FP2100 with/ASA FXOS Configuration


Introduction:

The Firepower 2100 series platform can run either FTD or ASA software.

When the Firepower 2100 series platform runs ASA, it has two pieces of software, FXOS and ASA. Each has its own management IP address, and both share the same physical interface, Management 1/1.

ASA and FXOS each have their own authentication; the same applies to SNMP, Syslog and tech-support logs.

 


 

Toggling between the FXOS and ASA prompts:

From the FXOS prompt, use "connect asa" to go to the ASA prompt and "exit" to come back to FXOS.

From the ASA prompt, use "connect fxos" to go to the FXOS prompt and "exit" to come back to ASA.

When using the console, you log in to the FXOS prompt.

SSH/Telnet to the ASA management IP to access ASA.

SSH to the FXOS management IP to access FXOS.

 

ASA and FXOS management:

To manage ASA, you have ASDM or the CLI (SSH, Telnet). To manage FXOS, you have the CLI and FCM (Firepower Chassis Manager), a browser-based GUI tool.

 

Useful FXOS configurations:

The default FXOS management IP address for an FP2100 running ASA is 192.168.45.45.

 

Verifying and configuring the FXOS management IP address:

To verify the FXOS IP address:

firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # show detail
Fire Power:
    ID: A
    Product Name: Cisco FPR 2110
    PID: FPR-2110
    VID: V01
    Vendor: Cisco Systems, Inc.
    Serial (SN): JMX202820M4
    OOB IP Addr: 192.168.45.45
    OOB Netmask: 255.255.255.0
    OOB Gateway: 192.168.45.1
    OOB Gateway Use DataPort: No
    OOB Boot Proto: Static
    OOB IPv6 Address: ::
    Prefix: 64
    OOB IPv6 Gateway: ::
    OOB IPv6 Gateway Use DataPort: No
    IPv6 Boot Proto: Static
    DHCPD Admin State: DHCP Server Enabled

Changing the FXOS management IP address:

firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1
firepower /fabric-interconnect* # commit-buffer   (commit the buffer to save the configuration)

 

Sometimes you may get the error below:

Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / net mask 255.255.255.0 ) is not in the same network of current DHCP server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP server first or config with a different ipv4 address.]

If you get the error above, you need to either disable the DHCP server or change the DHCP range so that it lies in the same subnet as the new management IP address.

 

Disabling the DHCP server:

firepower# scope system
firepower /system* # scope services
firepower /system* # disable dhcp-server

or

firepower /system* # enable dhcp-server 10.106.143.10 10.106.143.20     (to enable the DHCP server on FXOS with the given address range)
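The management-IP change above can fail at commit-buffer when the new address is outside the FXOS DHCP server's range. The following is an added example, not code from the article or from Cisco: it parses the "show detail" output shown earlier, reads the DHCP range out of the "Update failed" error text, and decides ahead of time whether "set out-of-band static ip ... netmask ... gw ..." would be rejected, proposing a replacement DHCP range inside the new subnet when it would. The sample output and error text are constructed from the article; the function names, the pool size of 10 addresses, and the assumption that re-running "enable dhcp-server <start> <end>" is how the range is changed are mine.

```python
"""Pre-check before changing the FXOS out-of-band (OOB) management IP.

Added example (not from the original article): checks a proposed OOB
address/netmask/gateway against the current FXOS DHCP server range so
the 'not in the same network of current DHCP server IP range' error can
be anticipated before commit-buffer.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the article's 'show detail' output.
SHOW_DETAIL = """\
Fire Power:
    ID: A
    Product Name: Cisco FPR 2110
    OOB IP Addr: 192.168.45.45
    OOB Netmask: 255.255.255.0
    OOB Gateway: 192.168.45.1
    OOB Gateway Use DataPort: No
    OOB Boot Proto: Static
    DHCPD Admin State: DHCP Server Enabled
"""

# Constructed sample: the article's commit-buffer error text.
UPDATE_ERROR = (
    "Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / "
    "net mask 255.255.255.0 ) is not in the same network of current DHCP "
    "server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP "
    "server first or config with a different ipv4 address.]"
)


def parse_oob(show_detail):
    """Extract the OOB IPv4 address, netmask, gateway and DHCP server state."""
    out = {}
    for key, name in (("OOB IP Addr", "ip"), ("OOB Netmask", "netmask"),
                      ("OOB Gateway", "gateway"), ("DHCPD Admin State", "dhcpd")):
        # The colon right after the key keeps 'OOB Gateway' from matching
        # 'OOB Gateway Use DataPort'.
        m = re.search(r"^\s*" + re.escape(key) + r":\s*(.+?)\s*$", show_detail, re.M)
        if m:
            out[name] = m.group(1)
    out["dhcpd_enabled"] = "Enabled" in out.get("dhcpd", "")
    return out


def parse_dhcp_range(error_text):
    """Pull the 'start - end' DHCP range out of the FXOS error message."""
    m = re.search(r"IP range (\d+\.\d+\.\d+\.\d+) - (\d+\.\d+\.\d+\.\d+)", error_text)
    return (m.group(1), m.group(2)) if m else None


def first_free_run(net, used, size):
    """First run of `size` consecutive host addresses in `net` avoiding `used`."""
    run = []
    for host in net.hosts():
        if host in used:
            run = []          # a reserved address breaks the contiguous run
            continue
        run.append(host)
        if len(run) == size:
            return str(run[0]), str(run[-1])
    return None


def plan_mgmt_change(new_ip, new_netmask, new_gw, dhcp_range,
                     dhcpd_enabled=True, pool_size=10):
    """Say whether the OOB change would be accepted; when the DHCP range is
    the blocker, propose a replacement range inside the new subnet."""
    iface = ipaddress.IPv4Interface(f"{new_ip}/{new_netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(new_gw)
    if gw not in net:
        return {"ok": False, "reason": "gateway not in new subnet"}
    if not dhcpd_enabled:
        return {"ok": True, "reason": "DHCP server disabled"}
    start, end = (ipaddress.IPv4Address(a) for a in dhcp_range)
    if start in net and end in net:
        return {"ok": True, "reason": "DHCP range already in new subnet"}
    # Assumption: the range is changed by re-running 'enable dhcp-server <start> <end>'.
    proposal = first_free_run(net, {iface.ip, gw}, pool_size)
    return {"ok": False, "reason": "DHCP range outside new subnet",
            "proposed_dhcp_range": proposal}


if __name__ == "__main__":
    current = parse_oob(SHOW_DETAIL)
    print("current OOB:", current)
    print(plan_mgmt_change("10.106.143.40", "255.255.255.0", "10.106.143.1",
                           parse_dhcp_range(UPDATE_ERROR), current["dhcpd_enabled"]))
```

Run against the article's values, the plan reports that 10.106.143.40/24 conflicts with the 192.168.45.5 - 192.168.45.10 range and proposes 10.106.143.2 - 10.106.143.11 (skipping the gateway and the new management address) for the "enable dhcp-server" step, or a disable of the server, before commit-buffer is attempted.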

 

Setting the time, timezone and NTP:

Configuring NTP or the timezone on the ASA running on an FP2100 is restricted. The clock, timezone and NTP must be configured on FXOS, and they are then synced to ASA.

firepower# scope system
firepower /system* # scope services
firepower /system/services *# set clock oct 6 2017 17 12 00
firepower /system/services *# set timezone
firepower /system/services *# create ntp-server <ntp-server host/ip address>
firepower /system/services *# commit-buffer   (commit the buffer to save the configuration)

 

DNS configuration:

firepower# scope system
firepower /system* # scope services
firepower /system/services *# create dns 8.8.8.8 0
firepower /system/services *# create dns 203.10.5.1 1
firepower /system/services *# commit-buffer   (commit the buffer to save the configuration)

 

Discarding changes:

"discard-buffer" can be used to discard pending changes before they are committed.

8 Comments

Could you please help with NTP and port-channel configuration for ASA on the 2100 platform?

firepower-2110# scope eth-uplink
firepower-2110 /eth-uplink # scope fabric a
firepower-2110 /eth-uplink/fabric # create/enter port-channel 11
firepower-2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/10
firepower-2110 /eth-uplink/fabric/port-channel* # commit-buffer

Hi,
Thank you for the excellent primer - I've just deployed my first pair of FPR2100 with ASA, and they work very well indeed.

EXCEPT: I cannot make the FXOS console use a TACACS server (or RADIUS) for login. I define our TACACS servers (currently ACS; soon ISE) and set the authentication (both console and default) to TACACS, but I see absolutely no connection attempts on tcp/49, and I can only log in with the local fallback account, which is a no-no in our environment for anything but emergencies. (I have set the remote-user default-role to assign-default-role; once I get TACACS communication to work, I'll set the appropriate role in ACS.)

 

Cheers

 

Bernhard


Hi,

1. We have a Firepower 2110 device, which comes with the ASA 9.8.2 image. When we try to connect to ASA from FXOS, we do not get the connect asa option; there is only the connect local-mgmt option.

We cross-checked the configuration against a working firewall and there is no difference in the configuration with respect to the ASA instance. Kindly let us know what the possible issue could be and a workaround to connect to ASA.

2. Also, on the Firepower device, can we EtherChannel one copper port and one fiber port?

 

 


Very helpful! Thank you!!

 

When I tried to configure the clock and NTP on the ASA, these configuration features were no longer available on the ASA. I am assuming that NTP is only configured on FXOS under Platform Settings; is this correct?

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/firepower-chassis-manager.html

 

Thanks, ~sK


Hi, I have a scenario with the ASA image on a Firepower 2110, but with tagged ports in the ASA configuration!

The problem is how to tell the Firepower part to handle tagged ports, because they do not come up, and if they do come up (after a reboot) they are not connected to the local IP subnet (only the ASA's own local IP address on the tagged port is reachable, but not the gateway or other IP addresses within this subnet).

I tested in the lab with untagged ASA ports and they worked, with ping to the standby ASA and also ASA failover successful, but in the real environment we have tagged ports and this does not work!

So I also tested now with tagged ports in the lab with a simple Catalyst switch (in the real environment we have Nexus) and reproduced this problem at Layer 2 with tagged ASA ports.

Any ideas or experiences?


I got into a problem with the 9.9.2 train,

then tried to go to 9.8.3 and ran into a disk space issue:

not enough disk space

 

firepower-2130 /firmware # show download-task detail

Download task:
    File Name: cisco-asa-fp2k.9.8.3.11.SPA
    Protocol: Tftp
    Server: 10.83.100.104
    Port: 0
    Userid:
    Path:
    Downloaded Image Size (KB): 0
    Time stamp: 2018-10-05T13:05:20.208
    State: Failed
    Status: Internal Error - not enough disk space
    Transfer Rate (KB/s): 0.000000
    Current Task: deleting downloadable cisco-asa-fp2k.9.8.3.11.SPA on local(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:DeleteLocal)
firepower-2130 /firmware # scope system


Okay, my question is along these same lines, but a bit different. I have two FP2110s running ASA code. In the FXOS GUI, I create a port channel for the outside interface, as I want to connect each firewall to each physical switch in a pair of Catalyst 6807-XL systems running in VSS mode. I am able to create and stand up a port channel (using static, not LACP or PAgP) in the FXOS GUI with no problem. The upstream switch also shows that the EtherChannel is up and functioning. I can see the port channel in the ASA configuration, and the physical interfaces are no longer in the ASA configuration. I am running the firewall set in transparent mode, so I have a bridge interface set up, and the port channel is part of the bridge group. I have no connectivity at all this way. I am using the stand-alone FDM to configure FXOS. If I remove the port channel and use the physical interface E1/1 as the outside and E1/2 as the inside, all is working great. How do I get FXOS to allow the ASA software to use the port channel that I have created in FXOS?

 

Update: I was able to get this to work. I found that I had to enable LACP on both FXOS and the upstream switch for it to actually form the port channel in the ASA code. You cannot use non-auto negotiation between a switch and an FP2110 running ASA code.