface in FXOS and in ASA but if you are in appliance mode everything is configured from ASA. Regarding stability and bugs, I didn't notice a difference.

BrianSekleckiGE · ‎04-20-2022

Thanks for insight; It would still be nice to know the process to toggle the chassis between operating modes.

I suspect Platform mode would be more appropriate mode if one is deploying FirePower chassis to the field with ASA, but planning to migrate to FXOS/NGFW mode sooner than later (without a chassis swap)

b.pugelnik · ‎04-20-2022

It's simple to switch between modes, just in ASA global configuration mode enter fxos mode appliance or platform.

Please be aware that when you are switching between modes you will lose running configuration and device will be in default configuration.

When you are switching on FTD software, there is no difference which fxos mode you are using with ASA software, since you need to reimage device.

BrianSekleckiGE · ‎05-31-2022

On an FPR-1120 Chassis, running 9.16.x (SSP manager 2.10.x), in Appliance mode, the "Fxos mode" command is missing from Global Config syntax. I think Cisco is shipping them from the factory locked in appliance mode?

(Possibly Platform mode was too confusing for blokes with no GNU/Linux/POSIX SysAdmin or Hypervisor/Virtualization experience)

ciscoasa(config)#
ciscoasa(config)# no fxos mode appliance
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.16(2)14
SSP Operating System Version 2.10(1.182)
Device Manager Version 7.16(1)

Compiled on Wed 09-Feb-22 01:55 GMT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.10.1.182.SPA"
Config file at boot was "startup-config"

ciscoasa up 29 mins 47 secs

Hardware: FPR-1120, 14336 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Number of accelerators: 6

1: Int: Internal-Data0/0 : address is 00a0.c900.0002, irq 10
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is 1859.f5ba.6781, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0

License mode: Smart Licensing

Firepower 2110 - Unable to change between Appliance mode and Platform mode

AnyConnect Certificate Based Authentication.

Getting past intermittent/unexplained 802.1x problems on Windows 7

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)