
Re-image Cisco ASA Firepower module SFR

Ziaul / ASA, Firepower, Network Security /

Re-imaging the SFR module on an ASA resets everything to factory default. Normally, it's done when something has gone horribly wrong or the module is not behaving correctly, e.g. FMC cannot contact the module after ticking all the boxes. All upgrades to SFR should be performed using FMC or other managers. Re-imaging should not be performed as a quick alternative.

 

Checklist before performing re-image: 

  • FTP server accessible by ASA and SFR Management Interface
  • Firepower boot image (eg: asasfr-5500x-boot-6.2.3-4.img)
  • Firepower software image (eg: asasfr-sys-6.2.3-83.pkg)

 

Steps to re-image: 

  • Copy the boot image into the flash of the ASA and verify hash.

copy /noconfirm ftp://x:x@y.y.y.y/asasfr-5500x-boot-6.2.3-4.img disk0:

verify /md5 disk0:asasfr-5500x-boot-6.2.3-4.img

  • Shut down and uninstall the existing SFR module, if present

sw-module module sfr shutdown

sw-module module sfr uninstall

  • Set boot image for the module using recover command

sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.2.3-4.img

sw-module module sfr recover boot

  • Enable module debug on the ASA to view the recovery process

debug module-boot

At this stage wait approximately 5 to 15 minutes for the ASA SFR module to boot up, and then open a console session to the operational ASA SFR boot image.

session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.

Cisco FirePOWER Services Boot Image 6.2.3

asasfr login: admin
Password: Admin123

Cisco FirePOWER Services Boot 6.2.3 (4)
Type ? for list of commands

asasfr-boot>setup

Configure as prompted ……….
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue… Enter

  • Now the software image can be installed.

system install noconfirm ftp://x:x@y.y.y.y/asasfr-sys-6.2.3-83.pkg

Verifying

Downloading

Extracting

Package Detail
Description: Cisco ASA-SFR 6.2.3-83 System Install
Requires reboot: Yes

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

………………………………………………………………………………………………….

…………………………………………………………………………………………………..

  • When the installation is complete, the module reboots. Allow ten or more minutes for the application component installation and for the ASA SFR services to start. The output of the show module sfr command should indicate that all processes are Up. This can take from 45 mins to 3 hours.
  • Once the install is complete, verify the status of the module using

show module

  • Connect to the SFR once up and configure again.

session sfr

Opening command session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.

Cisco FirePOWER Services Boot Image 6.2.3

asasfr login: admin
Password: Admin123

Configure as prompted ……….

  • Once the configuration is complete, test connectivity to the SFR module using ping. Ping from the SFR is not enabled by default but can be enabled using the commands below.

expert

sudo chmod u+s /bin/ping

Password: [Admin-Password]

ping 8.8.8.8
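
The hash check in the first step only proves something when the digest is compared against the checksum published with the image. As an added example (not from the original post), the Python below compares the published value, the copy staged on the FTP server and the digest pasted from the ASA's verify /md5 output; the function names, the assumed "verify /MD5 (path) = digest" output layout and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import re

# Digest line printed after the "!!!!...Done!" progress output (assumed layout).
_VERIFY_RE = re.compile(
    r"verify\s+/MD5\s+\((?P<path>[^)]+)\)\s*=\s*(?P<digest>[0-9a-f]{32})\b",
    re.IGNORECASE,
)


def file_md5(path, chunk_size=1 << 20):
    """MD5 of a local file, read in chunks so large images do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_asa_verify(output):
    """Return (flash_path, md5_hex) from pasted verify /md5 output, or raise."""
    match = _VERIFY_RE.search(output)
    if match is None:
        raise ValueError("no 'verify /MD5 (...) = <digest>' line found")
    return match.group("path"), match.group("digest").lower()


def check_image(published_md5, staged_md5, asa_output):
    """Compare published, FTP-staged and on-flash digests; list each mismatch."""
    published = published_md5.strip().lower()
    _, flash = parse_asa_verify(asa_output)
    problems = []
    if not hmac.compare_digest(staged_md5.strip().lower(), published):
        problems.append("FTP-staged file differs from published checksum")
    if not hmac.compare_digest(flash, published):
        problems.append("image on disk0: differs from published checksum")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample: stand-in bytes, not a real Cisco image or checksum.
    with tempfile.NamedTemporaryFile(suffix=".img") as tmp:
        tmp.write(b"constructed stand-in for the boot image")
        tmp.flush()
        staged = file_md5(tmp.name)
    pasted = "!!!!!!Done!\nverify /MD5 (disk0:/asasfr-5500x-boot-6.2.3-4.img) = " + staged
    print(check_image(staged, staged, pasted) or "all three digests match")
```

An empty result means the file survived both the download to the FTP server and the copy to flash; a single entry tells you which hop to repeat before running the recover commands.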

 

 
