
Getting it up – Fixing a down’d mgmt interface on FTD

I had to convert a Cisco ASA 5506 to FTD the other day and was baffled because no matter what I
did the management interface was admin down / down. This is a problem in FTD since you can’t
simply type a no shut and you can’t join it to a FMC without the management interface.

It looked like this from the CLI. If you haven’t seen system support diagnostic-cli before, it
gives you the classic ASA CLI back for operational commands.

> system support diagnostic-cli


Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower>
firepower> en
Password:
firepower#
firepower# sh int ip br
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 unassigned YES unset administratively down down
GigabitEthernet1/2 unassigned YES unset administratively down down
GigabitEthernet1/3 unassigned YES unset administratively down down
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset down up
Internal-Data1/2 unassigned YES unset down down
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset administratively down up

How did I fix it? Voodoo? Smash a PIX in front of it so the misbehaving ASA knows my power?
Actually the issue is the config-register has been modified on this box and FTD doesn’t like it.

We can fix it by booting into rommon and using confreg to make sure the register is set to
0x00000001. Apparently at some point “ignore system configuration” was enabled in my case.

> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes

Broadcast messagStopping Cisco ASA5506-X Threat Defense......ok


Shutting down sfifd... [ OK ]
Clearing static routes
Unconfiguring default route [ OK ]
Unconfiguring address on br1 [ OK ]
Unconfiguring IPv6 [ OK ]
Downing interface [ OK ]
Stopping xinetd:
Stopping nscd... [ OK ]
Stopping system log daemon... [ OK ]
Stopping Threat Defense ...
Stopping system message bus: dbus. [ OK ]
Un-mounting disk partitions ...
mdadm: stopped /dev/md0
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3988)
.
Stopping Advanced Configuration and Power Interface daemon: stopped
/usr/sbin/acpid (pid 3992)
acpid: exiting

acpid.
Stopping system message bus: dbus.
Deconfiguring network interfaces... ifdown: interface br1 not configured
done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE


Copyright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders

Current image running: Boot ROM0


Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory


MAC Address: 38:0e:4d:3d:97:a9

Use BREAK or ESC to interrupt boot.


Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 > confreg

Configuration Register: 0x00000041


Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] ignore system configuration
[ 3 ] auto-boot image in disks
[ 4 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks
do you wish to change the configuration? y/n [n]: y
disable "password recovery"? y/n [n]: y
disable "display break prompt"? y/n [n]:
disable "ignore system configuration"? y/n [y]:
disable "auto-boot image in disks"? y/n [n]:
change console baud rate? y/n [n]:
select specific image in disks to boot? y/n [n]:

Configuration Register: 0x00000001


Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] auto-boot image in disks
[ 3 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks

do you wish to change the configuration? y/n [n]:

You must reset or power cycle for new config to take effect
rommon 2 > reset

Resetting .......

Once the FTD came back up the management interface was happy.
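
A check for the two symptoms shown in the transcripts above, as an added example that is not part of the original post: it parses captured console output for an administratively down management interface and for a configuration register with "ignore system configuration" set. The 0x40 mask is an assumption inferred from the page's two register values (0x00000041 and 0x00000001), and the function names are hypothetical.

```python
import re

# Assumption: the page shows 0x00000041 with "ignore system configuration"
# listed and 0x00000001 without it, so the flag is taken to be bit 0x40.
IGNORE_SYSTEM_CONFIG = 0x40

CONFREG_RE = re.compile(r"Configuration Register:[ \t]*(0x[0-9a-fA-F]+)")
# One row of "sh int ip br": name, address, OK?, method, status, protocol.
INTF_RE = re.compile(
    r"^(?P<name>\S+)[ \t]+(?P<ip>\S+)[ \t]+(?:YES|NO)[ \t]+\S+[ \t]+"
    r"(?P<status>administratively down|up|down)[ \t]+(?P<proto>up|down)[ \t]*$",
    re.MULTILINE,
)

# Constructed sample: a few lines excerpted from the transcript on this page.
SAMPLE = """\
firepower# sh int ip br
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 unassigned YES unset administratively down down
Internal-Data1/1 unassigned YES unset down up
Management1/1 unassigned YES unset administratively down up
rommon 1 > confreg
Configuration Register: 0x00000041
disable "ignore system configuration"? y/n [y]:
Configuration Register: 0x00000001
"""

def confreg_values(log):
    """Every config-register value printed in the log, in order."""
    return [int(v, 16) for v in CONFREG_RE.findall(log)]

def ignores_system_config(value):
    return bool(value & IGNORE_SYSTEM_CONFIG)

def admin_down(log, prefix="Management"):
    """Interfaces whose name starts with prefix and are administratively down."""
    return [m["name"] for m in INTF_RE.finditer(log)
            if m["name"].startswith(prefix) and m["status"] == "administratively down"]

def audit(log):
    """Findings for the first register value seen (the state before any fix)."""
    findings = [f"{name} is administratively down" for name in admin_down(log)]
    values = confreg_values(log)
    if values and ignores_system_config(values[0]):
        findings.append(f"confreg {values[0]:#010x} ignores system configuration")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a saved console session, the same functions show whether a freshly converted box needs the rommon fix before you try to register it with the FMC.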
