Here's a link regarding the Cisco Firepower (FPR) 2100 upgrade in ASA version 9.12 and earlier (Platform mode). You can only perform the upgrade via the FXOS CLI and it will remain in Platform mode. You can change to Appliance mode after it has been upgraded to ASA version 9.13 and above.
Here's a link on how to perform the FTD to ASA re-image procedure (and vice versa). This is in case you've received the wrong Firepower appliance image.
You can check the ASA version using the show version command. Notice it's version 9.12 and runs in Platform mode (default).
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.12(1)2
Firepower Extensible Operating System Version 2.6(1.113)
Device Manager Version 7.12(1)
ciscoasa# show fx?
ERROR: % Unrecognized command
ciscoasa# configure terminal
ciscoasa(config)# fxos ?
configure mode commands/options:
https Configure FXOS HTTPS options
snmp Configure FXOS SNMP options
ssh Configure FXOS SSH options
You can transfer the ASA image using the scope firmware FX-OS CLI command. Use the show download-task to check the transfer status.
Cisco FPR Series Security Appliance
firepower-2120 login: admin
Password: <Admin123>
firepower-2120# scope firmware
firepower-2120 /firmware # download image ftp://ftpuser@172.27.25.253/cisco-asa-fp2k.9.16.3.19.SPA
Password: <FTP PASSWORD>
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2120 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.16.3.19.SPA
Ftp 172.27.25.253 0 ftpuser Failed
firepower-2120 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.16.3.19.SPA
Tftp 172.27.25.253 0 Failed
I tried FTP and FTP file transfer but both failed. I made a search and learned that I encountered an ASA bug. The only way to transfer the image file is via USB (slot beside the CONSOLE port).
firepower-2120 /firmware # show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Cleared F16517 2022-09-13T03:01:59.715 153432 [FSM:STAGE:FAILED]: deleting downloadable cisco-asa-fp2k.9.16.3.19.SPA on local(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:DeleteLocal)
Cleared F77957 2022-09-13T03:01:59.715 153430 [FSM:STAGE:REMOTE-ERROR]: Result: end-point-failed Code: unspecified Message: End point timed out. Check for IP, port, password, disk space or network access related issues.#(sam:dme:FirmwareDownloaderDownload:DeleteLocal)
Cleared F999557 2022-09-13T03:01:59.715 153438 [FSM:FAILED]: downloading image cisco-asa-fp2k.9.16.3.19.SPA from 172.27.25.253(FSM:sam:dme:FirmwareDownloaderDownload)
firepower-2120# scope firmware
firepower-2120 /firmware # download image usbA:/cisco-asa-fp2k.9.16.3.19.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-2120 /firmware # show download-task detail
Download task:
File Name: cisco-asa-fp2k.9.16.3.19.SPA
Protocol: Usb A
Server:
Port: 0
Userid:
Path:
Downloaded Image Size (KB): 463204
Time stamp: 2022-09-13T17:25:39.762
State: Downloading
Status: validating and unpacking the image
Transfer Rate (KB/s): 18528.160156
Current Task: unpacking image cisco-asa-fp2k.9.16.3.19.SPA on primary(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:UnpackLocal)
firepower-2120 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.16.3.19.SPA
Usb A 0 Downloading
firepower-2120 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.16.3.19.SPA
Usb A 0 Downloaded // WAIT FOR STATE: DOWNLOADED TO FULLY DOWNLOAD THE PACKAGE FILE
firepower-2120 /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.12.1.2.SPA 9.12.1.2
cisco-asa-fp2k.9.16.3.19.SPA 9.16.3.19
cisco-ftd-fp2k.6.2.1-341.SPA 6.2.1-341 // DELETE UNUSED FTD PACKAGE
firepower-2120 /firmware # delete package cisco-ftd-fp2k.6.2.1-341.SPA
firepower-2120 /firmware # show package !! WAIT FOR FEW SECONDS TO COMPLETE REMOVE OLD PACKAGE
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.12.1.2.SPA 9.12.1.2
cisco-asa-fp2k.9.16.3.19.SPA 9.16.3.19 // TAKE NOTE OF PACKAGE VERSION
firepower-2120 /firmware # scope auto-install
firepower-2120 /firmware/auto-install # install security-pack version 9.16.3.19
The system is currently installed with security software package 9.12.1.2, which has:
- The platform version: 2.6.1.113
- The CSP (asa) version: 9.12.1.2
If you proceed with the upgrade 9.16.3.19, it will do the following:
- upgrade to the new platform version 2.10.1.207
- upgrade to the CSP asa version 9.16.3.19
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes
Triggered the install of software package version 9.16.3.19
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2120 /firmware/auto-install # show
Firmware Auto-Install:
Package-Vers Oper State Upgrade State
------------ ---------------------------- -------------
9.16.3.19 Scheduled Ready
firepower-2120 /firmware/auto-install # show detail
Firmware Auto-Install:
Package-Vers: 9.16.3.19
Oper State: Scheduled
Installation Time: 2022-09-14T01:59:56.258
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task:
Wait for a few seconds for FRP 2100 to auto reload.
Cisco FPR Series Security Appliance
ciscoasa login:
Cisco ASA: CMD=-stop, CSP-ID=cisco-asa.9.12.1.2__asa_001_TSP2621AGGS0CCABCD, FLAG=''
Cisco ASA stopping ...
Cisco ASA stopped successfully.
INIT:
Cisco ASA: CMD=-stop, CSP-ID=cisco-asa.9.12.1.2__asa_001_TSP2621AGGS0CCABCD, FLAG=''
Cisco ASA stopping ...
Sep 14 02:01:14 ciscoasa SF-IMS[27201]: [27201] pmtool:pmtool [ERROR] Unable to connect to UNIX socket at /var/sf/run/PM_Control.sock: No such file or directory
Cisco ASA stopped successfully.
Stopping all devices.
Stopping Octeon Serial Logd...
Stopping Octeon Serial Logd... success
Stopping OpenBSD Secure Shell server: sshd
stopped /usr/sbin/sshd (pid 1490)
done.
Stopping Octeon NPU ...
Stopping Octeon NPU ... failed
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1688)
acpid.
Stopping system message bus: dbus.
stopping mountd: done
stopping nfsd: .done
Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 30244)
done
Stopping internet superserver: xinetd.
stopping statd: done
Failed to stop kdump!
Stopping crond: OK
Stopping rpcbind daemon...
done.
Stopping fan control daemon: fancontrol... no process in pidfile '/var/run/fancontrol.pid' found; none killed
done.
Stopping sensors logging daemon: sensord... stopped /usr/sbin/sensord (pid 3694)
done.
Deconfiguring network interfaces... done.
ip6tables: Setting chains to policy ACCEPT: filter [ OK ]
ip6tables: Flushing firewall rules: [ OK ]
ip6tables: Unloading modules: [ OK ]
iptables: Setting chains to policy ACCEPT: raw filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
SSP-Security-Module is shutting down ...
Wed Sep 14 02:01:26 UTC 2022 SHUTDOWN WARNING: Beginning System Shutdown request for CSP Apps
Wed Sep 14 02:01:26 UTC 2022 SHUTDOWN WARNING: Continue System Shutdown request for CSP Apps
Wed Sep 14 02:01:26 UTC 2022 SHUTDOWN WARNING: Nothing to do for Apps-Services-Down
Sending ALL processes the TERM signal ...
Note: SIGKILL_ALL will be triggered after after 0 + 2 secs ...
Sending ALL processes the KILL signal ...
Deactivating swap...
Unmounting local filesystems...
Rebooting... [970793.313649] reboot: Restarting system
*******************************************************************************
Cisco System ROMMON, Version 1.0.12, RELEASE SOFTWARE
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Mon 06/17/2019 16:23:23.36 by builder
*******************************************************************************
Current image running: Boot ROM0
Last reset cause: ResetRequest (0x00001000)
DIMM_1/1 : Present
DIMM_2/1 : Absent
Platform FPR-2120 with 16384 MBytes of main memory
WARNING: This board is using a temporary MAC address.
WARNING: The temporary MAC address override value = 00:11:22:33:12:34
WARNING: Please clear this value to use the programmed MAC address.
WARNING: Use the following two CLI commands:
WARNING: unset MACADDR
WARNING: sync
BIOS has been successfully locked !!
MAC Address: ac:bc:d9:90:bd:00
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Located '.boot_string' @ cluster 458394.
Attempt autoboot: "boot disk0:installables/switch/fxos-k8-fp2k-lfbff.2.10.1.207.SPA"
Located 'installables/switch/fxos-k8-fp2k-lfbff.2.10.1.207.SPA' @ cluster 347763.
#####################################################################################
#####################################################################################
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF signature authentication passed !!! |
| |
+-------------------------------------------------------------------+
LFBFF signature verified.
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF controller type check passed !!! |
| |
+-------------------------------------------------------------------+
Linux version: 4.18.45-yocto-standard (oe-user@oe-host) #1 SMP Thu Jul 21 06:32:09 UTC 2022
kernel_image = 0x8dafdc68, kernel_size=0x6402a0
Image validated
INIT: version 2.88 booting
Starting udev
Hardware tweak APPLIED: Disable SATA Throttle.1
Hardware tweak APPLIED: Disable SATA Throttle.2
Configuring network interfaces... done.
Starting random number generator daemon.
Starting Power Off Shutdown Handler (poshd)
poshd: using FPGA version and PSEQ version
Starting TAm services ...
Device configuration status = TAM_SUCCESS
TAm Services started successfully
Primary SSD discovered
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1
/dev/sda1: clean, 104/61056 files, 25185/244224 blocks
fsck(/dev/sda1) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2
/dev/sda2: clean, 111/61056 files, 11498/243968 blocks
fsck(/dev/sda2) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3
/dev/sda3: clean, 13/732960 files, 85969/2929664 blocks
fsck(/dev/sda3) returned 0
mount_disk_xfs. device: /dev/sda4, dir: /opt/cisco/csp, mount returned: 0.
fsck from util-linux 2.32.1
[/sbin/fsck.vfat (1) -- /dev/sdb1] fsck.vfat -a /dev/sdb1
fsck.fat 4.1 (2017-01-24)
/dev/sdb1: 48 files, 206397/1919063 clusters
fsck(/dev/sdb1) returned 0
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
FIPS POST Test Script
NOTICE: The FIPS POST is not run because the FIPS feature is not enabled
INIT: Entering runlevel: 3rst bo
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
done.
Starting rpcbind daemon...done.
starting statd: done
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up with netlink and the input layer
acpid: 1 rule loaded
acpid: waiting for events: event logging is off
Starting DHCP server: .
starting 8 nfsd kernel threads: done
starting mountd: done
Starting ntpd: done
Starting internet superserver: xinetd.
Starting Octeon NPU ...
Starting Octeon NPU ... success
Starting fan control daemon: fancontrol... done.
INFO: beginning of manager_install
INFO: manager_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.10.1.207.SPA chmgr=/mnt/boot/installables/switch/fxos-k9-mgmtext.2.10.1.56.SPA update=false
INFO: manager_install: fxmgr is dummy, skip_fxmgr_install=true
INFO: in validating image ...
INFO: manager_validate_image: fxmgr_absfilename /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.10.1.207.SPA
INFO: Validating image /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.10.1.207.SPA signature ...
: File /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.10.1.207.SPA size 1296
Done!
Computed Hash SHA2: 9130e107f1aa8ea50662a5030ce04b08
9b5f9f2dc557034d63e1ec55210f7b35
097dee327a9df9af7717c0368709db42
3467cb651726b6d17d7b31d65cb41234
Embedded Hash SHA2: 9130e107f1aa8ea50662a5030ce04b08
9b5f9f2dc557034d63e1ec55210f7b35
097dee327a9df9af7717c0368709db42
3467cb651726b6d17d7b31d65cb4abcd
The digital signature of the file: fxos-k9-fp2k-manager.2.10.1.207.SPA verified successfully
INFO: manager_validate_image: chmgr_absfilename /mnt/boot/installables/switch/fxos-k9-mgmtext.2.10.1.56.SPA
INFO: Validating image /mnt/boot/installables/switch/fxos-k9-mgmtext.2.10.1.56.SPA signature ...
: File /mnt/boot/installables/switch/fxos-k9-mgmtext.2.10.1.56.SPA size 37136160
Done!
Computed Hash SHA2: b3f080a08c44e4606e7ddde319c8ba3a
649a58ba202b149475250273c48f2326
0f9e7d060a620fbb68f56b35a1226e5d
1b4a0af4387940803b56475322d71234
Embedded Hash SHA2: b3f080a08c44e4606e7ddde319c8ba3a
649a58ba202b149475250273c48f2326
0f9e7d060a620fbb68f56b35a1226e5d
1b4a0af4387940803b56475322d7fabcd
The digital signature of the file: fxos-k9-mgmtext.2.10.1.56.SPA verified successfully
INFO: manager_install: skip_fxmgr_install=true - delete unnecessary files and skip
INFO: deleting unnecessary xml file..!!
INFO: deleted unnecessary xml file..!!
INFO: manager_post_install ...
INFO: manager_post_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.10.1.207.SPA chmgr=/mnt/boot/installables/switch/fxos-k9-mgmtext.2.10.1.56.SPA update=false
INFO: manager_post_install: fxmgr is dummy
INFO: manager_post_install: Linking libraries ...
INFO: manager_post_install: Linking binaries ...
INFO: Creating directory /tmp/chmgr
INFO: creating /isan/apache/chassis-mgr/
INFO: Change permission /isan/apache/chassis-mgr/.deploy_onbox.sh
INFO: Change permission /isan/apache/chassis-mgr/.httpd.conf
INFO: Change permission /isan/apache/chassis-mgr/kpmgmt/onbox-version.txt
INFO: manager_post_install: succesful install chassis mgr
INFO: Trying to add iptables and ip6tables rules ...
INFO: Set up Application Diagnostic Interface ...
INFO: Configure management0 interface ...
2022-09-14T02:03:33 [WARN/lldpctl] unknown command from argument 4: `status`
INFO: Configure system files ...
INFO: System Name is: ciscoasa
Starting sensors logging daemon: sensord... done.
INFO: /mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.207.SPA
INFO: Need to validate the image
: File /mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.207.SPA size 73825264
Done!
Computed Hash SHA2: 0dc26fabc2e1a37cad057537f9dd4391
92f03d2d249c31bf025a790d7ae2d2d3
6ac796ceb616943e6fda35335d334295
990f35850c39ca56e7ddab4eee1234
Embedded Hash SHA2: 0dc26fabc2e1a37cad057537f9dd4391
92f03d2d249c31bf025a790d7ae2d2d3
6ac796ceb616943e6fda35335d334295
990f35850c39ca56e7ddab4eeeabcd
The digital signature of the file: fxos-k8-fp2k-npu.2.10.1.207.SPA verified successfully
INFO: Creating directory /tmp/npu
INFO: all files are there ...
INFO: console : ttyS0, speed : 9600
INFO: manager_startup: setting up fxmgr apache ...
INFO: manager_startup: Start manager httpd setup...
INFO: manager_startup: using HTTPD_INFO persistent cache
/bin/rm: cannot remove '/tmp/openssl.conf': No such file or directory
httpdRegister INFO: [httpd.2501 -s -4 10.110.4.104 -n localhost]
httpdRegister INFO: SKIP httpd syntax check
httpdRegister INFO: Starting httpd setup/registration...
httpdRegister INFO: Completed httpd setup/registration!
INFO: httpdRegister [httpd.2501 script exit]
INFO: manager_startup: Completed manager httpd setup!
INFO: manager_startup: configuring chassis manager
INFO: unconfig older conf files
httpdAppconf INFO: [httpd.2563 -d /isan/apache/.httpd.conf]
httpdAppconf [fpr21xx] PARAMS: [GLOBAL_DEL:/isan/apache/.httpd.conf]
httpdAppconf INFO: /isan/apache/.httpd.conf changes already removed
httpdAppconf INFO: httpd.conf GLOBAL_DEL update for /isan/apache/.httpd.conf already applied
INFO: httpdAppconf [httpd.2563 script exit]
httpdAppconf INFO: [httpd.2595 -V -d /isan/apache/.httpd.conf]
httpdAppconf [fpr21xx] PARAMS: [VHOST_DEL:/isan/apache/.httpd.conf]
httpdAppconf INFO: SUCCESSFUL httpd.conf VHOST_DEL update for /isan/apache/.httpd.conf
INFO: httpdAppconf [httpd.2595 script exit]
INFO: Configuring httpd
httpdAppconf INFO: [httpd.2644 -V -a /isan/apache/.httpd.conf]
httpdAppconf [fpr21xx] PARAMS: [VHOST_ADD:/isan/apache/.httpd.conf]
httpdAppconf INFO: SUCCESSFUL httpd.conf VHOST_ADD update for /isan/apache/.httpd.conf
INFO: httpdAppconf [httpd.2644 script exit]
INFO: manager_startup: successfully configured chassis mgr
nscd: 2693 monitoring file `/etc/hosts` (1)
nscd: 2693 monitoring directory `/etc` (2)
nscd: 2693 monitoring file `/etc/resolv.conf` (3)
nscd: 2693 monitoring directory `/etc` (2)
Starting crond: OK
FTD
1:/opt/cisco/csp/cores
/opt/cisco/csp/cores 31457280
Cisco ASA: CMD=-bootup, CSP-ID=cisco-asa.9.12.1.2__asa_001_TSP2621AGGS0CCABCD, FLAG=''
Cisco ASA booting up ...
INFO:-MspCheck: Configuration Xml found is /opt/cisco/csp/applications/configs/cspCfg_cisco-asa.9.12.1.2__asa_001_TSP2621AGGS0CCABCD.xml
INFO:INFO: System Disks /dev/sda is present. Status: Operable. /dev/sdb is present. Status: Inoperable.
ciscoasa login:
Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Sep 14 02:03:59 ciscoasa rst_manager: Reset Manager not required on this platform: 1
Sep 14 02:04:42 ciscoasa port-manager: Alert: Ethernet1/3 link changed to UP
Sep 14 02:04:42 ciscoasa port-manager: Alert: Ethernet1/2 link changed to UP
Sep 14 02:04:42 ciscoasa port-manager: Alert: Ethernet1/1 link changed to UP
Cisco ASA: CMD=-upgrade, CSP-ID=cisco-asa.9.16.3.19__asa_001_TSP2621AGGS0CCABCD, FLAG='cisco-asa.9.12.1.2__asa_001_TSP2621AGGS0CCABCD'
Cisco ASA begins upgrade ...
Verifying signature for cisco-asa.9.16.3.19 ...
Verifying signature for cisco-asa.9.16.3.19 ... success
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.16.3.19__asa_001_TSP2621AGGS0CCABCD, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
lina_init_env: memif is not enabled.
System Cores 8 Nodes 1 Max Cores 48
Number of Cores 8
Global Reserve Memory Per Node: 692060160 bytes Nodes=1
LCMB: HEAP-CACHE POOL got 683671552 bytes on numa-id=0, virt=0x0000005555600000
total_reserved_mem = 1073741824
total_heapcache_mem = 683671552
total mem 7168280331 system 7222935552 kernel 54655221 image 0
new 7168280331 old 1073741824 reserve 1757413376 priv new 5465522176 priv old 0
Processor memory: 6908362752
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Cisco Adaptive Security Appliance Software Version 9.16(3)19
Compiled on Wed 03-Aug-22 05:26 GMT by builders
Platform is FPR-2120
Adding Cavium NIC interface 1 port 0
Total NICs found: 4
NIC pci:id 00, slot 0, port 1, bus -1, dev -1 func 0, irq 00, internal, ten_gb-ethernet, ind 1
NIC pci:id 01, slot 0, port -1, bus 0, dev 0 func 0, irq 00, internal, , ind 0
NIC pci:id 02, slot 1, port 1, bus -1, dev -1 func -1, irq 00, external, gb-ethernet, ind 1
NIC pci:id 03, slot 1, port 1, bus -1, dev -1 func -1, irq 00, internal, gb-ethernet, ind 1
Sep 14 02:09:23 ciscoasa port-manager: Alert: Internal1/3 link changed to UP
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 02 MAC: acbc.d990.bd01
en_vtun rev00 Backplane Tap Interface @ index 03 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
Use software crypto.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
Cisco Adaptive Security Appliance Software Version 9.16(3)19
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.16
Copyright (c) 1996-2022 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!.WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 141, "ip-client outside"
..
Cryptochecksum (unchanged): cb62e249 bf3eb8fa cc728bc1 7d07b9ef
INFO: Power-On Self-Test in process.
......................................
INFO: Power-On Self-Test complete.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
Creating trustpoint "_SmartCallHome_ServerCA2" and installing certificate...
Trustpoint CA certificate accepted.
User enable_1 logged in to ciscoasa
ciscoasa: Cryptochecksum: d344c6ff d1849478 4ec0ac2c cc645192
11665 bytes copied in 0.850 secs
It took around 10 mins for the upgrade/boot process to complete.
firepower-2120 login: admin
Password: <Admin123>
Successful login attempts for user 'admin' : 1
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.
Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.
firepower-2120# connect asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: ********
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.16(3)19
SSP Operating System Version 2.10(1.207)
Device Manager Version 7.18(1)152
Compiled on Wed 03-Aug-22 05:26 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.207.SPA"
Config file at boot was "startup-config"
ciscoasa up 4 mins 8 secs
Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
1: Int: Internal-Data0/1 : address is 000f.b748.4801, irq 0
3: Ext: Management1/1 : address is acbc.d990.bd01, irq 0
4: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled
Serial Number: JAD26091234
Configuration has not been modified since last system restart.
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 unassigned YES unset up up
Ethernet1/2 unassigned YES unset up up
Ethernet1/3 unassigned YES unset up up
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset down down
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset up up
The FXOS mode is still in Platform mode even after the upgrade. You can manually change the FXOS mode using the fxos mode appliance, save config and reload the appliance.
ciscoasa# show fxos mode
Mode is currently set to platform
ciscoasa# configure terminal
ciscoasa(config)# fxos ?
configure mode commands/options:
https Configure FXOS HTTPS options
mode Configure FXOS mode
snmp Configure FXOS SNMP options
ssh Configure FXOS SSH options
ciscoasa(config)# fxos mode ?
configure mode commands/options:
appliance Configure FXOS mode appliance
ciscoasa(config)# fxos mode appliance // ASA 9.13 AND ABOVE CODE UPGRADE DOESN'T CHANGE FXOS MODE FROM PLATFORM TO APPLIANCE MODE BY DEFAULT
Mode set to appliance mode
WARNING: The running-config must be saved and the system must
be rebooted for this command to take effect. Upon reboot, the current
configuration will be erased, and the default configuration for
appliance mode will be applied.
ciscoasa(config)# end
ciscoasa# write memory
Building configuration...
Cryptochecksum: 9af5fb7a a7f691ab 1574a29d 9dd5e558
11660 bytes copied in 0.910 secs
WARNING: Mode change detected. Upon reboot,
current configuration will be cleared and the default
configuration for appliance mode will be applied.
[OK]
ciscoasa# reload // THE ASA STARTUP-CONFIG WILL BE CLEARED AND CONFIGURED WITH A SYSTEM DEFAULT CONFIG
WARNING: Mode change detected. Upon reboot,
current configuration will be cleared and the default
configuration for appliance mode will be applied.
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down Application Agent
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
lina_monitor pro2022 Sep 14 02:16:03 PMLOG: PM IPC UTILITY: Shutting down all ports
<OUTPUT TRUNCATED>
The reload took 5 mins to finish.
ciscoasa> enable
The enable password is not set. Please set it now.
Enter Password: ********
Repeat Password: ********
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# show fxos mode
Mode is currently set to appliance
ciscoasa# connect fxos
Configuring session.
.
Connecting to FXOS.
...
Connected to FXOS. Escape character sequence is 'CTRL-^X'.
NOTICE: You have connected to the FXOS CLI with read-only privileges.
For admin level privileges connect using 'connect fxos admin'.
Config commands and commit-buffer are not supported in appliance mode.
d used and distributed under
license.
Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.
firepower-2120# connect asa
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.16(3)19
SSP Operating System Version 2.10(1.207)
Device Manager Version 7.18(1)152
Compiled on Wed 03-Aug-22 05:26 GMT by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.10.1.207.SPA"
Config file at boot was "startup-config"
ciscoasa up 1 min 24 secs
Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
1: Int: Internal-Data0/1 : address is 000f.b748.4801, irq 0
3: Int: Not licensed : irq 0
4: Ext: Management1/1 : address is acbc.d990.bd01, irq 0
5: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled
Serial Number: JAD26091234
Configuration register is 0x1
Configuration last modified by enable_1 at 02:23:02.449 UTC Wed Sep 14 2022
Below are the default ASA configuration.
ciscoasa# show run
: Saved
:
: Serial Number: JAD26091234
: Hardware: FPR-2120, 6588 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)
:
ASA Version 9.16(3)19
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Ethernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address dhcp setroute
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 208.67.222.222
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no failover wait-disable
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0a0142800000014523c844b500000002
30820560 30820348 a0030201 0202100a 01428000 00014523 c844b500 00000230
0d06092a 864886f7 0d01010b 0500304a 310b3009 06035504 06130255 53311230
<OUTPUT TRUNCATED>
6b3c1083 c6addea8 cd168e8d f0073771 9ff2abfc 41f5c18b ec00375d 09e54e80
effab15c 3806a51b 4ae1dc38 2d3cdcab 1f901ad5 4a9ceed1 706cccee f457f818
ba841234
quit
crypto ca certificate chain _SmartCallHome_ServerCA2
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
<OUTPUT TRUNCATED>
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31abcd
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a8aab95450b804cadd17ffdeeb4d06d2
: end
Note FPR2100 uses Smart License.
ciscoasa# show license summary
Smart Licensing is ENABLED
Registration:
Status: REGISTERED
Smart Account: MY-ACCOUNT
Virtual Account: Default
Export-Controlled Functionality: ALLOWED
Last Renewal Attempt: None
Next Renewal Attempt: Mar 11 2023 14:02:18 UTC
License Authorization:
Status: AUTHORIZED
Last Communication Attempt: FAILED
Next Communication Attempt: Sep 14 2022 02:26:15 UTC
ciscoasa# show license status
Smart Licensing is ENABLED
Utility:
Status: DISABLED
Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED
Transport:
Type: Callhome
Registration:
Status: REGISTERED
Smart Account: MY-ACCOUNT
Virtual Account: Default
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Sep 12 2022 14:02:18 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Mar 11 2023 14:02:17 UTC
Registration Expires: Sep 12 2023 14:00:15 UTC
License Authorization:
Status: AUTHORIZED on Sep 14 2022 02:25:46 UTC
Last Communication Attempt: FAILED on Sep 14 2022 02:25:46 UTC
Failure reason: Communication message send error
Next Communication Attempt: Sep 14 2022 02:26:15 UTC
Communication Deadline: Dec 11 2022 13:59:27 UTC
Export Authorization Key:
Features Authorized:
<none>
Miscellaneus:
Custom Id: <empty>
You can now directly enable/disable interfaces in Appliance mode versus in Platform mode where you perform in FXOS CLI.
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 unassigned YES DHCP up up
Ethernet1/2 192.168.1.1 YES CONFIG up up
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 10.10.4.2 YES manual up up
ciscoasa(config)# interface e1/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface e1/12
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 unassigned YES DHCP up up
Ethernet1/2 192.168.1.1 YES CONFIG up up
Ethernet1/3 unassigned YES unset up up
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 10.10.4.2 YES manual up up
