Reimaging and System Recovery

This section includes procedures to troubleshoot bootup issues and perform password recovery.

Appliance Mode Failsafe

If the Firepower 1000, Firepower 2100 in Appliance Mode, Secure Firewall 1200, Secure Firewall 3100, or Secure Firewall 4200 fails to boot into ASA, it will boot into FXOS failsafe mode. In this mode, FXOS allows minimal configuration to allow diagnosis and recovery of the system. You can configure the management interface with an IP address, DNS, and NTP so you can download and install the ASA image. Only the management interface can be configured in failsafe mode. When you log into FXOS, use the admin user and the ASA enable password that you set previously.

Firepower 2100 Platform mode allows FXOS configuration of chassis functions at all times.

The procedures in this chapter note Firepower 2100 Appliance Mode and Platform Mode differences.

Perform a Factory Reset (Reset the Password)

If you cannot log into FXOS (either because you forgot the password, or the SSD disk1 file system was corrupted), you can restore the FXOS configuration to the factory default using ROMMON. The admin password is reset to the default Admin123. This procedure also resets the ASA configuration. If you know the password, and want to restore the factory default configuration from within FXOS, see Restore the Factory Default Configuration.

Before you begin

You must have console access for this procedure.

Procedure

Step 1

Connect to the console port, and power on the device. Press Esc during the bootup when prompted to reach the ROMMON prompt.

Pay close attention to the monitor.

Example:


*******************************************************************************
Cisco System ROMMON, Version 1.0.06, RELEASE SOFTWARE
Copyright (c) 1994-2018  by Cisco Systems, Inc.
Compiled Thu 04/06/2018 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point.

Step 2

Perform a factory reset.

rommon 2 > factory-reset

Note

 

For ROMMON version 1.0.04, use the password_reset command; this command was changed to factory-reset in later versions. To verify the ROMMON version, enter show info . 

rommon 1 > show info

Cisco System ROMMON, Version 1.0.06, RELEASE SOFTWARE
Copyright (c) 1994-2018  by Cisco Systems, Inc.
Compiled Wed 11/01/2018 18:38:59.66 by builder

You will be prompted multiple times to confirm that you want to erase your configuration, and then boot up the image.

Note

 

If you are not prompted to boot the image, enter the boot command.

Example:

Firepower 2100 Platform Mode:


rommon 2 > factory-reset
Warning: All configuration will be permanently lost with this operation
         and application will be initialized to default configuration.
         This operation cannot be undone after booting the application image.
 
         Are you sure you would like to continue ? yes/no [no]: yes
         Please type 'ERASE' to confirm the operation or any other value to cancel: ERASE
 
Performing factory reset...
File size is 0x0000001b
Located .boot_string
Image size 27 inode num 16, bks cnt 1 blk size 8*512
 
Rommon will continue to boot disk0: fxos-k8-fp2k-lfbff.2.3.1.132.SSB
Are you sure you would like to continue ? yes/no [no]: yes
File size is 0x0817a870
Located fxos-k8-fp2k-lfbff.2.3.1.132.SSB

Firepower 1000, 2100, Secure Firewall 1200, Secure Firewall 3100 and Secure Firewall 4200 Appliance Mode:

Note

 

During bootup, the system prompts you to log into FXOS and to set the admin password; although you will not cause any harm by logging in, you should continue to wait until it boots up the ASA. You should log in at the ASA prompt, where you will be prompted to change the enable password. It is this enable password that the system uses for the FXOS login. 


rommon 2 > factory-reset
Warning: All configuration will be permanently lost with this operation 
         and application will be initialized to default configuration.
         This operation cannot be undone after booting the application image.
 
         Are you sure you would like to continue ? yes/no [no]: yes
         Please type 'ERASE' to confirm the operation or any other value to cancel: ERASE
 
Performing factory reset...
 
 
Execute 'boot' command afterwards for factory-reset to be initiated.
Use of reset/reboot/reload command will cancel the factory-reset request!
rommon 3 > boot
firepower-2140 login:
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.99.13.1.108__asa_001_JAD200900ZRN2001A1, FLAG=''
Cisco ASA starting ...
[...]
firepower-2140 login: admin (automatic login)
Please wait for Cisco ASA to come online...1...
[...]
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.  
Failed logins since the last login: 0.  
 Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
 
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: *****
Repeat Password: *****
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory

Step 3

If you are not prompted to boot the image, enter the boot command.

Step 4

Complete the setup tasks in the getting started guide.

Boot from ROMMON

If you cannot boot the device, it will boot into ROMMON where you can boot FXOS from a TFTP server or a USB drive formatted as EXT2/3/4 or VFAT/FAT32. After booting into FXOS, you can then reformat the eMMC (the internal flash device that holds the software images). After you reformat, then you need to re-download the images to the eMMC. This procedure retains all configuration, which is stored on the separate ssd1.

The eMMC file system might get corrupted because of a power failure or other rare condition.

Before you begin

You must have console access for this procedure.

Procedure

Step 1

If you cannot boot up, the system will boot into ROMMON.

If it does not automatically boot into ROMMON, press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:


*******************************************************************************
Cisco System ROMMON, Version 1.0.06, RELEASE SOFTWARE
Copyright (c) 1994-2018  by Cisco Systems, Inc.
Compiled Thu 04/06/2018 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point.

Step 2

Boot from an image on a USB drive formatted as EXT2/3/4 or VFAT/FAT32, or boot over the network using TFTP.

Note

 

For 9.12 and earlier, if you boot FXOS from ROMMON, and the currently-installed image is also bootable, make sure you boot the same version as the currently-installed image. Otherwise, an FXOS/ASA version mismatch will cause the ASA to crash. In 9.13 and later, booting FXOS from ROMMON prevents ASA from loading automatically.

If you want to boot from USB:

Note

 

If you insert the USB drive while the system is running, you will need to reboot the system before it will recognize the USB drive.

boot usb:/path/filename

The device boots up to the FXOS CLI. Use the dir usb: command to view the disk contents.

Example:


rommon 1 > dir usb:
rommon 2 > boot usb:/cisco-asa-fp2k.9.20.2.SPA

If you want to boot from TFTP:

Set the network settings for Management 1/1, and load the ASA package using the following ROMMON commands.

address management_ip_address

netmask subnet_mask

server tftp_ip_address

gateway gateway_ip_address

filepath/filename

set

sync

tftpdnld -b

The FXOS image downloads and boots up to the CLI.

See the following information:

  • set —Shows the network settings. You can also use the ping command to verify connectivity to the server.

  • sync —Saves the network settings.

  • tftpdnld -b —Loads FXOS.

Example:


rommon 1 > address 10.86.118.4
rommon 2 > netmask 255.255.252.0
rommon 3 > server 10.86.118.21
rommon 4 > gateway 10.86.118.1
rommon 5 > file cisco-asa-fp2k.9.8.2.SPA
rommon 6 > set
ROMMON Variable Settings:
  ADDRESS=10.86.118.4
  NETMASK=255.255.252.0
  GATEWAY=10.86.118.21
  SERVER=10.86.118.21
  IMAGE=cisco-asa-fp2k.9.8.2.SPA
  CONFIG=
  PS1="rommon ! > "

rommon 7 > sync
rommon 8 > tftpdnld -b
Enable boot bundle: tftp_reqsize = 268435456

             ADDRESS: 10.86.118.4
             NETMASK: 255.255.252.0
             GATEWAY: 10.86.118.21
              SERVER: 10.86.118.1
               IMAGE: cisco-asa-fp2k.9.8.2.SPA
             MACADDR: d4:2c:44:0c:26:00
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp2k.9.8.2.SPA from 10.86.118.21!!!!!!!!
[…]

Ping to troubleshoot connectivity to the server:


rommon 1 > ping 10.86.118.21
Sending 10, 32-byte ICMP Echoes to 10.86.118.21 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 2 >

Step 3

Log in to FXOS using your current admin password.

Note

 

If you do not know your credentials, or cannot log in due to disk corruption, you should perform a factory reset using the ROMMON factory-reset command (see Perform a Factory Reset (Reset the Password)). After performing the factory reset, restart this procedure to boot into FXOS, and log in with the default credentials (admin/Admin123).

Step 4

Reformat the eMMC.

connect local-mgmt

format emmc

Enter yes.

Example:


firepower-2110# connect local-mgmt 
firepower-2110(local-mgmt)# format emmc
All bootable images will be lost.
Do you still want to format? (yes/no):yes

Step 5

Configure the Management interface so you can download the ASA image from a server.

If you use USB, you can skip this step.

  1. Enter the fabric-interconnect scope:

    scope fabric-interconnect a

  2. Set the new management IP information:

    set out-of-band static ip ip netmask netmask gw gateway

  3. Commit the configuration:

    commit-buffer

Example:


firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.1.1.5 netmask 255.255.255.0 gw 10.1.1.1
firepower /fabric-interconnect* # commit-buffer

Note

 

If you encounter the following error, you must disable DHCP before committing the change. Follow the commands below to disable DHCP. 

firepower /fabric-interconnect* # commit-buffer
Error: Update failed: [Management ipv4 address (IP <ip> / net mask <netmask> ) is not in the same network of current DHCP server IP range <ip - ip>.
Either disable DHCP server first or config with a different ipv4 address.]
firepower /fabric-interconnect* # exit
firepower* # scope system
firepower /system* # scope services
firepower /system/services* # disable dhcp-server
firepower /system/services* # commit-buffer

Step 6

Re-download and boot the ASA package.

  1. Download the package. Because you booted temporarily from USB or TFTP, you must still download the image to the local disk.

    scope firmware

    download image url

    show download-task

    Specify the URL for the file being imported using one of the following:

    • ftp://username@server/[path/]image_name

    • scp://username@server/[path/]image_name

    • sftp://username@server/[path/]image_name

    • tftp://server[:port]/[path/]image_name

    • usbA:/path/filename

    Example:

    
firepower-2110# scope firmware
firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-asa-fp2k.9.8.2.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2110 /firmware # show download-task
Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp2k.9.8.2.SPA
              Tftp     10.88.29.21             0                 Downloaded

  2. When the package finishes downloading (Downloaded state), boot the package.

    show package

    scope auto-install

    install security-pack version version

    In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots.

    Example:

    
firepower 2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA                      9.8.2
firepower 2110 /firmware # scope auto-install
firepower 2110 /firmware/auto-install # install security-pack version 9.8.2
The system is currently installed with security software package not set, which has:
   - The platform version: not set
If you proceed with the upgrade 9.8.2, it will do the following:
   - upgrade to the new platform version 2.2.2.52
   - install with CSP asa version 9.8.2
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   If you proceed the system will be re-imaged. All existing configuration will be lost,
   and the default configuration applied.
Do you want to proceed? (yes/no):yes

Triggered the install of software package version 9.8.2
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.

Step 7

Wait for the chassis to finish rebooting (5-10 minutes).

Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: 


firepower-2110# 
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully. 
...

Reformat the SSD File System (Firepower 2100)

If you successfully logged into FXOS, but you see disk corruption error messages, you can reformat SSD1 where the FXOS and ASA configuration is stored. This procedure restores the FXOS configuration to the factory default. For Platform Mode, the admin password is reset to the default Admin123. This procedure also resets the ASA configuration.

This procedure does not apply to other models, which do not allow you to erase the SSD while still retaining the startup image.

Procedure

Step 1

Connect to the FXOS CLI from the console port.

  • Firepower 2100 in Appliance Mode—You connect to ASA initially at the console port. To connect to FXOS, enter the connect fxos admin command.

  • Firepower 2100 in Platform Mode—You connect to FXOS initially at the console port. Login as admin and the admin password.

Step 2

Reformat SSD1.

connect local-mgmt

format ssd1

Example:

Firepower 2100 Appliance Mode:

Note

 

During bootup, the system prompts you to log into FXOS and to set the admin password; although you will not cause any harm by logging in, you should continue to wait until it boots up the ASA. You should log in at the ASA prompt, where you will be prompted to change the enable password. It is this enable password that the system uses for the FXOS login. 


firepower-2110# connect local-mgmt 
firepower-2110(local-mgmt)# format ssd1
All configuration will be lost.
Do you still want to format? (yes/no):yes
Broadcast message from root@firepower-2140 (Fri Aug 16 19:53:45 2019):
All shells being terminated due to system /sbin/reboot
[  457.119988] reboot: Restarting system

[...]

*******************************************************************************
Cisco System ROMMON, Version 1.0.12, RELEASE SOFTWARE
Copyright (c) 1994-2019  by Cisco Systems, Inc.
Compiled Mon 06/17/2019 16:23:23.36 by builder
*******************************************************************************
 
Current image running: Boot ROM0
Last reset cause: ResetRequest (0x00001000)
DIMM_1/1 : Present
DIMM_2/1 : Present
 
Platform FPR-2140 with 65536 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 70:7d:b9:75:23:00
 
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Located '.boot_string' @ cluster 98101.

[...]

Primary SSD discovered
Primary SSD has incorrect partitions
Skipping prompt because disk is blank
Formating Primary SSD...
Creating config partition: START: 1MB END: 1001MB

[...]

firepower-2140 login: 
Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.13.0.33__asa_001_JMX2134Y38S4F4RBT1, FLAG=''
Cisco ASA starting ...
Cisco ASA started successfully.

[...]

INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash
 
INFO: Unable to read cluster interface-mode from flash
        Writing default mode "None" to flash
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
Cisco Adaptive Security Appliance Software Version 9.13.0.33
 
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.  
Failed logins since the last login: 0.  
firepower-2140 login: admin (automatic login)
 
Successful login attempts for user 'admin' : 1
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
 
ciscoasa> enable
The enable password is not set.  Please set it now.
Enter  Password: *****
Repeat Password: *****

Step 3

Complete the setup tasks in the getting started guide.

Restore the Factory Default Configuration

You can restore the FXOS configuration to the factory default. This procedure also resets the ASA deployment and configuration. The admin password is also reset to the default Admin123; but because you perform this procedure in FXOS, you must know the current admin password. If you do not know the admin password, use the procedure in Perform a Factory Reset (Reset the Password).

The admin password is the same as the ASA enable password.

Before you begin

You must have console access for this procedure.

Procedure

Step 1

Connect to the FXOS CLI from the console port.

connect fxos admin

Step 2

Connect to local management:

connect local-mgmt

Example:


firepower-2120# connect local-mgmt
firepower-2120(local-mgmt)#

Step 3

Erase all FXOS configuration, and restore the chassis to its original factory default configuration.

erase configuration

Example:


firepower-2120(local-mgmt)# erase configuration
All configurations will be erased and system will reboot. Are you sure? (yes/no):

Step 4

Confirm that you want to erase the configuration by entering yes at the command prompt.

The system erases all configuration from your chassis and then reboots.

Note

 

During bootup, the system prompts you to log into FXOS and to set the admin password; although you will not cause any harm by logging in, you should continue to wait until it boots up the ASA. You should log in at the ASA prompt, where you will be prompted to change the enable password. It is this enable password that the system uses for the FXOS login.

Perform a Secure Erase

The secure erase feature erases all data on the SSDs so that data cannot be recovered even by using special tools on the SSD itself. You should perform a secure erase when decomissioning the device.

For the Firepower 2100, the software image is not erased, so you can still boot into the ASA. For other models, the software image is erased, so the device will boot into ROMMON, where you can download a new image.

Before you begin

  • For the Firepower 1000, if you reimage from an threat defense to an ASA, you may need to power cycle the device to allow the Secure Erase feature. The Secure Erase feature requires a power cycle after you upgrade to threat defense 6.5 or later, or if you reimage to ASA from threat defense 6.4; a reboot alone is not sufficient.

  • You must have console access for this procedure.

Procedure

Step 1

Connect to the FXOS CLI from the console port.

  • Firepower 2100 in Platform Mode—You connect to FXOS initially at the console port. Login as admin and the admin password.

  • All other models—You connect to ASA initially at the console port. To connect to FXOS, enter the connect fxos admin command.

Step 2

Enter local management.

local-mgmt

Example:


Firepower# connect local-mgmt
Firepower(local-mgmt)#

Step 3

Secure erase the SSDs.

erase secure {all | ssd1 | ssd2}

  • all —Erases all SSDs. The Firepower 2100 or Secure Firewall 3100 includes 2 SSDs, while the Firepower 1000 includes only SSD1.

  • ssd1 —Erases only SSD1.

  • ssd2 —Erases only SSD2.

Step 4

(All models except Firepower 2100 in Platform Mode) You boot into ROMMON. Boot a new image according to Boot from ROMMON.

Perform a Complete Reimage

This procedure reformats the device, and returns it to its factory default settings. After performing this procedure, you must download the new software images. You might want to perform a complete reimage if you are repurposing the device and want to remove both configuration and software images.

Before you begin

  • You must have console access for this procedure.

  • Download the ASA package to a TFTP server or a USB drive formatted as EXT2/3/4 or VFAT/FAT32.

  • If you use USB, install the drive before you start. If you insert the USB drive while the system is running, you will need to reboot the system before it will recognize the USB drive.

Procedure

Step 1

Unregister the ASA from the Smart Software Licensing server, either from the ASA CLI/ASDM or from the Smart Software Licensing server.

Step 2

Connect to the FXOS CLI from the console port.

  • Firepower 2100 in Platform Mode—You connect to FXOS initially at the console port. Login as admin and the admin password.

  • All other models—You connect to ASA initially at the console port. To connect to FXOS, enter the connect fxos admin command.

Step 3

Reformat the system.

connect local-mgmt

format everything

Enter yes, and the device reboots.

Example:


firepower-2110# connect local-mgmt 
firepower-2110(local-mgmt)# format everything
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):yes

Step 4

Press Esc during the bootup when prompted to reach the ROMMON prompt. Pay close attention to the monitor.

Example:


*******************************************************************************
Cisco System ROMMON, Version 1.0.03, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Thu 04/06/2017 12:16:16.21 by builder
*******************************************************************************

Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM_1/1 : Present
DIMM_2/1 : Present

Platform FPR-2130 with 32768 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 0c:75:bd:08:c9:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Press Esc at this point.

Step 5

Boot from the ASA package on a USB drive formatted as EXT2/3/4 or VFAT/FAT32, or boot over the network using TFTP.

If you want to boot from USB:

Note

 

If you insert the USB drive while the system is running, you will need to reboot the system before it will recognize the USB drive.

boot usb:/path/filename

Use the dir usb: command to view the disk contents in Firepower 1000 and 2100.

Example:


rommon 1 > dir usb:
rommon 2 > boot usb:/cisco-asa-fp2k.9.8.2.SPA

If you want to boot from TFTP:

Set the network settings for Management 1/1, and load the ASA package using the following ROMMON commands.

address management_ip_address

netmask subnet_mask

server tftp_ip_address

gateway gateway_ip_address

filepath/filename

set

sync

tftpdnld -b

See the following information:

  • set —Shows the network settings. You can also use the ping command to verify connectivity to the server.

  • sync —Saves the network settings.

  • tftpdnld -b —Loads the ASA package.

Example:


rommon 1 > address 10.86.118.4
rommon 2 > netmask 255.255.252.0
rommon 3 > server 10.86.118.21
rommon 4 > gateway 10.86.118.1
rommon 5 > file cisco-asa-fp2k.9.8.2.SPA
rommon 6 > set
ROMMON Variable Settings:
  ADDRESS=10.86.118.4
  NETMASK=255.255.252.0
  GATEWAY=10.86.118.21
  SERVER=10.86.118.21
  IMAGE=cisco-asa-fp2k.9.8.2.SPA
  CONFIG=
  PS1="rommon ! > "

rommon 7 > sync
rommon 8 > tftpdnld -b
Enable boot bundle: tftp_reqsize = 268435456

             ADDRESS: 10.86.118.4
             NETMASK: 255.255.252.0
             GATEWAY: 10.86.118.21
              SERVER: 10.86.118.1
               IMAGE: cisco-asa-fp2k.9.8.2.SPA
             MACADDR: d4:2c:44:0c:26:00
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp2k.9.8.2.SPA from 10.86.118.21!!!!!!!!
[…]

Ping to troubleshoot connectivity to the server:


rommon 1 > ping 10.86.118.21
Sending 10, 32-byte ICMP Echoes to 10.86.118.21 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 2 >

Step 6

Once the system comes up, log in to FXOS using the default username: admin and password: Admin123.

Step 7

Configure the Management interface so you can download the ASA image from a server.

If you use USB, you can skip this step.

  1. Enter the fabric-interconnect scope:

    scope fabric-interconnect a

  2. Set the new management IP information:

    set out-of-band static ip ip netmask netmask gw gateway

  3. Commit the configuration:

    commit-buffer

Example:


firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.1.1.5 netmask 255.255.255.0 gw 10.1.1.1
firepower /fabric-interconnect* # commit-buffer

Note

 

If you encounter the following error, you must disable DHCP before committing the change. Follow the commands below to disable DHCP. 

firepower /fabric-interconnect* # commit-buffer
Error: Update failed: [Management ipv4 address (IP <ip> / net mask <netmask> ) is not in the same network of current DHCP server IP range <ip - ip>.
Either disable DHCP server first or config with a different ipv4 address.]
firepower /fabric-interconnect* # exit
firepower* # scope system
firepower /system* # scope services
firepower /system/services* # disable dhcp-server
firepower /system/services* # commit-buffer

Step 8

Download and boot the ASA package. Because you booted temporarily from USB or TFTP, you must still download the image to the local disk.

  1. Download the package.

    scope firmware

    download image url

    show download-task

    You can download the package from the same TFTP server or USB drive you used earlier, or another server reachable on Management 1/1. Specify the URL for the file being imported using one of the following:

    • ftp://username@server/[path/]image_name

    • scp://username@server/[path/]image_name

    • sftp://username@server/[path/]image_name

    • tftp://server[:port]/[path/]image_name

    • usbA:/path/filename

    Example:

    
firepower-2110# scope firmware
firepower-2110 /firmware # download image tftp://10.86.118.21/cisco-asa-fp2k.9.8.2.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2110 /firmware # show download-task
Download task:
    File Name Protocol Server          Port       Userid          State
    --------- -------- --------------- ---------- --------------- -----
    cisco-asa-fp2k.9.8.2.SPA
              Tftp     10.88.29.21             0                 Downloaded

  2. When the package finishes downloading (Downloaded state), boot the package.

    show package

    scope auto-install

    install security-pack version version

    In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA package and reboots.

    Example:

    
firepower 2110 /firmware # show package
Name                                          Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA                      9.8.2
firepower 2110 /firmware # scope auto-install
firepower 2110 /firmware/auto-install # install security-pack version 9.8.2
The system is currently installed with security software package not set, which has:
   - The platform version: not set
If you proceed with the upgrade 9.8.2, it will do the following:
   - upgrade to the new platform version 2.2.2.52
   - install with CSP asa version 9.8.2
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
   If you proceed the system will be re-imaged. All existing configuration will be lost,
   and the default configuration applied.
Do you want to proceed? (yes/no):yes

Triggered the install of software package version 9.8.2
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.

    Note

     

    Ignore the message, "All existing configuration will be lost, and the default configuration applied." The configuration will not be erased, and the default configuration is not applied.

Step 9

Wait for the chassis to finish rebooting (5-10 minutes), and log in to FXOS as admin.

Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: 


firepower-2110# 
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2 ...
Verifying signature for cisco-asa.9.8.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully. 
[…]

History for System Recovery

Feature

Version

Details

Secure Erase

9.13(1)

The secure erase feature erases all data on the SSDs so that data cannot be recovered even by using special tools on the SSD itself. You should perform a secure erase when decomissioning the device.

New/Modified commands: erase secure (local-mgmt)