FirePOWER configuration not available on new ASA 5506-X

We have a new Cisco ASA 5506-X.  We have it connected up as per the supplied diagram (Management 1/1 connected to GE1/3) and are able to access the ADSM and CLI as normal.  However, this device has "FirePOWER Services" but we are unable to see how to configure this.  According to the quick start guide (https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html), we run the Startup Wizard and should get to the "ASA FirePOWER Basic Configuration"; however, this does not appear.

Here is our "show version":

Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.9(2)

Compiled on Sun 25-Mar-18 17:29 PDT by builders
System image file is "disk0:/asa992-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 20 mins 29 secs

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Open in new window


The ASA is on its default IP of 192.168.1.1.   We have reset it to factory defaults and upgraded both ASA and ASDM to no effect.
How can we configure the FirePower services?
LVL 2
David HaycoxAsked:
Who is Participating?
 
Pete LongTechnical ConsultantCommented:
0
 
Pete LongTechnical ConsultantCommented:
You might want to turn the BVI off as well (I hate that!)

Cisco ASA 5506-X: Bridged BVI Interface


Pete
0
 
David HaycoxAuthor Commented:
Thanks.  Response doesn't look good to the "show module" command:
ciscoasa(config)# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD194xxx
 sfr Unknown                                      N/A                JAD194xxx

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 84b2.xxxx.4d22 to 84b2.xxxx.4d2b  1.0          1.1.12       9.9(2)
 sfr 84b2.xxxx.4d21 to 84b2.xxxx.4d21  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

Open in new window

0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

REGISTER NOW
 
Pete LongTechnical ConsultantCommented:
How long has the firewall been up - they take AGES to start properly? Give it a good 20 minutes, if it still wont come up, don't panic, you can re-image it

Re-Image and Update the Cisco FirePOWER Services Module


Pete
0
 
David HaycoxAuthor Commented:
Yes, it hadn't been up that long.  Have now started a re-image, currently it's showing:

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Recover            Not Applicable

Open in new window


... which I guess means it's working?

Also we formatted the flash and so lost the licence key, but that's another story...
0
 
Pete LongTechnical ConsultantCommented:
Hi David,

Reimaging the SFR takes hours!!! leave it running overnight bud :) It wont effect the firewall traffic.

>>Also we formatted the flash and so lost the licence key,

If you have the chassis number you can get the activation key from Cisco.
0
 
David HaycoxAuthor Commented:
>>If you have the chassis number you can get the activation key from Cisco.

Even if you don't have a contract and bought it second hand?
0
 
Pete LongTechnical ConsultantCommented:
Mmm - depends on what sort of mood front line support are in!

This might work

1. Create a Cisco CCO account (this is free).
2. Go to http://www.cisco.com/web/go/license
3. Log in.
4. You need to register a licence, there will be an option that looks like "I don't have a PAK' click that.
5. Look for Cisco ASA 3DES/AES Licence > click that.
6. Enter your chassis number (from show version).
7. You will be emailed an activation key.
8. On the ASA, drop to config mode, and enter the new activation key.
9. Sit back light your pipe, and admire your handiwork.

Pete
0
 
David HaycoxAuthor Commented:
Yes, that worked!  However, the licence shows up as base (but with 3DES and so forth, which it didn't have before) whereas it should be Security Plus.

Not sure what to do next; raise a support request?

The SFR is (presumably) happily reimaging, by the way.  Will leave it overnight as you suggest.
0
 
Pete LongTechnical ConsultantCommented:
>>Not sure what to do next; raise a support request?

Yes they've just given you a licence and its wrong! you can complain now that their licence broke your firewall!

>> Will leave it overnight as you suggest.

Yes they take ages, I update them as soon as they come in now while Im doing other things.
0
 
David HaycoxAuthor Commented:
Excellent, thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.

Advertise Here