David Haycox
asked on
FirePOWER configuration not available on new ASA 5506-X
We have a new Cisco ASA 5506-X. We have it connected up as per the supplied diagram (Management 1/1 connected to GE1/3) and are able to access the ASDM and CLI as normal. However, this device has "FirePOWER Services" but we are unable to see how to configure this. According to the quick start guide (https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html), we run the Startup Wizard and should get to the "ASA FirePOWER Basic Configuration"; however, this does not appear.
Here is our "show version":
Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.9(2)
Compiled on Sun 25-Mar-18 17:29 PDT by builders
System image file is "disk0:/asa992-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 20 mins 29 secs
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
The ASA is on its default IP of 192.168.1.1. We have reset it to factory defaults and upgraded both ASA and ASDM to no effect.
How can we configure the FirePower services?
ASKER
Thanks. Response doesn't look good to the "show module" command:
ciscoasa(config)# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD194xxx
sfr Unknown N/A JAD194xxx
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 84b2.xxxx.4d22 to 84b2.xxxx.4d2b 1.0 1.1.12 9.9(2)
sfr 84b2.xxxx.4d21 to 84b2.xxxx.4d21 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Unresponsive Not Applicable
How long has the firewall been up - they take AGES to start properly? Give it a good 20 minutes; if it still won't come up, don't panic, you can re-image it.
Re-Image and Update the Cisco FirePOWER Services Module
Pete
ASKER
Yes, it hadn't been up that long. Have now started a re-image, currently it's showing:
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Recover Not Applicable
... which I guess means it's working?
Also we formatted the flash and so lost the licence key, but that's another story...
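An added example, not part of the thread: a Python check that reads the "Mod Status" table of "show module" by its dash ruler and classifies the sfr row, so a FirePOWER module that is not inspecting traffic gets flagged. The sample table is constructed to the ruler's column widths (the copy on this page has collapsed whitespace), the function names are hypothetical, and treating "Up" as the healthy sfr state is an assumption because the thread never shows it.

```python
import re

WIDTHS = (4, 18, 21, 13)  # dash-run widths of the ruler under "Mod Status ..."
_ROW = " ".join("{:<%d}" % w for w in WIDTHS)

def make_sample(sfr_status):
    """Constructed 'show module' status table, aligned to the ruler."""
    return "\n".join([
        _ROW.format("Mod", "Status", "Data Plane Status", "Compatibility"),
        " ".join("-" * w for w in WIDTHS),
        _ROW.format("1", "Up Sys", "Not Applicable", ""),
        _ROW.format("sfr", sfr_status, "Not Applicable", ""),
    ])

def parse_status_table(text):
    """Return {module: {column: value}} for the 'Mod Status' table."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.split()[:2] == ["Mod", "Status"]:
            break
    else:
        return {}
    # Each run of dashes in the ruler marks one fixed-width column.
    spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
    if not spans:
        return {}
    names = [lines[i][a:b].strip() for a, b in spans]
    table = {}
    for row in lines[i + 2:]:
        if not row.strip():
            break  # a blank line ends the table
        cells = [row[a:b].strip() for a, b in spans]
        table[cells[0]] = dict(zip(names[1:], cells[1:]))
    return table

def sfr_health(text):
    """Classify the FirePOWER (sfr) module from 'show module' output."""
    row = parse_status_table(text).get("sfr")
    if row is None:
        return "absent"
    status = row.get("Status", "")
    if status == "Up":        # assumed healthy value; not shown in the thread
        return "ok"
    if status == "Recover":   # re-image in progress, as in the thread
        return "reimaging"
    return "alert"            # e.g. "Unresponsive"

if __name__ == "__main__":
    for s in ("Unresponsive", "Recover", "Up"):
        print(s, "->", sfr_health(make_sample(s)))
```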
Hi David,
Reimaging the SFR takes hours!!! Leave it running overnight bud :) It won't affect the firewall traffic.
>>Also we formatted the flash and so lost the licence key,
If you have the chassis number you can get the activation key from Cisco.
ASKER
>>If you have the chassis number you can get the activation key from Cisco.
Even if you don't have a contract and bought it second hand?
Mmm - depends on what sort of mood front line support are in!
This might work
1. Create a Cisco CCO account (this is free).
2. Go to http://www.cisco.com/web/go/license
3. Log in.
4. You need to register a licence, there will be an option that looks like "I don't have a PAK"; click that.
5. Look for Cisco ASA 3DES/AES Licence > click that.
6. Enter your chassis number (from show version).
7. You will be emailed an activation key.
8. On the ASA, drop to config mode, and enter the new activation key.
9. Sit back, light your pipe, and admire your handiwork.
Pete
ASKER
Yes, that worked! However, the licence shows up as base (but with 3DES and so forth, which it didn't have before) whereas it should be Security Plus.
Not sure what to do next; raise a support request?
The SFR is (presumably) happily reimaging, by the way. Will leave it overnight as you suggest.
>>Not sure what to do next; raise a support request?
Yes, they've just given you a licence and it's wrong! You can complain now that their licence broke your firewall!
>> Will leave it overnight as you suggest.
Yes, they take ages; I update them as soon as they come in now while I'm doing other things.
ASKER
Excellent, thanks!
Cisco ASA 5506-X: Bridged BVI Interface
Pete