3 Replies Latest reply on Jun 7, 2017 12:20 PM by rschroeder

    NCM 7.6 ASA Firmware update?

    Jenya

      Hello,

       

      We are trying to get the Firmware upgrade feature to work with Cisco ASA devices. The problem we are running into is having to specify the source interface for the TFTP or SCP copy operation to get the bin file copied to the firewall.

       

      Has anybody gotten an ASA firmware upgrade to work? Is there a way to do a show command and save a part of it into a variable to be used later in the firmware upgrade process?

       

      Thanks in advance!

        • Re: NCM 7.6 ASA Firmware update?
          rschroeder

          You can see the complete and unencrypted configuration by issuing this command on an ASA:

           

          more system:running-config

           

          With this information you could do a complete restore, or migrate the configuration to a different ASA.  You should also be able to identify all the source interfaces for transfers/copies.

           

          I Beta-tested NCM 7.6 and was able to successfully use its upgrade features on Cisco 2960's, 3650's, 3850's, and 4510's.  I'm sorry to report I didn't try it on ASA's, but I think ASA's are remarkably easy to upgrade--no need for an automated process.

           

          Upgrade the ASA  - Cisco

           

          From CLI:

           

          Copy the ASA software to flash memory:

          Copy the ASDM image to flash memory

          configure terminal

          show running-config boot system

          Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

          no boot system diskn:/[path/]asa_image_name

          Set the ASA image to boot (the one you just uploaded):

          boot system diskn:/[path/]asa_image_name

          Set the ASDM image to use (the one you just uploaded):

          asdm image diskn:/[path/]asdm_image_name

          write memory

          reload

           

           

          Or do it via ASDM:

           

          Hopefully you have a consistent deployment/configuration of interfaces, and that your source/destination interfaces on all ASA's are the same.  That will make scripting and automating the process that much easier, and you won't need to do a discovery on each one to see which Interface is the right one to use as a source/destination for copying, logging, TACACS/RADIUS, NTP, etc.

           

           

            • Re: NCM 7.6 ASA Firmware update?
              Jenya

              I know upgrading an ASA is rather easy... but I thought the point of the Firmware Upgrade feature was automation. We don't have a consistent configuration of interfaces for ASAs since some are used for remote site VPN and some are local. Basically what we need is a way to script getting the correct interface into the copy command. The funny part is that SolarWinds has the correct interface to be used (the one that is being monitored), but I can't find a way to get that information from NPM/NCM into the Firmware upgrade process.
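
Added example, not part of the thread and not SolarWinds or Cisco code: one way to resolve the IP address the monitoring system polls to the ASA interface name (`nameif`), working from the interface stanzas of a saved running configuration. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of ASA interface stanzas (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no ip address
!
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each named, statically addressed interface."""
    found = {}
    for stanza in re.split(r"(?m)^interface ", config)[1:]:
        body = stanza.split("\n!", 1)[0]  # stop at the end of this stanza
        name = re.search(r"(?m)^ nameif (\S+)", body)
        addr = re.search(rf"(?m)^ ip address {IPV4} {IPV4}", body)
        if name and addr:  # skips unnamed, unaddressed and DHCP interfaces
            found[name.group(1)] = ipaddress.ip_interface(
                f"{addr.group(1)}/{addr.group(2)}")
    return found


def source_interface_for(config, monitored_ip):
    """Return the nameif whose own address is the IP the monitoring system polls."""
    target = ipaddress.ip_address(monitored_ip)
    matches = [n for n, a in parse_interfaces(config).items() if a.ip == target]
    if len(matches) != 1:  # fail closed rather than guess an interface
        raise LookupError(f"{monitored_ip}: expected one interface, found {matches}")
    return matches[0]


if __name__ == "__main__":
    print(source_interface_for(SAMPLE_CONFIG, "10.20.30.1"))
```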

                • Re: NCM 7.6 ASA Firmware update?
                  rschroeder

                  I understand your goal, and the challenge.  I don't have an answer for it, but you can always hope someone else will read your discussion and offer advice.  Or you can call SolarWinds Support for assistance.

                   

                  For me, I'd think more out of the box to deal with the cause of the problem, instead of trying to kluge Orion products to work with the problem.  And in this case, the problem seems like it might be inconsistent naming of interfaces.  I'd either use NCM or a manual process to remotely access the ASA's and rename their interfaces appropriately for an enterprise management solution.  It may be a lot of work up front to discover and rename them, but once completed, the NCM upgrade solution should work intuitively and easily.

                   

                  The added benefit is you'll be able to use NCM to push out "source" commands for consistent protocol access for every device, like:

                   

                  ip tacacs source-interface Vlanxxx

                  ip ssh source-interface Vlanxxx

                  logging source-interface Vlanxxx

                  snmp-server trap-source Vlanxxx

                  snmp-server source-interface informs Vlanxxx

                  ntp source Vlanxxx

                   

                  And then you can create a Compliance Policy that ensures the above features are correctly implemented on every device, and it can alert you if it finds a configuration that's different, or that's missing something.

                   

                  Good luck in this endeavor!  Please post what you end up using for a solution so we can all learn with you.

                   

                  Yours,

                   

                  Rick Schroeder
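
Added example, not part of the thread and not an NCM Compliance Policy definition: the check described in the last reply, written as a standalone script over saved configurations. The command prefixes are the ones listed in the post; the device names, the sample configurations and the expected interface `Vlan10` are constructed assumptions.

```python
# Command prefixes from the post; each must be present and name the expected interface.
REQUIRED = [
    "ip tacacs source-interface",
    "ip ssh source-interface",
    "logging source-interface",
    "snmp-server trap-source",
    "snmp-server source-interface informs",
    "ntp source",
]

# Constructed sample configurations (hypothetical device names).
SAMPLE_CONFIGS = {
    "sw-a": "\n".join(f"{cmd} Vlan10" for cmd in REQUIRED),
    "sw-b": """\
ip tacacs source-interface Vlan10
ip ssh source-interface  Loopback0
logging source-interface Vlan10
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
""",
}


def audit(config, expected):
    """Return {command: finding} for lines that are missing or name another interface."""
    # Collapse runs of whitespace so spacing differences do not hide a match.
    lines = [" ".join(line.split()) for line in config.splitlines()]
    findings = {}
    for cmd in REQUIRED:
        used = [l[len(cmd):].split()[0] for l in lines if l.startswith(cmd + " ")]
        wrong = [u for u in used if u.casefold() != expected.casefold()]
        if not used:
            findings[cmd] = "missing"
        elif wrong:
            findings[cmd] = "uses " + ", ".join(wrong)
    return findings


def audit_fleet(configs, expected):
    """Return only the devices that have at least one finding."""
    report = {dev: audit(cfg, expected) for dev, cfg in configs.items()}
    return {dev: found for dev, found in report.items() if found}


if __name__ == "__main__":
    for device, found in audit_fleet(SAMPLE_CONFIGS, "Vlan10").items():
        print(device, found)
```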