Sometimes it is faster to just re-image the firepower module than to go through the step-by-step upgrade process, where you must upgrade to the next release and then apply all the updates. If the module is several releases behind, then this process must be repeated several times. Luckily, in certain scenarios this can be avoided by just re-imaging to the latest Cisco recommended release. This bypasses some of the frustrations with upgrades, such as long waiting times and upgrade errors that can require restarting the upgrade process or even starting from scratch due to a failed upgrade.
Re-imaging is only ideal in certain situations. If the firepower module is already managed by FMC, then obviously all updates should go through the FMC. However, there will be scenarios where standalone firepower modules need to be added to FMC for management. For example, a bigger company buys a smaller company and wants to centralize management via FMC. If the firepower module is incompatible with the FMC version, then the firepower module must be upgraded to a compatible version before it can be added to FMC for management.
Before re-imaging, check the latest Cisco Firepower Compatibility Guide and make sure that the running version of FMC supports the version of firepower that will be upgraded to. Also, check the version of the ASA that will support the upgraded firepower module.
For my situation, the firepower module was on an older version, 5.4(X), and the FMC was running 6.6.5, and the firepower module cannot be managed by the FMC. In this scenario, an upgrade or re-image was necessary.
Version 6.6.X requires a minimum version of 9.5(2) for the ASA.
You will need the following:
- FTP server to copy files to the ASA and for installation of the .pkg.
- A compatible version of ASA and, optionally, ASDM for management
- A Cisco recommended version of firepower software with compatibility with the running version of FMC.
- Console access to the ASA
1. Download the software from Cisco.
Two files are needed:
- The boot image: asasfr-5500x-boot-6.6.5-2.img
- The firepower installation package: asasfr-sys-6.6.5-81.pkg
2. Copy boot .img to the ASA flash drive:
Connect to the ASA using a console session and use the preferred method to copy the boot image to the flash drive of the ASA.
3. Uninstall the current firepower software
4. Set the Boot Image
5. Turn on debug to see the recovery process.
6. Start the recovery process
7. Session into the firepower module and run the setup script to input IP and relevant information.
8. Configure the firepower to install from image path and start the reimage process.
Note: This process normally takes about 1 hour. It can take up to several hours if the upgrade image and the device are not at the same location. For instance, if you are re-imaging remotely via VPN and the image and firepower are not both local, this can take several hours. I was re-imaging remotely with the package downloaded locally on my computer and the re-image took about 4 hours. During the re-image process, at times it will appear that the process has stalled, but it is important not to interrupt the process until it is completely finished. Doing so will require starting from the beginning.
9. Finishing up.
Once the re-image is completed, the firepower will go back to the login screen. Use the default login and password to log into the re-imaged firepower. The firepower will reinitialize the setup script, and it will be necessary to accept the EULA and re-enter the hostname, management IP address and other relevant network information again.
Once the management information is completed, the firepower services module can then be added to FMC.
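Steps 2 through 8 above, written out as an ASA console session. This is an added example, not output captured from the original procedure; the FTP server address 192.0.2.10, the account name ftpuser and the `<password>` placeholder are constructed, and the file names are the two listed in step 1.

```cisco
! Constructed placeholders: FTP server 192.0.2.10, account ftpuser, <password>

! Step 2: copy the boot image to the ASA flash drive
ciscoasa# copy ftp://ftpuser:<password>@192.0.2.10/asasfr-5500x-boot-6.6.5-2.img disk0:/asasfr-5500x-boot-6.6.5-2.img

! Step 3: uninstall the current firepower software
ciscoasa# sw-module module sfr uninstall

! Step 4: set the boot image the module will recover from
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.6.5-2.img

! Step 5: turn on debug so the recovery progress is shown on the console
ciscoasa# debug module-boot

! Step 6: start the recovery; the module boots from the image set in step 4
ciscoasa# sw-module module sfr recover boot

! Check the module status before opening a session to it
ciscoasa# show module sfr

! Step 7: session into the module, log in, and run the setup script
ciscoasa# session sfr console
asasfr-boot> setup

! Step 8: install the system package from the FTP server (starts the re-image)
asasfr-boot> system install ftp://ftpuser:<password>@192.0.2.10/asasfr-sys-6.6.5-81.pkg
```

FTP sends the account name and password in clear text, and the URL form leaves them visible in the console session, so use a dedicated transfer account on a trusted management network and remove it once the re-image is done.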
As always if you have any questions on ASA Firepower for you and your business and would like to schedule a free consultation with us, please reach out to us at email@example.com and we’ll be happy to help!
Rick Wong, Principal Network Architect