Hi folks,
In this post I’m going to show you how to perform a clean install of the Firepower module on an ASA5506X. It is an easy task but takes some time to complete since the box is not as powerful as its bigger brothers.
Start by downloading the required software from the Cisco site:
- asasfr-5500x-boot-6.2.3-4.img
- asasfr-sys-6.2.3-83.pkg
- asdm-792-152.bin
- Cisco_Network_Sensor_Patch-6.2.3.1-43.sh.REL.tar
I included the latest ASDM version to avoid compatibility issues. The ASA is already running the latest ASA version “asa992-lfbff-k8.SPA”.
Before starting the process, I recommend enabling the following debug commands to get full visibility into what’s going on in the background:
debug sfr error
debug sfr events
debug sfr messages
debug cplane
debug module-boot
Start by uninstalling the existing Firepower instance running on the ASA:
sw-module module sfr shutdown
Once the module is down, uninstall it:
sw-module module sfr uninstall
Ensure the physical management interface has no IP address or security configuration. This interface will act as a bridge between the internal Firepower management and your physical network, so make sure the interface is cabled and connected to the same subnet as your internal ASA subnet.
Copy the Firepower image file to the ASA disk0 using a TFTP client and issue the following command to configure the base image and boot it:
copy tftp://10.14.14.9/asasfr-5500x-boot-6.2.3-4.img disk0:/asasfr-5500x-boot-6.2.3-4.img
sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.2.3-4.img
sw-module module sfr recover boot
Right after issuing the previous command you’ll start seeing the debug messages generated by the module.
Mod-sfr 417> acpid: starting up with proc fs
Mod-sfr 418> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 419> starting Busybox inetd: inetd... done.
Mod-sfr 420> Starting ntpd: done
Mod-sfr 421> Starting syslogd/klogd: done
Mod-sfr 422> Cisco FirePOWER Services Boot Image 6.2.3
The last line indicates that the module has been configured and you can connect using the console for the initial network setup. The default Firepower module credentials are “admin/Admin123”. At this stage, remember to configure the module with an IP address in the same subnet as your internal network. You will need reachability between your management computer and the Firepower module.
session sfr console
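A way to triage a saved capture of the module debug output described above, as an added example that is not part of the original post: it splits the "Mod-sfr N>" records even when they are run together, reports gaps in the sequence numbers, and returns the boot image version once the final banner has appeared. The sample capture is constructed from lines shown in this post, and the error/fail keyword filter is an assumption, not a Cisco-defined list.

```python
import re

# Each module console record is prefixed "Mod-sfr <seq>> ". Captures pasted from
# a terminal often arrive with many records run together on one physical line.
MARKER = re.compile(r"Mod-sfr (\d+)> ?")
BANNER = re.compile(r"Cisco FirePOWER Services Boot Image (\S+)")
# Heuristic keywords for records worth a second look (assumption).
SUSPECT = re.compile(r"error|fail", re.IGNORECASE)


def split_records(capture):
    """Return [(seq, payload), ...] regardless of how the capture was wrapped."""
    parts = MARKER.split(capture)
    # parts = [text before first marker, seq, payload, seq, payload, ...]
    return [(int(parts[i]), " ".join(parts[i + 1].split()))
            for i in range(1, len(parts), 2)]


def summarize(capture):
    """Condense a capture into the facts needed to judge the recovery boot."""
    records = split_records(capture)
    seqs = [seq for seq, _ in records]
    boot_image = None
    for _, payload in records:
        match = BANNER.search(payload)
        if match:
            boot_image = match.group(1)
    return {
        "records": len(records),
        # Non-consecutive sequence numbers mean part of the output was missed.
        "gaps": [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1],
        "events": [p.split("EVENT:", 1)[1].strip()
                   for _, p in records if "EVENT:" in p],
        "suspect": [(s, p) for s, p in records if SUSPECT.search(p)],
        # Stays None until the boot image banner has been printed.
        "boot_image": boot_image,
    }


# Constructed sample: a few records copied from the output in this post, partly
# run together and with ASA-side cplane debug text glued to the next marker.
SAMPLE = (
    "Mod-sfr 47> *** EVENT: Disk Image created successfully. "
    "Mod-sfr 48> *** TIME: 15:29:48 CEDT May 20 2018 "
    "Mod-sfr 394> [ 3.747189] tsc: Refined TSC clocksource calibration: "
    "1249.999 MHz cp_connect: Error - cp_connect() returned -1 "
    "cp_update_connection: Error updating connection_id 0"
    "Mod-sfr 395> [ 4.478112] end_request: I/O error, dev fd0, sector 0\n"
    "Mod-sfr 421> Starting syslogd/klogd: done\n"
    "Mod-sfr 422> Cisco FirePOWER Services Boot Image 6.2.3\n"
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```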
Now download and install the Firepower package, this time using an FTP client instead of TFTP. Make sure you have connected your ASA management interface to the same VLAN where the FTP server is running. Issue a ping to double-check. Review the local OS firewall if necessary.
Run the command system install ftp://10.14.14.9/asasfr-sys-6.2.3-83.pkg (replace the address with your FTP client IP) and the Firepower package will be downloaded to the box and installed. At the end of the process you only have to reboot the module. This does not affect normal ASA operation.
Now it’s time to be patient. The process can take up to 45 min. Once the process is finished you’ll see the Firepower module ready again. Issue the command show module sfr to review the status:
OK, so far we have the major version installed. Let’s apply the latest patch available. For this task we will leverage ASDM. Upload the previously downloaded patch to the module using the Firepower update section:
Now click on “Install” and wait almost 1 hour for the script to run until the module is available again. You can review the progress in the tasks pop-up:
After a while our Firepower module is up and running again fully updated!
In my next post I’ll show how to perform a patch upgrade and how to recover the module from a stuck-in-recovery status.