Clean install Firepower module 6.2.3.1 on ASA5506X

Hi folks,

In this post I’m going to show you how to perform a clean install of the Firepower module on an ASA5506X. It is an easy task but takes some time to complete since the box is not as powerful as its bigger brothers.

Start downloading the necessary software elements from the Cisco site:

asasfr-5500x-boot-6.2.3-4.img
asasfr-sys-6.2.3-83.pkg
asdm-792-152.bin
Cisco_Network_Sensor_Patch-6.2.3.1-43.sh.REL.tar

I included the latest ASDM version to avoid compatibility issues. The ASA is already running the latest ASA version “asa992-lfbff-k8.SPA”

Prior to start the process, I recommend enabling the following debug commands for having full visibility on what’s going on in the background:

debug sfr error
debug sfr events
debug sfr messages
debug cplane
debug module-boot

Start uninstalling the existing Firepower instance running on the ASA:

sw-module module sfr shutdown

Once the module is down uninstall it:

sw-module module sfr uninstall

Ensure the physical management interface has no IP nor security configuration. This interface will act as a bridge between the internal Firepower management and your physical network, so make sure the interface is cabled and connected to the same subnet as your internal ASA subnet.

Copy the Firepower image file to the ASA disk0 using a TFTP client and issue the following command to configure the base image and boot it:

copy tftp://10.14.14.9/asasfr-5500x-boot-6.2.3-4.img disk0:/asasfr-5500x-boot-6.2.3-4.img
sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.2.3-4.img
sw-module module sfr recover boot

Right after issuing the previous command you’ll start seeing the debug messages generated by the module.

Mod-sfr 47> *** EVENT: Disk Image created successfully.
Mod-sfr 48> *** TIME: 15:29:48 CEDT May 20 2018
Mod-sfr 49> ***
Mod-sfr 50> ***
Mod-sfr 51> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0/
Mod-sfr 52> asasfr-5500x-boot-6.2.3-4.img, Num CPUs: 3, RAM: 2249MB, Mgmt MAC: F8:0B:CB:C5:02:A
Mod-sfr 53> D, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio, Dev D
Mod-sfr 54> ***
Mod-sfr 55> *** EVENT: Start Parameters Continued: RegEx Shared Mem: 0MB, Cmd Op: r, Shared Mem
Mod-sfr 56> Key: 8061, Shared Mem Size: 16, Log Pipe: /dev/ttyS0_vm1, Sock: /dev/ttyS1_vm1, Me
Mod-sfr 57> m-Path: -mem-path /hugepages
Mod-sfr 58> *** TIME: 15:29:48 CEDT May 20 2018
Mod-sfr 59> ***
Mod-sfr 60> Status: Mapping host 0x2aab37e00000 to VM with size 16777216
Mod-sfr 61> Warning: vlan 0 is not connected to host network
Mod-sfr 62> ISOLINUX 3.73 2009-01-25 Copyright (C) 1994-2008 H. Peter Anvin
Mod-sfr 63> Cisco SFR-BOOT-IMAGE and CX-BOOT-IMAGE for SFR - 6.2.3
Mod-sfr 64> (WARNING: ALL DATA ON DISK 1 WILL BE LOST)
Mod-sfr 65> Loading bzImage.............................................................
Mod-sfr 66> Loading initramfs.gz...............................................................
Mod-sfr 67> ...................................................................................
Mod-sfr 68> ...................................................................................
Mod-sfr 69> ...................................................................................
Mod-sfr 70> ...................................................................................
Mod-sfr 71> ...................................................................................
Mod-sfr 72> ...................................................................................
Mod-sfr 73> .................................ready.
Mod-sfr 74> [ 0.000000] Initializing cgroup subsys cpuset
Mod-sfr 75> [ 0.000000] Initializing cgroup subsys cpu
Mod-sfr 76> [ 0.000000] Initializing cgroup subsys cpuacct
Mod-sfr 77> [ 0.000000] Linux version 3.10.107sf.cisco-1 (build@1fd5cd658885) (gcc version 4
Mod-sfr 78> .7.1 (GCC) ) #1 SMP PREEMPT Fri Nov 10 17:06:45 UTC 2017
Mod-sfr 79> [ 0.000000] Command line: initrd=initramfs.gz console=ttyS0,9600 BOOT_IMAGE=bzIm
Mod-sfr 80> age 
Mod-sfr 81> [ 0.000000] e820: BIOS-provided physical RAM map:
Mod-sfr 82> [ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Mod-sfr 83> [ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Mod-sfr 84> [ 0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Mod-sfr 85> [ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000008c8fdfff] usable
Mod-sfr 86> [ 0.000000] BIOS-e820: [mem 0x000000008c8fe000-0x000000008c8fffff] reserved
Mod-sfr 87> [ 0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
Mod-sfr 88> [ 0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
Mod-sfr 89> [ 0.000000] NX (Execute Disable) protection: active
Mod-sfr 90> [ 0.000000] SMBIOS 2.4 present.
Mod-sfr 91> [ 0.000000] Hypervisor detected: KVM
Mod-sfr 92> [ 0.000000] No AGP bridge found
Mod-sfr 93> [ 0.000000] e820: last_pfn = 0x8c8fe max_arch_pfn = 0x400000000
Mod-sfr 94> [ 0.000000] PAT not supported by CPU.
Mod-sfr 95> [ 0.000000] found SMP MP-table at [mem 0x000fdac0-0x000fdacf] mapped at [ffff880
Mod-sfr 96> 0000fdac0]
Mod-sfr 97> [ 0.000000] init_memory_mapping: [mem 0x00000000-0x000fffff]
Mod-sfr 98> [ 0.000000] init_memory_mapping: [mem 0x8c600000-0x8c7fffff]
Mod-sfr 99> [ 0.000000] init_memory_mapping: [mem 0x8c000000-0x8c5fffff]
Mod-sfr 100> [ 0.000000] init_memory_mapping: [mem 0x80000000-0x8bffffff]
Mod-sfr 101> [ 0.000000] init_memory_mapping: [mem 0x00100000-0x7fffffff]
Mod-sfr 102> [ 0.000000] init_memory_mapping: [mem 0x8c800000-0x8c8fdfff]
Mod-sfr 103> [ 0.000000] RAMDISK: [mem 0x7db0b000-0x7fffffff]
Mod-sfr 104> [ 0.000000] ACPI: RSDP 0x00000000000FD900 00014 (v00 BOCHS )
Mod-sfr 105> [ 0.000000] ACPI: RSDT 0x000000008C8FE3E0 00034 (v01 BOCHS BXPCRSDT 00000001 B
Mod-sfr 106> XPC 00000001)
Mod-sfr 107> [ 0.000000] ACPI: FACP 0x000000008C8FFF80 00074 (v01 BOCHS BXPCFACP 00000001 B
Mod-sfr 108> XPC 00000001)
Mod-sfr 109> [ 0.000000] ACPI: DSDT 0x000000008C8FE420 011A9 (v01 BXPC BXDSDT 00000001 I
Mod-sfr 110> NTL 20100528)
Mod-sfr 111> [ 0.000000] ACPI: FACS 0x000000008C8FFF40 00040
Mod-sfr 112> [ 0.000000] ACPI: SSDT 0x000000008C8FF740 007F7 (v01 BOCHS BXPCSSDT 00000001 B
Mod-sfr 113> XPC 00000001)
Mod-sfr 114> [ 0.000000] ACPI: APIC 0x000000008C8FF610 00088 (v01 BOCHS BXPCAPIC 00000001 B
Mod-sfr 115> XPC 00000001)
Mod-sfr 116> [ 0.000000] ACPI: HPET 0x000000008C8FF5D0 00038 (v01 BOCHS BXPCHPET 00000001 B
Mod-sfr 117> XPC 00000001)
Mod-sfr 118> [ 0.000000] No NUMA configuration found
Mod-sfr 119> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x000000008c8fdfff]
Mod-sfr 120> [ 0.000000] Initmem setup node 0 [mem 0x00000000-0x8c8fdfff]
Mod-sfr 121> [ 0.000000] NODE_DATA [mem 0x8c8fa000-0x8c8fdfff]
Mod-sfr 122> [ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
Mod-sfr 123> [ 0.000000] kvm-clock: cpu 0, msr 0:8c8f9001, boot clock
Mod-sfr 124> [ 0.000000] Zone ranges:
Mod-sfr 125> [ 0.000000] DMA [mem 0x00001000-0x00ffffff]
Mod-sfr 126> [ 0.000000] DMA32 [mem 0x01000000-0xffffffff]
Mod-sfr 127> [ 0.000000] Normal empty
Mod-sfr 128> [ 0.000000] Movable zone start for each node
Mod-sfr 129> [ 0.000000] Early memory node ranges
Mod-sfr 130> [ 0.000000] node 0: [mem 0x00001000-0x0009efff]
Mod-sfr 131> [ 0.000000] node 0: [mem 0x00100000-0x8c8fdfff]
Mod-sfr 132> [ 0.000000] ACPI: PM-Timer IO Port: 0xb008
Mod-sfr 133> [ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
Mod-sfr 134> [ 0.000000] ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)
Mod-sfr 135> [ 0.000000] ACPI: LAPIC (acpi_id[0x02] lapic_id[0x02] enabled)
Mod-sfr 136> [ 0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
Mod-sfr 137> [ 0.000000] ACPI: IOAPIC (id[0x00] address[0xfec00000] gsi_base[0])
Mod-sfr 138> [ 0.000000] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
Mod-sfr 139> [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
Mod-sfr 140> [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
Mod-sfr 141> [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
Mod-sfr 142> [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
Mod-sfr 143> [ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
Mod-sfr 144> [ 0.000000] Using ACPI (MADT) for SMP configuration information
Mod-sfr 145> [ 0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000
Mod-sfr 146> [ 0.000000] smpboot: Allowing 3 CPUs, 0 hotplug CPUs
Mod-sfr 147> [ 0.000000] e820: [mem 0x8c900000-0xfeffbfff] available for PCI devices
Mod-sfr 148> [ 0.000000] Booting paravirtualized kernel on KVM
Mod-sfr 149> [ 0.000000] setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:3 nr_node_id
Mod-sfr 150> s:1
Mod-sfr 151> [ 0.000000] PERCPU: Embedded 24 pages/cpu @ffff88008c400000 s68672 r8192 d21440
Mod-sfr 152> u524288
Mod-sfr 153> [ 0.000000] kvm-clock: cpu 0, msr 0:8c8f9001, primary cpu clock
Mod-sfr 154> [ 0.000000] KVM setup async PF for cpu 0
Mod-sfr 155> [ 0.000000] kvm-stealtime: cpu 0, msr 8c40ba40
Mod-sfr 156> [ 0.000000] Built 1 zonelists in Node order, mobility grouping on. Total pages
Mod-sfr 157> : 567751
Mod-sfr 158> [ 0.000000] Policy zone: DMA32
Mod-sfr 159> [ 0.000000] Kernel command line: initrd=initramfs.gz console=ttyS0,9600 BOOT_IM
Mod-sfr 160> AGE=bzImage 
Mod-sfr 161> [ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
Mod-sfr 162> [ 0.000000] Checking aperture...
Mod-sfr 163> [ 0.000000] No AGP bridge found
Mod-sfr 164> [ 0.000000] Memory: 2222688k/2302968k available (4805k kernel code, 392k absent
Mod-sfr 165> , 79888k reserved, 2414k data, 896k init)
Mod-sfr 166> [ 0.000000] Preemptible hierarchical RCU implementation.
Mod-sfr 167> [ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=3.
Mod-sfr 168> [ 0.000000] NR_IRQS:4352 nr_irqs:704 16
Mod-sfr 169> [ 0.000000] Console: colour VGA+ 80x25
Mod-sfr 170> [ 0.000000] console [ttyS0] enabled
Mod-sfr 171> [ 0.000000] allocated 9437184 bytes of page_cgroup
Mod-sfr 172> [ 0.000000] please try 'cgroup_disable=memory' option if you don't want memory 
Mod-sfr 173> cgroups
Mod-sfr 174> [ 0.000000] tsc: Detected 1249.999 MHz processor
Mod-sfr 175> [ 0.003000] Calibrating delay loop (skipped) preset value.. 2499.99 BogoMIPS (l
Mod-sfr 176> pj=1249999)
Mod-sfr 177> [ 0.004020] pid_max: default: 32768 minimum: 301
Mod-sfr 178> [ 0.005147] Security Framework initialized
Mod-sfr 179> [ 0.008819] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
Mod-sfr 180> [ 0.015037] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
Mod-sfr 181> [ 0.018310] Mount-cache hash table entries: 256
Mod-sfr 182> [ 0.020469] Initializing cgroup subsys memory
Mod-sfr 183> [ 0.022252] Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0
Mod-sfr 184> [ 0.022252] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0
Mod-sfr 185> [ 0.022252] tlb_flushall_shift: 6
Mod-sfr 186> [ 0.024066] Freeing SMP alternatives: 12k freed
Mod-sfr 187> [ 0.028639] ACPI: Core revision 20130328
Mod-sfr 188> [ 0.034332] ACPI: All ACPI Tables successfully acquired
Mod-sfr 189> [ 0.041689] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
Mod-sfr 190> [ 0.042012] smpboot: CPU0: Intel QEMU Virtual CPU version 1.5.0 (fam: 06, model
Mod-sfr 191> : 02, stepping: 03)
Mod-sfr 192> [ 0.047000] Performance Events: unsupported p6 CPU model 2 no PMU driver, softw
Mod-sfr 193> are events only.
Mod-sfr 194> [ 0.054338] smpboot: Booting Node 0, Processors #1[ 0.003000] kvm-clock: 
Mod-sfr 195> cpu 1, msr 0:8c8f9041, secondary cpu clock
Mod-sfr 196> [ 0.071099] KVM setup async PF for cpu 1
Mod-sfr 197> #2 OK
Mod-sfr 198> [ 0.071099] kvm-stealtime: cpu 1, msr 8c48ba40
Mod-sfr 199> [ 0.003000] kvm-clock: cpu 2, msr 0:8c8f9081, secondary cpu clock
Mod-sfr 200> [ 0.090155] Brought up 3 CPUs
Mod-sfr 201> [ 0.090085] KVM setup async PF for cpu 2
Mod-sfr 202> [ 0.090085] kvm-stealtime: cpu 2, msr 8c50ba40
Mod-sfr 203> [ 0.091013] smpboot: Total of 3 processors activated (7499.99 BogoMIPS)
Mod-sfr 204> [ 0.094766] devtmpfs: initialized
Mod-sfr 205> [ 0.097104] NET: Registered protocol family 16
Mod-sfr 206> [ 0.101704] ACPI: bus type PCI registered
Mod-sfr 207> [ 0.104502] PCI: Using configuration type 1 for base access
Mod-sfr 208> [ 0.154126] bio: create slab <bio-0> at 0
Mod-sfr 209> [ 0.158123] ACPI: Added _OSI(Module Device)
Mod-sfr 210> [ 0.159016] ACPI: Added _OSI(Processor Device)
Mod-sfr 211> [ 0.160000] ACPI: Added _OSI(3.0 _SCP Extensions)
Mod-sfr 212> [ 0.160000] ACPI: Added _OSI(Processor Aggregator Device)
Mod-sfr 213> [ 0.168850] ACPI: Interpreter enabled
Mod-sfr 214> [ 0.169027] ACPI: (supports S0 S5)
Mod-sfr 215> [ 0.170000] ACPI: Using IOAPIC for interrupt routing
Mod-sfr 216> [ 0.170257] PCI: Using host bridge windows from ACPI; if necessary, use "pci=no
Mod-sfr 217> crs" and report a bug
Mod-sfr 218> [ 0.172688] ACPI: No dock devices found.
Mod-sfr 219> [ 0.203713] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
Mod-sfr 220> [ 0.204030] acpi PNP0A03:00: ACPI _OSC support notification failed, disabling P
Mod-sfr 221> CIe ASPM
Mod-sfr 222> [ 0.205000] acpi PNP0A03:00: Unable to request _OSC control (_OSC support mask:
Mod-sfr 223> 0x08)
Mod-sfr 224> [ 0.205469] acpi PNP0A03:00: fail to add MMCONFIG information, can't access ext
Mod-sfr 225> ended PCI configuration space under this bridge.
Mod-sfr 226> [ 0.208169] PCI host bridge to bus 0000:00
Mod-sfr 227> [ 0.209019] pci_bus 0000:00: root bus resource [bus 00-ff]
Mod-sfr 228> [ 0.210000] pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7]
Mod-sfr 229> [ 0.210000] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff]
Mod-sfr 230> [ 0.210000] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff]
Mod-sfr 231> [ 0.211016] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfffff]
Mod-sfr 232> [ 0.230881] pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
Mod-sfr 233> [ 0.231056] pci 0000:00:01.3: quirk: [io 0xb100-0xb10f] claimed by PIIX4 SMB
Mod-sfr 234> [ 0.335431] ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)
Mod-sfr 235> [ 0.338885] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
Mod-sfr 236> [ 0.340000] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
Mod-sfr 237> [ 0.340000] ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)
Mod-sfr 238> [ 0.342880] ACPI: PCI Interrupt Link [LNKS] (IRQs *9)
Mod-sfr 239> [ 0.345920] ACPI: Enabled 16 GPEs in block 00 to 0F
Mod-sfr 240> [ 0.348990] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,l
Mod-sfr 241> ocks=none
Mod-sfr 242> [ 0.349016] vgaarb: loaded
Mod-sfr 243> [ 0.350000] vgaarb: bridge control possible 0000:00:02.0
Mod-sfr 244> [ 0.351938] SCSI subsystem initialized
Mod-sfr 245> [ 0.352014] ACPI: bus type ATA registered
Mod-sfr 246> [ 0.356711] ACPI: bus type USB registered
Mod-sfr 247> [ 0.359190] usbcore: registered new interface driver usbfs
Mod-sfr 248> [ 0.362124] usbcore: registered new interface driver hub
Mod-sfr 249> [ 0.365145] usbcore: registered new device driver usb
Mod-sfr 250> [ 0.368692] pps_core: LinuxPPS API ver. 1 registered
Mod-sfr 251> [ 0.370009] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giomett
Mod-sfr 252> i <giometti@linux.it>
Mod-sfr 253> [ 0.372220] PTP clock support registered
Mod-sfr 254> [ 0.374342] PCI: Using ACPI for IRQ routing
Mod-sfr 255> [ 0.377796] NetLabel: Initializing
Mod-sfr 256> [ 0.378011] NetLabel: domain hash size = 128
Mod-sfr 257> [ 0.379000] NetLabel: protocols = UNLABELED CIPSOv4
Mod-sfr 258> [ 0.379000] NetLabel: unlabeled traffic allowed by default
Mod-sfr 259> [ 0.379000] HPET: 3 timers in total, 0 timers will be used for per-cpu timer
Mod-sfr 260> [ 0.379000] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
Mod-sfr 261> [ 0.379000] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
Mod-sfr 262> [ 0.385411] amd_nb: Cannot enumerate AMD northbridges
Mod-sfr 263> [ 0.387012] Switching to clocksource kvm-clock
Mod-sfr 264> [ 0.390595] pnp: PnP ACPI init
Mod-sfr 265> [ 0.392135] ACPI: bus type PNP registered
Mod-sfr 266> [ 0.398878] pnp: PnP ACPI: found 8 devices
Mod-sfr 267> [ 0.400876] ACPI: bus type PNP unregistered
Mod-sfr 268> [ 0.444344] NET: Registered protocol family 2
Mod-sfr 269> [ 0.447550] TCP established hash table entries: 32768 (order: 7, 524288 bytes)
Mod-sfr 270> [ 0.452147] TCP bind hash table entries: 32768 (order: 7, 524288 bytes)
Mod-sfr 271> [ 0.455530] TCP: Hash tables configured (established 32768 bind 32768)
Mod-sfr 272> [ 0.458687] TCP: reno registered
Mod-sfr 273> [ 0.460276] UDP hash table entries: 2048 (order: 4, 65536 bytes)
Mod-sfr 274> [ 0.463125] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes)
Mod-sfr 275> [ 0.466489] NET: Registered protocol family 1
Mod-sfr 276> [ 0.469201] RPC: Registered named UNIX socket transport module.
Mod-sfr 277> [ 0.471972] RPC: Registered udp transport module.
Mod-sfr 278> [ 0.474201] RPC: Registered tcp transport module.
Mod-sfr 279> [ 0.476426] RPC: Registered tcp NFSv4.1 backchannel transport module.
Mod-sfr 280> [ 0.479414] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
Mod-sfr 281> [ 0.482206] pci 0000:00:01.0: PIIX3: Enabling Passive Release
Mod-sfr 282> [ 0.484938] pci 0000:00:01.0: Activating ISA DMA hang workarounds
Mod-sfr 283> [ 0.488320] Trying to unpack rootfs image as initramfs...
Mod-sfr 284> [ 2.723443] Freeing initrd memory: 37844k freed
Mod-sfr 285> [ 2.749608] microcode: CPU0 sig=0x623, pf=0x0, revision=0x1
Mod-sfr 286> [ 2.752302] microcode: CPU1 sig=0x623, pf=0x0, revision=0x1
Mod-sfr 287> [ 2.754941] microcode: CPU2 sig=0x623, pf=0x0, revision=0x1
Mod-sfr 288> [ 2.757965] microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co
Mod-sfr 289> .uk>, Peter Oruba
Mod-sfr 290> [ 2.765177] HugeTLB registered 2 MB page size, pre-allocated 0 pages
Mod-sfr 291> [ 2.769086] VFS: Disk quotas dquot_6.5.2
Mod-sfr 292> [ 2.771094] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
Mod-sfr 293> [ 2.775717] NFS: Registering the id_resolver key type
Mod-sfr 294> [ 2.778137] Key type id_resolver registered
Mod-sfr 295> [ 2.780109] Key type id_legacy registered
Mod-sfr 296> [ 2.782541] msgmni has been set to 4415
Mod-sfr 297> [ 2.787083] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251
Mod-sfr 298> [ 2.790547] io scheduler noop registered
Mod-sfr 299> [ 2.792411] io scheduler deadline registered
Mod-sfr 300> [ 2.794583] io scheduler cfq registered (default)
Mod-sfr 301> [ 2.799982] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input
Mod-sfr 302> [ 2.803425] ACPI: Power Button [PWRF]
Mod-sfr 303> [ 2.814473] ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 11
Mod-sfr 304> [ 2.820727] ACPI: PCI Interrupt Link [LNKA] enabled at IRQ 10
Mod-sfr 305> [ 2.827646] ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 11
Mod-sfr 306> [ 2.836584] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
Mod-sfr 307> [ 2.867594] 00:05: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Mod-sfr 308> [ 2.898649] 00:06: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Mod-sfr 309> [ 2.905482] Non-volatile memory driver v1.3
Mod-sfr 310> [ 2.907484] Linux agpgart interface v0.103
Mod-sfr 311> [ 2.910796] [drm] Initialized drm 1.1.0 20060810
Mod-sfr 312> [ 2.914401] Floppy drive(s): fd0 is 1.44M, fd1 is 1.44M
Mod-sfr 313> [ 2.926135] brd: module loaded
Mod-sfr 314> [ 2.929550] FDC 0 is a S82078B
Mod-sfr 315> [ 2.935196] loop: module loaded
Mod-sfr 316> [ 2.942913] vda: vda1 vda2 vda3 < vda5 vda6 vda7 >
Mod-sfr 317> [ 2.953346] Loading iSCSI transport class v2.0-870.
Mod-sfr 318> [ 2.967716] scsi0 : ata_piix
Mod-sfr 319> [ 2.970113] scsi1 : ata_piix
Mod-sfr 320> [ 2.972137] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0c0 irq 14
Mod-sfr 321> [ 2.975261] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0c8 irq 15
Mod-sfr 322> [ 2.979356] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
Mod-sfr 323> [ 2.982310] e100: Copyright(c) 1999-2006 Intel Corporation
Mod-sfr 324> [ 2.985143] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.0.3-k
Mod-sfr 325> [ 2.988322] igb: Copyright (c) 2007-2013 Intel Corporation.
Mod-sfr 326> [ 2.991156] Fusion MPT base driver 3.04.20
Mod-sfr 327> [ 2.993110] Copyright (c) 1999-2008 LSI Corporation
Mod-sfr 328> [ 2.995395] Fusion MPT SPI Host driver 3.04.20
Mod-sfr 329> [ 2.997698] Fusion MPT FC Host driver 3.04.20
Mod-sfr 330> [ 2.999955] Fusion MPT SAS Host driver 3.04.20
Mod-sfr 331> [ 3.002879] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Mod-sfr 332> [ 3.005921] ehci-pci: EHCI PCI platform driver
Mod-sfr 333> [ 3.008262] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Mod-sfr 334> [ 3.011311] uhci_hcd: USB Universal Host Controller Interface driver
Mod-sfr 335> [ 3.014712] usbcore: registered new interface driver usblp
Mod-sfr 336> [ 3.017515] usbcore: registered new interface driver usb-storage
Mod-sfr 337> [ 3.020703] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 
Mod-sfr 338> irq 1,12
Mod-sfr 339> [ 3.026754] serio: i8042 KBD port at 0x60,0x64 irq 1
Mod-sfr 340> [ 3.029233] serio: i8042 AUX port at 0x60,0x64 irq 12
Mod-sfr 341> [ 3.032605] mousedev: PS/2 mouse device common for all mice
Mod-sfr 342> [ 3.037709] input: AT Translated Set 2 keyboard as /devices/platform/i8042/seri
Mod-sfr 343> o0/input/input1
Mod-sfr 344> [ 3.041708] rtc_cmos 00:00: RTC can wake from S4
Mod-sfr 345> [ 3.046060] rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0
Mod-sfr 346> [ 3.049610] rtc_cmos 00:00: alarms up to one day, 114 bytes nvram, hpet irqs
Mod-sfr 347> [ 3.053361] i2c /dev entries driver
Mod-sfr 348> [ 3.055862] md: raid1 personality registered for level 1
Mod-sfr 349> [ 3.059498] device-mapper: ioctl: 4.24.0-ioctl (2013-01-15) initialised: dm-dev
Mod-sfr 350> el@redhat.com
Mod-sfr 351> [ 3.063392] cpuidle: using governor ladder
Mod-sfr 352> [ 3.066870] hidraw: raw HID events driver (C) Jiri Kosina
Mod-sfr 353> [ 3.078644] usbcore: registered new interface driver usbhid
Mod-sfr 354> [ 3.081393] usbhid: USB HID core driver
Mod-sfr 355> [ 3.083396] ipip: IPv4 over IPv4 tunneling driver
Mod-sfr 356> [ 3.086821] TCP: cubic registered
Mod-sfr 357> [ 3.088440] Initializing XFRM netlink socket
Mod-sfr 358> [ 3.090764] NET: Registered protocol family 10
Mod-sfr 359> [ 3.093706] NET: Registered protocol family 17
Mod-sfr 360> [ 3.095867] Key type dns_resolver registered
Mod-sfr 361> [ 3.099358] registered taskstats version 1
Mod-sfr 362> [ 3.102539] console [netcon0] enabled
Mod-sfr 363> [ 3.104270] netconsole: network logging started
Mod-sfr 364> [ 3.133367] ata1.00: ATA-7: QEMU HARDDISK, 1.5.0, max UDMA/100
Mod-sfr 365> [ 3.136133] ata1.00: 6291456 sectors, multi 16: LBA48 
Mod-sfr 366> [ 3.139781] ata1.00: configured for MWDMA2
Mod-sfr 367> [ 3.141785] ata2.00: ATAPI: QEMU DVD-ROM, 1.5.0, max UDMA/100
Mod-sfr 368> [ 3.141986] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK 1.5. PQ: 
Mod-sfr 369> 0 ANSI: 5
Mod-sfr 370> [ 3.142888] sd 0:0:0:0: [sda] 6291456 512-byte logical blocks: (3.22 GB/3.00 Gi
Mod-sfr 371> B)
Mod-sfr 372> [ 3.143172] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 373> [ 3.143255] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn'
Mod-sfr 374> t support DPO or FUA
Mod-sfr 375> [ 3.159184] ata2.00: configured for MWDMA2
Mod-sfr 376> [ 3.160908] sd 0:0:0:0: Attached scsi generic sg0 type 0
Mod-sfr 377> [ 3.162451] sda: unknown partition table
Mod-sfr 378> [ 3.163325] sd 0:0:0:0: [sda] Attached SCSI disk
Mod-sfr 379> [ 3.169427] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 1.5. PQ: 
Mod-sfr 380> 0 ANSI: 5
Mod-sfr 381> [ 3.174796] sr0: scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
Mod-sfr 382> [ 3.177394] cdrom: Uniform CD-ROM driver Revision: 3.20
Mod-sfr 383> [ 3.182413] sr 1:0:0:0: Attached scsi generic sg1 type 5
Mod-sfr 384> [ 3.185770] Freeing unused kernel memory: 896k freed
Mod-sfr 385> INIT: version 2.86 booting
Mod-sfr 386> Please wait: booting...
Mod-sfr 387> mount: sysfs already mounted or /sys busy
Mod-sfr 388> mount: according to mtab, sysfs is already mounted on /sys
Mod-sfr 389> Starting udev [ 3.478938] udevd (765): /proc/765/oom_adj is deprecated, please 
Mod-sfr 390> use /proc/765/oom_score_adj instead.
Mod-sfr 391> [ 3.483265] udevd version 124 started
Mod-sfr 392> [ 3.681920] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/s
Mod-sfr 393> erio1/input/input2
Mod-sfr 394> [ 3.747189] tsc: Refined TSC clocksource calibration: 1249.999 MHz

cp_connect: Error - cp_connect() returned -1
cp_check_connection: handle -1, conflicts with connection 1 (-1)
cp_check_connection: handle -1, conflicts with connection 2 (-1)
cp_check_connection: handle -1, conflicts with connection 3 (-1)
cp_update_connection: Error updating connection_id 0Mod-sfr 395> [ 4.478112] end_request: I/O error, dev fd0, sector 0
Mod-sfr 396> [ 4.501112] end_request: I/O error, dev fd0, sector 0
Mod-sfr 397> and populating dev cache 
Mod-sfr 398> Root filesystem already rw, not remounting
Mod-sfr 399> Configuring network interfaces... done.
Mod-sfr 400> net.ipv4.conf.default.rp_filter = 1
Mod-sfr 401> net.ipv4.conf.all.rp_filter = 1
Mod-sfr 402> Configuring kvm-ivshmem
Mod-sfr 403> Configuring busybox-syslog
Mod-sfr 404> System startup links for /etc/init.d/sysklogd already exist.
Mod-sfr 405> Configuring openssh-sshd
Mod-sfr 406> Adding system startup for /etc/init.d/sshd.
Mod-sfr 407> Configuring sudo
Mod-sfr 408> Configuring ntpdate
Mod-sfr 409> adding crontab
Mod-sfr 410> Configuring update-modules
Mod-sfr 411> INIT: Entering runlevel: 5
Mod-sfr 412> Starting OpenBSD Secure Shell server: sshd
Mod-sfr 413> generating ssh RSA key...
Mod-sfr 414> generating ssh DSA key...
Mod-sfr 415> done.
Mod-sfr 416> Starting Advanced Configuration and Power Interface daemon: acpid.
Mod-sfr 417> acpid: starting up with proc fs
Mod-sfr 418> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 419> starting Busybox inetd: inetd... done.
Mod-sfr 420> Starting ntpd: done
Mod-sfr 421> Starting syslogd/klogd: done
Mod-sfr 422> Cisco FirePOWER Services Boot Image 6.2.3

Last line informs that the module has been configured and you can connect using the console for the initial network setup. Default Firepower module credentials are “admin/Admin123″. At this stage remember to configure the module with an IP address in the same subnet than your internal network. You will need reachability between your management computer and the Firepower module.

session sfr console

Now download and install the Firepower package using a FTP client this time instead of TFTP. Make sure you have connected your ASA management interface to the same VLAN where the FTP server is running. Issue a ping for double check. Review local OS firewall if necessary.

Run the command system install ftp://10.14.14.9/asasfr-sys-6.2.3-83.pkg (replace with your FTP client IP) and the Firepower package will be downloaded into the box and installed. At the end of the process you will have to reboot the module only. It does not affect to the normal ASA function.

Now it’s time to be patient. The process can take up to 45 min. Once the process is finished you’ll see the Firepower module ready again. Issue the command show module sfr to review the status:

Ok, so far we have the major version installed, let’s apply the latest patch available. For this task we will leverage ASDM. Upload the previously downloaded patch to the module using the Firepower update section:

Now click on “Install” and wait for almost 1 hour to run the script until the module is availabile again. You can review the progress on the tasks pop-up: