Reimage Firepower module in Cisco 5500-X firewall models


Prerequisites

Cisco ASA with the Firepower service module installed.

Console connectivity to the device.

Web server or FTP server to host the Firepower service (system) image.

Correct Firepower system image for the selected hardware model (e.g. asasfr-sys-6.1.0-330.pkg), downloaded from the Cisco website.

Correct Firepower Service boot image for the selected hardware model (e.g. asasfr-5500x-boot-6.1.0-330.img), downloaded from the Cisco website.

TFTP server connected to the same network (used to copy the boot image to the ASA flash).

Steps of re-imaging:

  1. Start the console connection to the ASA 5500-X device.
  2. Copy the Firepower boot image to the ASA flash storage using the TFTP server or ASDM, then verify that the image is present in flash:
     asa(config)# show flash:/
     disk0:/.boot_string
     disk0:/asa941-lfbff-k8.SPA
     disk0:/asa971-lfbff-k8.SPA
     disk0:/asasfr-5500x-boot-6.1.0-330.img
     disk0:/asdm-761.bin
     disk0:/asdm-771.bin
     disk0:/coredumpinfo
     disk0:/crypto_archive
     disk0:/log
     disk0:/oldconfig_2017Mar17_0718.cfg
     disk0:/startup-380.cfg
  3. Shut down and uninstall the existing SourceFire (sfr) module, if one is present:
     asa(config)# sw-module module sfr uninstall
  4. Point the sfr module at the new boot image using the recover command (the image name must match the file in flash exactly):
     asa(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.1.0-330.img
  5. Enable module boot debugging so the recover process is visible on the console:
     asa(config)# debug module-boot
  6. Start the recover with the new image:
     asa(config)# sw-module module sfr recover boot
     Module sfr will be recovered. This may erase all configuration and all data
     on that device and attempt to download/install a new image for it. This may take
     several minutes.
     Recover module sfr? [confirm]
     Recover issued for module sfr.
     Mod-sfr 8> ***
     Mod-sfr 9> *** EVENT: Disk Image created successfully.
     Mod-sfr 10> *** TIME: 08:12:28 UTC Mar 17 2017
     Mod-sfr 11> ***
     Mod-sfr 12> ***
     Mod-sfr 13> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0/
     Mod-sfr 14> asasfr-5500x-boot-6.1.0-330.img, Num CPUs: 3, RAM: 2249MB, Mgmt MAC: 18:8B:9D:40:51
     Mod-sfr 15> :6D, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio, Dev
     Mod-sfr 16> ***
     Mod-sfr 17> *** EVENT: Start Parameters Continued: RegEx Shared Mem: 0MB, Cmd Op: r, Shared Mem
     Mod-sfr 18>  Key: 8061, Shared Mem Size: 16, Log Pipe: /dev/ttyS0_vm1, Sock: /dev/ttyS1_vm1, Me
     Mod-sfr 19> m-Path: -mem-path /hugepages
     Mod-sfr 20> *** TIME: 08:12:29 UTC Mar 17 2017
     Mod-sfr 21> ***
     Mod-sfr 22> Status: Mapping host 0x2aab37e00000 to VM with size 16777216
     Mod-sfr 23> Warning: vlan 0 is not connected to host network
     Mod-sfr 24> ISOLINUX 3.73 2009-01-25  Copyright (C) 1994-2008 H. Peter Anvin
     Mod-sfr 25>                    Cisco SFR-BOOT-IMAGE and CX-BOOT-IMAGE for SFR - 6.1.0
     Mod-sfr 26>     (WARNING: ALL DATA ON DISK 1 WILL BE LOST)
     Mod-sfr 27> Loading bzImage.......................................................
     Mod-sfr 28> Loading initramfs.gz..................................................
     Mod-sfr 29> ......................................................................
     Mod-sfr 30> ...............

     [Output omitted]

     Mod-sfr 367> INIT: version 2.86 booting
     Mod-sfr 368> [   10.356474] udevd version 124 started
     Mod-sfr 369> Please wait: booting...
     Mod-sfr 370> mount: sysfs already mounted or /sys busy
     Mod-sfr 371> mount: according to mtab, sysfs is already mounted on /sys
     Mod-sfr 372> Starting udev [   10.849261] udev: renamed network interface eth0 to cplane
     Mod-sfr 373> [   10.879128] udev: renamed network interface eth1 to eth0
     Mod-sfr 374> [   11.379166] end_request: I/O error, dev fd0, sector 0
     Mod-sfr 375> [   11.402310] end_request: I/O error, dev fd0, sector 0
     Mod-sfr 376> INIT: Entering runlevel: 5
     Cisco FirePOWER Services Boot Image 6.1.0

     Wait 2-5 minutes for the module to load properly.

  7. Log in to the module console session:
     asa(config)# session sfr console
     Opening console session with module sfr.
     Connected to module sfr. Escape character sequence is 'CTRL-^X'.
     Cisco FirePOWER Services Boot Image 6.1.0
     asasfr login: admin
     Password: Sourcefire
     Cisco FirePOWER Services Boot 6.1.0 (330)

  8. Run the setup command and configure the management interface (hostname, IPv4 address, netmask, gateway and DNS server):
     asasfr-boot>setup
     Welcome to Cisco FirePOWER Services Setup
                   [hit Ctrl-C to abort]
                 Default values are inside []
     Enter a hostname [asasfr]: asasfr
     Do you want to configure IPv4 address on management interface?(y/n) [Y]: 92.168.3.44
     Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
     Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
     Enter an IPv4 address [192.168.8.8]: 192.168.3.44
     Enter the netmask [255.255.255.0]: 255.255.255.0
     Enter the gateway [192.168.8.1]: 192.168.3.1
     Need a valid IPv4 address, please enter again.
     Enter the gateway [192.168.8.1]: 192.168.3.1
     Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
     Stateless autoconfiguration will be enabled for IPv6 addresses.
     Enter the primary DNS server IP address: 8.8.8.8
     Do you want to configure Secondary DNS Server? (y/n) [n]: n
     Do you want to configure Local Domain Name? (y/n) [n]: n
     Do you want to configure Search domains? (y/n) [n]: n
     Do you want to enable the NTP service? [Y]: N
     Please review the final configuration:
     Hostname:               asasfr
     Management Interface Configuration
     IPv4 Configuration:     static
             IP Address:     192.168.3.44
             Netmask:        255.255.255.0
             Gateway:        192.168.3.1
     IPv6 Configuration:     Stateless autoconfiguration
     DNS Configuration:
            DNS Server:                        8.8.8.8
     NTP configuration:      Disabled
     CAUTION:
     You have selected IPv6 stateless autoconfiguration, which assigns a global address
     based on network prefix and a device identifier. Although this address is unlikely
     to change, if it does change, the system will stop functioning correctly.
     We suggest you use static addressing instead.
     Apply the changes?(y,n) [Y]: Y
     Configuration saved successfully!
     Applying...
     Restarting network services...Done.
     Press ENTER to continue...
     asasfr-boot>

  9. Install the Firepower system image over HTTP from the web server (the module management interface configured in setup must be able to reach that server) and start the reimage:
     asasfr-boot>system install http://192.168.3.29/abc/asasfr-sys-6.1.0-330.pkg
     Mod-sfr 378> asasfr login: [  232.134610]  vda: vda1
     Mod-sfr 379> [  236.168151] Adding 4194752k swap on /dev/vda1.  Priority:-1 extents:1 across:41
     Mod-sfr 380> 94752k
     Verifying
     Downloading
     Extracting
     Package Detail
             Description:                    Cisco ASA-SFR 6.1.0-330 System Install
             Requires reboot:                Yes
     Do you want to continue with upgrade? [y]: y
     Warning: Please do not interrupt the process or turn off the system.
     Doing so might leave system in unusable state.
     Mod-sfr 381> [ 2935.100108] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 GB/3.00
     Mod-sfr 382> GiB)
     Mod-sfr 383> [ 2935.104102] sd 0:0:0:0: [sda] Write Protect is off
     Mod-sfr 384> [ 2935.106686] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn'
     Mod-sfr 385> t support DPO or FUA
     Mod-sfr 386> [ 2935.111345]  sda: unknown partition table
     Upgrading
     Starting upgrade process ...Mod-sfr 387> [ 2938.124811] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 GB/3.00
     Mod-sfr 388> GiB)
     Mod-sfr 389> [ 2938.128381] sd 0:0:0:0: [sda] Write Protect is off
     Mod-sfr 390> [ 2938.131125] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn'
     Mod-sfr 391> t support DPO or FUA
     Mod-sfr 392> [ 2938.135750]  sda: sda1 sda2

     [Output omitted]

     Mod-sfr 404> [ 3057.404383] EXT3-fs: mounted filesystem with ordered data mode.
     Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
     Broadcast message from root (ttyS1) (Fri Mar 17 09:08:12 2017):
     The system is going down for reboot NOW!
     Mod-sfr 405> INIT: Switching to runlevel: 6
     Mod-sfr 406> INIT: Sending processes the TERM signal

     [Output omitted]

     Mod-sfr 109> ************ Attention *********
     Mod-sfr 110>    Initializing the configuration database.  Depending on available
     Mod-sfr 111>    system resources (CPU, memory, and disk), this may take 30 minutes
     Mod-sfr 112>    or more to complete.
     Mod-sfr 113> ************ Attention *********

     This process will take 30-40 minutes.

  10. Check the module status from the ASA. While the configuration database is still initializing, the sfr module shows a status of Recover; repeat the check until it reports Up:
     asa(config)# sh module
     Mod  Card Type                                    Model              Serial No.
     ---- -------------------------------------------- ------------------ -----------
        1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD192800EB
      sfr Unknown                                      N/A                JAD192800EB

     Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
     ---- --------------------------------- ------------ ------------ ---------------
        1 188b.9d40.516e to 188b.9d40.5177  1.0          1.1.8        9.7(1)
      sfr 188b.9d40.516d to 188b.9d40.516d  N/A          N/A

     Mod  SSM Application Name           Status           SSM Application Version
     ---- ------------------------------ ---------------- --------------------------

     Mod  Status             Data Plane Status     Compatibility
     ---- ------------------ --------------------- -------------
        1 Up Sys             Not Applicable
      sfr Recover            Not Applicable
     asa(config)#

  11. Configure the Firepower module, then manage it using ASDM or Firepower Management Center.
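Step 10 has to be repeated until the sfr row changes from Recover to Up. The following Python is an added example, not part of the original post, that reads the status table of "show module" output and classifies the sfr module; the sample tables are constructed from the output above, and the Up / Compatible row assumes the layout of a completed reimage.

```python
import re
# Constructed samples of the final "show module" table: the first mirrors the
# page's output while the recover runs, the second assumes the table once sfr is Up.
SHOW_MODULE_DURING = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Recover            Not Applicable
asa(config)#
"""
SHOW_MODULE_AFTER = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up                    Compatible
asa(config)#
"""

READY_STATES = {"Up"}
IN_PROGRESS_STATES = {"Recover", "Init", "Unresponsive"}  # reimage not finished
HEADER = re.compile(r"^(\s*Mod\s+)(Status\s+)Data Plane Status\s+Compatibility")

def parse_module_status(output: str) -> dict:
    """Return {module: status}. Column bounds are taken from the header line
    because the table is fixed width and a status can be two words ("Up Sys")."""
    statuses = {}
    mod_end = status_end = None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            mod_end = len(m.group(1))
            status_end = mod_end + len(m.group(2))
            continue
        if mod_end is None or not line.strip() or line.lstrip().startswith("-"):
            continue  # before the header, a blank line, or the separator row
        if line.rstrip().endswith("#"):
            break  # the CLI prompt follows the table
        statuses[line[:mod_end].strip()] = line[mod_end:status_end].strip()
    return statuses

def reimage_state(output: str) -> str:
    """'ready' once sfr is Up, 'in-progress' while it shows Recover/Init,
    'missing' if there is no sfr row (uninstalled), otherwise 'unknown'."""
    status = parse_module_status(output).get("sfr")
    if not status:
        return "missing"
    word = status.split()[0]
    if word in READY_STATES:
        return "ready"
    return "in-progress" if word in IN_PROGRESS_STATES else "unknown"
```

Feed it the text captured from the console (for example via a terminal log) after each "sh module" and only proceed to step 11 when it returns "ready".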