Troubleshooting ASA FirePOWER modules
ASA1 case:
debug commands:
#debug sfr error
#debug sfr events
#debug sfr messages
#debug cmdr 255
#debug cplane
ELEKTRA1(config)# show module ?
exec mode commands/options:
Available module ID(s):
0 Module ID
all show all module information for all slots
cxsc Module ID
ips Module ID
sfr Module ID
ELEKTRA1(config)# show module all
ELEKTRA1(config)# sw-module module sfr reset noconfirm
ELEKTRA1(config)# sw-module module sfr reload noconfirm
ELEKTRA1(config)# show module sfr details
Getting details from the Service Module, please wait…
Card Type: Adaptive Security Appliance Software Module
Model: ASA5545
Hardware version: N/A
Serial Number: Fxxxxxxx
Firmware version: N/A
Software version: 5.3.1-86
MAC Address Range: c464.1339.1b8c to c464.1339.1b8c
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.3.1-86
Data Plane Status: Up
Status: Up
DC addr: 10.2.115.150
Mgmt IP addr: 10.2.115.161
Mgmt Network mask: 255.255.252.0
Mgmt Gateway: 10.2.112.1
Mgmt web ports: 443
Mgmt TLS enabled: true
ELEKTRA1(config)# sw-module module sfr shutdown noconfirm
Shutdown issued for module sfr.
ELEKTRA1(config)# show module sfr details
Getting details from the Service Module, please wait…
Unable to read details from module sfr
Card Type: Adaptive Security Appliance Software Module
Model: ASA5545
Hardware version: N/A
Serial Number: Fxxxxxxx
Firmware version: N/A
Software version: 5.3.1-86
MAC Address Range: c464.1339.1b8c to c464.1339.1b8c
App. name: ASA FirePOWER
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 5.3.1-86
Data Plane Status: Not Applicable
Status: Down
ELEKTRA1(config)# sw-module module sfr shutdown noconfirm
ELEKTRA1(config)# show module sfr details
Getting details from the Service Module, please wait…
##### Steps to shut down and bring up the module:
sw-module module sfr shutdown
sw-module module sfr reset
sw-module module sfr reload
logging list test message 434001
logging console test
ELEKTRA1(config)#
Message 434001 was logged when the sfr module was shut down:
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1746 to outside:66.96.147.113/80
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1747 to outside:66.96.147.113/80
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1747 to outside:66.96.147.113/80
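Added example, not part of the original notes: a Python parser that groups the 434001 fail-close drops shown above by protocol, source, destination and port, so the traffic affected while the sfr module is down can be read off directly. The names summarize_sfr_drops and SAMPLE_LOG and the last two sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Format of ASA syslog 434001 as it appears in the notes above.
SFR_DROP = re.compile(
    r"%ASA-3-434001: SFR card not up and fail-close mode used, "
    r"dropping (?P<proto>\S+) packet "
    r"from (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)

# Sample input: the three 434001 lines from the notes, plus two constructed
# lines (an unrelated message and a truncated 434001) to exercise the parser.
SAMPLE_LOG = """\
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1746 to outside:66.96.147.113/80
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1747 to outside:66.96.147.113/80
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2.115.87/1747 to outside:66.96.147.113/80
%ASA-6-000000: constructed unrelated message
%ASA-3-434001: SFR card not up and fail-close mode used, dropping TCP packet from inside:10.2
"""


def summarize_sfr_drops(log_text):
    """Return (drops per service, count of unparsable 434001 lines).

    A service is (protocol, source IP, destination IP, destination port);
    source ports are ignored so that retries of one connection attempt
    collapse into the same entry.
    """
    drops = Counter()
    malformed = 0
    for line in log_text.splitlines():
        if "434001" not in line:
            continue  # not an SFR fail-close drop message
        m = SFR_DROP.search(line)
        if m is None:
            malformed += 1  # truncated or reformatted by the syslog relay
            continue
        key = (m["proto"], m["src_ip"], m["dst_ip"], int(m["dst_port"]))
        drops[key] += 1
    return drops, malformed


if __name__ == "__main__":
    drops, malformed = summarize_sfr_drops(SAMPLE_LOG)
    for (proto, src, dst, dport), n in drops.most_common():
        print(f"{n:3d} dropped  {proto} {src} -> {dst}:{dport}")
    print(f"{malformed} unparsable 434001 line(s)")
```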
class-map ELEKTRA-global-class1
 match port tcp range www isakmp
policy-map ELEKTRA-Global-Policy
 class ELEKTRA-global-class1
  sfr fail-open
policy-map global_policy
 class ELEKTRA-global-class1
ELEKTRA1(config)# sh service-policy sfr
Global policy:
Service-policy: ELEKTRA-Global-Policy
Class-map: ELEKTRA-global-class1
SFR: card status Up, mode fail-open
packet input 196, packet output 196, drop 0, reset-drop 0
ELEKTRA1(config)#
#capture test interface asa_dataplane real-time
22: 20:25:57.817310 66.96.147.113.80 > 10.2.115.87.1780: F 969711134:969711134(0) ack 4220192396 win 4281 <nop,nop,timestamp 1297239801 162551>
23: 20:25:57.817767 10.2.115.87.1780 > 66.96.147.113.80: . ack 969711135 win 32723 <nop,nop,timestamp 162849 1297239801>
24: 20:25:57.817889 10.2.115.87.1780 > 66.96.147.113.80: . ack 969711135 win 32723 <nop,nop,timestamp 162849 1297239801>
25: 20:26:23.462042 74.125.129.125.5222 > 10.2.115.87.1172: P 4018929927:4018929953(26) ack 2909110477 win 1237 <nop,nop,timestamp 3844190899 160079>
26: 20:26:23.462225 74.125.129.125.5222 > 10.2.115.87.1172: P 4018929927:4018929953(26) ack 2909110477 win 1237 <nop,nop,timestamp 3844190899 160079>
27: 20:26:23.593353 10.2.115.87.1172 > 74.125.129.125.5222: . ack 4018929953 win 32378 <nop,nop,timestamp 163107 3844190899>
28: 20:26:23.593520 10.2.115.87.1172 > 74.125.129.125.5222: . ack 4018929953 win 32378 <nop,nop,timestamp 163107 3844190899>