Zero Downtime ASA Upgrade (CLI)

So you have stateful failover configured on your pair of Cisco ASAs and need to upgrade ASDM or the os? Maybe a critical security vulnerability was discovered with the software and you need to upgrade them ASAP. With stateful failover, we can perform a zero downtime upgrade on our ASAs to minimize end user disruption. Below are the steps I used to upgrade a pair of ASA 5525-X’s using the command line interface. You can find Cisco’s documentation for upgrading an Active/Standby Failover Configuration here.

  • First, back up your current configuration!

  • Download your updated ASDM and ASA software from Cisco.com
  • Copy new ASA operating system to active and standby units.

  • Copy new ASDM software to active and standby units.

  • Verify the current boot images, making note of the boot order. Remove the current image and set the config to boot from the newly uploaded image followed by the old image as a back up.

  • Configure the ASA to use the new ASDM image

  • Save your configuration and reload the secondary standby unit.

  • Verify the standby unit is back up and running the new software version.

  • Make the active primary unit the new standy unit

  • You may need to re-establish your SSH connection. Log back into the ASA and verify that the secondary unit is now the active unit. Reload the primary/standby unit, wait a few minutes and verify that both units are now running identical code.

 

And there you have it. If you’d like, after monitoring and verification, you can remove the old ASA and ASDM images from the boot order commands as well as the disk to keep things clean.

 

Configuring Stateful Failover on a Cisco ASA HA Pair

The ASA, Cisco’s Adaptive Security Appliance, has been around for over 15 years and has since become an ubiquitous network security solution, securing networks the world over.

Because it is such a critical device in our networks, it has become best practice to deploy these security appliances in a resilient and highly available configuration.

Currently, Cisco supports Active/Active as well as Active/Standby failover. This article contains a simple example of how to configure Active/Standby stateful high availability on a pair of Cisco ASAs, where one unit acts as the primary ASA and a standby unit becomes active once a failover has occurred. When stateful failover is enabled, connection states are continuously passed between the active and standby units keeping session information available to the new active unit. Please note that both ASAs must be running identical hardware and software versions.

Detailed instructions from Cisco on how to configure Failover can be found here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

  • Each interface on the primary ASA will need an additional “standby” IP address, for example:

  • Specify failover interface on the primary ASA
  • Configure failover link IP address

  • Configure shared failover key

  • Configure ASA as primary

  • Enable stateful failover

  • Enable failover

  • On the secondary ASA we’ll need to do some similar configuration:

If everything is configured properly you should see some console output regarding configuration replication.

Now verify the status of failover with a show failover:

Installing a CA Signed Certificate in Cisco Prime Infrastructure 2.2

After following the Prime Infrastructure upgrade path to 2.2 you’ll need to re-issue CA signed certificates. Unfortunately, this can’t be accomplished from the Web GUI and will need to be done via the CLI.

Here’s Cisco’s documentation for installing CA-Signed Certificates and the steps I used to import a new certificate from our Active Directory Certificate Services server.

  • First you’ll want to SSH to your Prime Infrastructure server as well as create a FTP server on your workstation. See my previous blog post for instructions how to do so.
  • Generate a new CSR file and answer the information prompts
    • PIServer/admin# ncs key genkey -newdn -csr CSRFile .csr repository defaultRepo
    • The NCS server is running. Changes will take affect on the next server restart
      Enter the domain name of the server: (the fqdn you'll use to access prime from e.g., prime.company.org)
      Enter the name of your organizational unit:
      Enter the name of your organization:
      Enter the name of your city or locality:
      Enter the name of your state or province:
      Enter the two letter code for your country:
      Generating RSA key
  • Copy the CSR to your FTP server
    • PIServer/admin# copy disk: /defaultRepo/ CSRFile.csr ftp://your.ftp.server
  • Open your CSR in a text editor, copying the text to your clipboard

pi-cert01

  • Navigate to your internal CA and click Request a certificate

pi-cert02

  • Click Submit an advanced certificate request

pi-cert03

  • Under “Saved Request,”paste your certificate request output from earlier and select the Web Server certificate template. Click Submit

pi-cert04

  • Download your certificate and copy it to your FTP server directory

pi-cert05

  • Copy the certificate from the FTP server to the default repository
    • PIServer/admin# copy ftp://your.ftp.server/CertFile.cer disk:defaultRepo
  • Import the certificate into the Prime Infrastructure server
    • PIServer/admin# ncs key importsignedcert CertFile.cer repository defaultRepo
  • Restart Prime Infrastructure
    • ncs stop
    • ncs start
  • When the server comes back up, reload the web page and you should notice that the site is now trusted!

pi-cert07

Upgrading Cisco Prime Infrastructure 2.1 to 2.2

At the moment we’re running Cisco Prime Infrastructure 2.1 on a Gen1 physical appliance. We’re looking to take the upgrade path from 2.1 all the way up to 3.1 (currently only 3.0.2 is supported on the Gen1 appliance).

First stop, 2.2.

The Gen1 appliance upgrade path isn’t a fun one. It requires that we back up our current application database, wipe our appliance, do a bare-metal install of 2.2, and then restore our application database. Cisco’s documentation for application backup and restore can be found here: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/administrator/guide/PIAdminBook/backup_restore.html#72460


Step one

Back up the PI application database to an FTP repository (I recommend FileZilla Server for hosting a light-weight FTP server on your workstation).

  • Create a ftp repository on your Prime Infrastructure server via CLI
    • SSH to PI
    • conf t
    • repository NAME
    • url ftp://x.x.x.x
    • user username password plain password
  • Verify your repository configuration
    • show repository NAME

pi2-1

  • Backup your Prime Infrastructure application
    • backup backup-name repository repository-name application NCS


Step two

Install Prime Infrastructure 2.2

Reboot your appliance from the PI 2.2 installation media and follow the on-screen configuration prompts. For more information follow Cisco’s Installation Guide

pi2-5


Step three

Restore your application database

  • SSH to the Prime Infrastructure server and setup your ftp repository again
    • conf t
    • repository NAME
    • url ftp://x.x.x.x
    • user username password plain password
  • Verify your repository configuration, and check that your backup is there
    • show repository NAME

pi2-1pi2-3

  • Run the restore command, taking note of the scary warnings
    • restore BACKUP_NAME.tar.gpg repository REPOSITORY_NAME application NCS

pi2-6

pi2-7

 

 

 

Usernames No Longer Appear in Firepower Management Center After Upgrading to 6.0

After upgrading our Firepower Management Center to 6.0, we noticed that usernames were no longer populating in our dashboards. Instead of showing users, all we could see was “No Authentication Required.”

sf-usernames01After opening a support case, TAC pointed me to the following bug: cscux39125 (cisco login required).

To resolve the issue we need to set the active directory domain to our domain’s NetBIOS short name in Firepower’s realm configuration.

To change your realm configuration go to System -> Integration -> Realms

Click Edit

sf-usernames02Go to Realm Configuration and edit the AD Primary Domain field to your domain’s NetBIOS short name.

sf-usernames03For more information see the following support forums post: https://supportforums.cisco.com/discussion/12879381/sourcefire-60-firesight-mc-60-users-not-populating