Prerequisites
Cisco ASA with the FirePOWER services module installed.
Console connectivity to the device.
Web server or FTP server to host the FirePOWER services image.
The correct FirePOWER image for the selected hardware model (e.g. asasfr-sys-6.1.0-330.pkg), downloaded from the Cisco web site.
The correct FirePOWER services boot image for the selected hardware model (e.g. asasfr-5500x-boot-6.1.0-330.img), downloaded from the Cisco web site.
TFTP server connected to the same network.
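A pre-flight check for the two downloaded images before they are placed on the web or TFTP server, as an added example that is not part of the original page. It assumes the operator has recorded the SHA-512 values shown on the vendor download page (the `expected` mapping is hypothetical input), and that file names follow the pattern of the two examples above.

```python
import hashlib
import re
from pathlib import Path

# Name patterns generalised from the two file names on this page (assumption).
BOOT_RE = re.compile(r"^asasfr-(?P<hw>[0-9a-z]+)-boot-(?P<ver>\d+(?:\.\d+)+)-\d+\.img$")
SYS_RE = re.compile(r"^asasfr-sys-(?P<ver>\d+(?:\.\d+)+)-\d+\.pkg$")


def sha512_of(path, chunk=1 << 20):
    """Hash in chunks so large images are never read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(boot_path, sys_path, expected):
    """Return a list of problems; an empty list means the pair can be staged.

    `expected` maps file name -> SHA-512 hex digest that the operator recorded
    from the vendor download page (hypothetical input, not from this page).
    """
    problems = []
    boot, pkg = Path(boot_path), Path(sys_path)
    m_boot, m_sys = BOOT_RE.match(boot.name), SYS_RE.match(pkg.name)
    if not m_boot:
        problems.append(f"{boot.name}: not a boot image name")
    if not m_sys:
        problems.append(f"{pkg.name}: not a system package name")
    # Assumption: boot image and system package should share a release number.
    if m_boot and m_sys and m_boot["ver"] != m_sys["ver"]:
        problems.append(f"release mismatch: {m_boot['ver']} vs {m_sys['ver']}")
    for image in (boot, pkg):
        want = expected.get(image.name)
        if want is None:
            problems.append(f"{image.name}: no expected SHA-512 recorded")
        elif not image.is_file():
            problems.append(f"{image.name}: file not found")
        elif sha512_of(image) != want.strip().lower():
            problems.append(f"{image.name}: SHA-512 mismatch")
    return problems
```

A misspelled image name, such as one missing a letter in `boot`, is reported by the name check before the image path is ever typed into the ASA.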
Steps of re-imaging:
- Open a console connection to the ASA 5500-X device
- Copy the FirePOWER image to flash storage on the ASA using the TFTP server or ASDM
- Verify that the image was copied to flash
asa(config)#show flash:/
disk0:/.boot_string
disk0:/asa941-lfbff-k8.SPA
disk0:/asa971-lfbff-k8.SPA
disk0:/asasfr-5500x-boot-6.1.0-330.img
disk0:/asdm-761.bin
disk0:/asdm-771.bin
disk0:/coredumpinfo
disk0:/crypto_archive
disk0:/log
disk0:/oldconfig_2017Mar17_0718.cfg
disk0:/startup-380.cfg
- Shut down and uninstall the existing Sourcefire module, if present
asa(config)# sw-module module sfr uninstall
- Point the Sourcefire module at the new image using the recover command
asa(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.1.0-330.img
- Enable module debugging to view the recovery process
asa(config)# debug module-boot
- Start the recovery with the new image
asa(config)# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.
Recover module sfr? [confirm]
Recover issued for module sfr.
Mod-sfr 8> ***
Mod-sfr 9> *** EVENT: Disk Image created successfully.
Mod-sfr 10> *** TIME: 08:12:28 UTC Mar 17 2017
Mod-sfr 11> ***
Mod-sfr 12> ***
Mod-sfr 13> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0/
Mod-sfr 14> asasfr-5500x-boot-6.1.0-330.img, Num CPUs: 3, RAM: 2249MB, Mgmt MAC: 18:8B:9D:40:51
Mod-sfr 15> :6D, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio, Dev
Mod-sfr 16> ***
Mod-sfr 17> *** EVENT: Start Parameters Continued: RegEx Shared Mem: 0MB, Cmd Op: r, Shared Mem
Mod-sfr 18> Key: 8061, Shared Mem Size: 16, Log Pipe: /dev/ttyS0_vm1, Sock: /dev/ttyS1_vm1, Me
Mod-sfr 19> m-Path: -mem-path /hugepages
Mod-sfr 20> *** TIME: 08:12:29 UTC Mar 17 2017
Mod-sfr 21> ***
Mod-sfr 22> Status: Mapping host 0x2aab37e00000 to VM with size 16777216
Mod-sfr 23> Warning: vlan 0 is not connected to host network
Mod-sfr 24> ISOLINUX 3.73 2009-01-25 Copyright (C) 1994-2008 H. Peter Anvin
Mod-sfr 25> Cisco SFR-BOOT-IMAGE and CX-BOOT-IMAGE for SFR – 6.1.0
Mod-sfr 26> (WARNING: ALL DATA ON DISK 1 WILL BE LOST)
Mod-sfr 27> Loading bzImage………………………………………………….
Mod-sfr 28> Loading initramfs.gz………………………………………………………
Mod-sfr 29> ………………………………………………………………………..
Mod-sfr 30> …………………
————————————-
Output omitted
————————————-
Mod-sfr 367> INIT: version 2.86 booting
Mod-sfr 368> [ 10.356474] udevd version 124 started
Mod-sfr 369> Please wait: booting…
Mod-sfr 370> mount: sysfs already mounted or /sys busy
Mod-sfr 371> mount: according to mtab, sysfs is already mounted on /sys
Mod-sfr 372> Starting udev [ 10.849261] udev: renamed network interface eth0 to cplane
Mod-sfr 373> [ 10.879128] udev: renamed network interface eth1 to eth0
Mod-sfr 374> [ 11.379166] end_request: I/O error, dev fd0, sector 0
Mod-sfr 375> [ 11.402310] end_request: I/O error, dev fd0, sector 0
Mod-sfr 376> INIT: Entering runlevel: 5
Cisco FirePOWER Services Boot Image 6.1.0
Wait 2-5 minutes for the module to load properly.
- Login to session console
asa(config)# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Cisco FirePOWER Services Boot Image 6.1.0
asasfr login: admin
Password: Sourcefire
Cisco FirePOWER Services Boot 6.1.0 (330)
- Start setup using setup command
asasfr-boot>setup
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: asasfr
Do you want to configure IPv4 address on management interface?(y/n) [Y]: 92.168.3.44
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.3.44
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.3.1
Need a valid IPv4 address, please enter again.
Enter the gateway [192.168.8.1]: 192.168.3.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 8.8.8.8
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: N
Please review the final configuration:
Hostname: asasfr
Management Interface Configuration
IPv4 Configuration: static
IP Address: 192.168.3.44
Netmask: 255.255.255.0
Gateway: 192.168.3.1
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server: 8.8.8.8
NTP configuration: Disabled
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…Done.
Press ENTER to continue…
asasfr-boot>
- Set firepower image and start reimaging
asasfr-boot>system install http://192.168.3.29/abc/asasfr-sys-6.1.0-330.pkg
Mod-sfr 378> asasfr login: [ 232.134610] vda: vda1
Mod-sfr 379> [ 236.168151] Adding 4194752k swap on /dev/vda1. Priority:-1 extents:1 across:41
Mod-sfr 380> 94752k
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 6.1.0-330 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Mod-sfr 381> [ 2935.100108] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 GB/3.00
Mod-sfr 382> GiB)
Mod-sfr 383> [ 2935.104102] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 384> [ 2935.106686] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn’
Mod-sfr 385> t support DPO or FUA
Mod-sfr 386> [ 2935.111345] sda: unknown partition table
Upgrading
Starting upgrade process …
Mod-sfr 387> [ 2938.124811] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 GB/3.00
Mod-sfr 388> GiB)
Mod-sfr 389> [ 2938.128381] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 390> [ 2938.131125] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn’
Mod-sfr 391> t support DPO or FUA
Mod-sfr 392> [ 2938.135750] sda: sda1 sda2
—————-
Output omitted
—————-
Mod-sfr 404> [ 3057.404383] EXT3-fs: mounted filesystem with ordered data mode.
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.
Broadcast message from root (ttyS1) (Fri Mar 17 09:08:12 2017):
The system is going down for reboot NOW!
Mod-sfr 405> INIT: Switching to runlevel: 6
Mod-sfr 406> INIT: Sending processes the TERM signal
—————-
Output omitted
—————-
Mod-sfr 109> ************ Attention *********
Mod-sfr 110> Initializing the configuration database. Depending on available
Mod-sfr 111> system resources (CPU, memory, and disk), this may take 30 minutes
Mod-sfr 112> or more to complete.
Mod-sfr 113> ************ Attention *********
This process will take 30-40 minutes.
- Check module status
asa(config)# sh module
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD192800EB
 sfr Unknown                                      N/A                JAD192800EB

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 188b.9d40.516e to 188b.9d40.5177  1.0          1.1.8        9.7(1)
 sfr 188b.9d40.516d to 188b.9d40.516d  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Recover            Not Applicable
asa(config)#
- Configure the FirePOWER module using ASDM or Firepower Management Center.
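One way to tell from captured `sh module` output whether the re-image has finished, as an added example that is not part of the original page. The sample text is constructed from the status table in the "Check module status" step, and the "Up" / "Up" ready state is an assumption about how a fully installed module reports.

```python
import re

# Constructed sample modelled on the status table of the `sh module` output
# on this page, taken while the module is still being re-imaged.
SAMPLE = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Recover            Not Applicable
"""


def module_status(show_module_text):
    """Return {module: (status, data_plane_status)} from the status table.

    Column boundaries are read from the dashed ruler under the header, so
    multi-word values such as "Up Sys" and empty cells are kept intact.
    """
    lines = show_module_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if not re.match(r"\s*Mod\s+Status\s+Data Plane Status", line):
            continue
        spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
        if len(spans) < 3:
            return {}
        table = {}
        for row in lines[i + 2:]:
            if not row.strip() or row.lstrip().startswith("Mod"):
                break
            cells = [row[a:b].strip() for a, b in spans]
            table[cells[0]] = (cells[1], cells[2])
        return table
    return {}


def sfr_ready(show_module_text):
    """True only when the sfr row reports Up for module and data plane.

    Assumption: a fully installed module shows "Up" in both columns.
    """
    return module_status(show_module_text).get("sfr") == ("Up", "Up")
```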