Introduction

    This document describes the upgrade procedure for a High Availability (HA) pair of Adaptive Security Appliances (ASA) installed on Firepower hardware appliances.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • ASA management
    • ASA failover

    Components Used

    The information in this document is based on these software and hardware versions:

    • 2 x FP4150 running code 2.0.1-86
    • ASA 9.6.2.1 (upgraded to 9.6.2.3)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Background Information

    The upgrade procedure for ASA modules installed on Firepower appliances (FPR4100, FPR9300 etc.) when configured in HA (Active/Standby or Active/Active) is described in the Firepower eXtensible Operating System (FXOS) configuration guide. This is the relevant section:

    The goal of this document is to provide a more detailed overview of the upgrade process in an HA environment.

    Note: This document assumes that the target ASA version is compatible with the existing FXOS version, so an FXOS bundle upgrade is not necessary in this scenario. Always check the FXOS compatibility matrix to confirm whether the target ASA version is compatible with the FXOS image. If it is not, first upgrade the FXOS image as described in the FXOS release notes.

    Configure

    Network Diagram

    ASA1 as seen in the Firepower Chassis Manager (FCM) UI:

    ASA2:

    Task 1. Download the ASA Image from the Cisco Software Download Page

    Navigate to Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) and select the HW platform (i.e. 4100, 9000 etc.) as shown in the image.

    Task 2. Upload the ASA Image to the Firepower Chassis Manager

    Upload the ASA image to the Firepower chassis. This can be done from the Firepower Chassis Manager (FCM) UI or from the FXOS command line interface (CLI).

    Method 1. Upload the ASA image from the FCM UI.

    Navigate to System > Updates. Select Upload Image, specify the file name and select Upload:

    Method 2. Upload the ASA image from the FXOS CLI.

    You can upload the image from an FTP, SCP, SFTP or TFTP server. To verify connectivity between the chassis management interface and the remote server, run the following, as shown:

    FPR4100# connect local-mgmt
    FPR4100(local-mgmt)# ping 10.48.40.70
    PING 10.48.40.70 (10.48.40.70) from 10.62.148.88 eth0: 56(84) bytes of data.
    64 bytes from 10.48.40.70: icmp_seq=1 ttl=61 time=34.4 ms
    64 bytes from 10.48.40.70: icmp_seq=2 ttl=61 time=34.3 ms
    64 bytes from 10.48.40.70: icmp_seq=3 ttl=61 time=34.3 ms

    To transfer the ASA image, navigate to this scope and run the download image command:

    FPR4100# scope ssa
    FPR4100 /ssa # scope app-software
    FPR4100 /ssa/app-software # download image ftp://ftp_username@10.48.40.70/cisco-asa.9.6.2.3.SPA.csp
    Password:

    To monitor the image transfer progress, run the show download-task detail command:

    FPR4100 /ssa/app-software # show download-task detail
    
    Downloads for Application Software:
        File Name: cisco-asa.9.6.2.3.SPA.csp
        Protocol: Ftp
        Server: 10.48.40.70
        Port: 0
        Userid: anonymous
        Path:
        Downloaded Image Size (KB): 94214
        Time stamp: 2016-12-08T10:21:56.775
        State: Downloading
        Transfer Rate (KB/s): 450.784698
        Current Task: downloading image cisco-asa.9.6.2.3.SPA.csp from 10.48.40.70(FSM-STAGE:sam:dme:ApplicationDownloaderDownload:Local)
    

    You can also use this command to verify that the transfer was successful:

    FPR4100 /ssa/app-software # show download-task
    
    Downloads for Application Software:
        File Name                      Protocol   Server          Port      Userid       State
        ------------------------------ ---------- --------------- --------- ------------ -----
        cisco-asa.9.6.2.2.SPA.csp      Ftp        10.48.40.70             0 anonymous    Downloaded

    For additional details:

    FPR4100 /ssa/app-software # show download-task fsm status expand
    
    File Name: cisco-asa.9.6.2.3.SPA.csp
    
        FSM Status:
    
            Affected Object: sys/app-catalogue/dnld-cisco-asa.9.6.2.3.SPA.csp/fsm
            Current FSM: Download
            Status: Success
            Completion Time: 2016-12-08T10:26:52.142
            Progress (%): 100
    
            FSM Stage:
    
            Order  Stage Name                               Status       Try
            ------ ---------------------------------------- ------------ ---
            1      DownloadLocal                            Success      1
            2      DownloadUnpackLocal                      Success      1
    

    The ASA image is now shown in the chassis repository:

    FPR4100 /ssa/app-software # exit
    FPR4100 /ssa # show app
    
    Application:
        Name       Version    Description Author     Deploy Type CSP Type    Is Default App
        ---------- ---------- ----------- ---------- ----------- ----------- --------------
        asa        9.6.2.1    N/A         cisco      Native      Application No
        asa        9.6.2.3    N/A         cisco      Native      Application No
    

    Task 3. Upgrade the First ASA Unit

    Upgrade the standby ASA unit first, as shown in the image:

    Specify the new image and select OK in order to start the upgrade:

    Verification

    ASA upgrade progress from the FCM GUI:

    After 1-2 minutes the FCM UI shows:

    The ASA module reloads:

    ASA upgrade process from the Firepower chassis CLI.

    The CLI shows the logical device (ASA) rebooting. The whole upgrade process, as seen from the module boot CLI, is in this output:

    asa/sec/stby(config)#
    [screen is terminating]
    Disconnected from asa console!
    Firepower-module1>
    INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 5738)
    .
    Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 5742)
    acpid: exiting
    
    acpid.
    Stopping system message bus: dbus.
    Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 6186)
    done
    Stopping crond: OK
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    SIGKILL_ALL will be delayed for 1 + 5 secs
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting... [ 1679.605561] Restarting system.
    
     Cisco Systems, Inc.
     Configuring and testing memory..
    
     Cisco Systems, Inc.
     Configuring and testing memory..
     Configuring platform hardware...
    Bios Version : FXOSSM1.1.2.1.3.031420161207        
    Platform ID  : FXOSSM1                                                                                                                                                                        
    Processor(s) Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
    Total Memory  = 256 GB Effective Memory = 256 GB
    Memory Operating Speed 2400 Mh
    
    Please wait, preparing to boot.. .........................................................................................................
    UEFI Interactive Shell v2.0. UEFI v2.40 (American Megatrends, 0x0005000B). Revision 1.02
    Mapping table
          fs0: Alias(s):HD17a65535a1:;blk1:
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(1,MBR,0x000EC692,0x800,0xEE6800)
         blk0: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)
         blk2: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(2,MBR,0x000EC692,0xEE7000,0x3BA000)
         blk3: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(3,MBR,0x000EC692,0x12A1000,0x950000)
         blk4: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(4,MBR,0x000EC692,0x1BF1000,0x2CD20800)
         blk5: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(4,MBR,0x000EC692,0x1BF1000,0x2CD20800)/HD(1,MBR,0x00000000,0x1BF1800,0x5D22000)
         blk6: Alias(s):
              PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(4,MBR,0x000EC692,0x1BF1000,0x2CD20800)/HD(2,MBR,0x00000000,0x7914000,0x26FFD800)
    To launch ROMMON.
    
    CpuFrequency = 2200002 KHz
    Cisco FXOSSM1 Blade Rommon 1.2.1.3, Mar 14 2016 12:11:29
    Platform: SSPXRU
    
    INFO: enic_identify: Enabling Cruz driver...
    INFO: enic_identify: Cruz driver enabled.
    INFO: init_spi_interface: HSFS_BERASE_4K.
    INFO: enic_init: bar[0].vaddr 0xc6e00000.
    INFO: enic_init: bar[2].vaddr 0xc6e10000.
    INFO: enic_init: eNic port MTU is 1500.
    INFO: enic_init: eNic bsize 1500 ring size 512.
    INFO: enic_init: Waiting for Cruz link...
    INFO: enic_init: Cruz link detected.
    INFO: nb_eth_app_init: MAC address for interface 0: 00 15 a5 01 01 00
    INFO: nb_eth_app_init: IP address 127.128.1.254
    
    Start communicating with MIO in blade slot 1...
    INFO: Allocated 1000 bytes of memory for cmd at 0x78a7d018.
    INFO: Allocated 1000 bytes of memory for status at 0x76d34918.
    INFO: Allocated 196608 bytes of memory for key file at 0x76d03018.
    INFO: Status code 1: 'rommon initialize is completed'.
    
    INFO: tftp_open: '/rommon/status_1.txt'@127.128.254.1 via 127.128.254.1
    !
    INFO: nb_tftp_upload: 31 bytes sent.
    tftpget 0x78a7d018 1000
    INFO: tftp_open: '/rommon/command_1.txt'@127.128.254.1 via 127.128.254.1
    Received 154 bytes
    WARNING: retrieve_mio_cmd_info: Invalid checksum 0x0.
    tftpget 0x76d03018 196608
    INFO: tftp_open: 'rommon/key_1.bin'@127.128.254.1 via 127.128.254.1
    !
    Received 131072 bytes
    INFO: Status code 8: 'rommon succeeds to retrieve key file'.
    INFO: tftp_open: '/rommon/status_1.txt'@127.128.254.1 via 127.128.254.1
    !
    INFO: nb_tftp_upload: 31 bytes sent.
    INFO: Primary keys in flash are up-to-date.
    INFO: Backup keys in flash are up-to-date.
    continue check local image
    the image file path: installables/chassis/fxos-lfbff-k8.9.6.2.2.SPA
    the image file name only: fxos-lfbff-k8.9.6.2.2.SPA
    local_image_file: fs0:fxos-lfbff-k8.9.6.2.2.SPA
    INFO: File 'fs0:fxos-lfbff-k8.9.6.2.2.SPA' has 104831328 bytes.
    local_image_file_size 104831328
    Found image fs0:fxos-lfbff-k8.9.6.2.2.SPA in local storage, boot local image.
    set pboot_image fxos-lfbff-k8.9.6.2.2.SPA
    INFO: File 'fs0:fxos-lfbff-k8.9.6.2.2.SPA' has 104831328 bytes.
    INFO: 'fs0:fxos-lfbff-k8.9.6.2.2.SPA' has 104831328 bytes
    INFO: Booting LFBFF image...
    INFO: Status code 7: 'rommon about to verify image signature from local disk'.
    INFO: tftp_open: '/rommon/status_1.txt'@127.128.254.1 via 127.128.254.1
    !
    INFO: nb_tftp_upload: 31 bytes sent.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.2.2.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0
    No Partitions for HDD2.. Creating partition..
    mount: special device /dev/sdb1 does not exist
    rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.2.2.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0
    Create libvirt group
    Start libvirtd Service
     * Starting virtualization library daemon: libvirtd
    no /usr/bin/dnsmasq found; none killed
    2016-12-07 12:47:24.090+0000: 4373: info : libvirt version: 1.1.2
    2016-12-07 12:47:24.090+0000: 4373: warning : virGetHostname:625 : getadd[ ok ]failed for 'ciscoasa': Name or service not known
    Disable the default virtual networks
    Network default destroyed
    
    Done with libvirt initialization
    rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.2.2.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0
    +++++++++++++++ BOOT CLI FILES COPIED +++++++++++++++++++++++++++
    rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.2.2.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0
    Turbo Boost is UNSUPPORTED on this platform.
    Configuration Xml found is /opt/cisco/csp/applications/configs/cspCfg_cisco-asa.9.6.2.3__asa_001_JAD201200C64A93395.xml
    INIT: Entering runlevel: 3
    rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.2.2.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0
    Starting system message bus: dbus.
    Starting OpenBSD Secure Shell server: sshd
      generating ssh RSA key...
      generating ssh ECDSA key...
      generating ssh DSA key...
    done.
    Starting Advanced Configuration and Power Interface daemon: acpid.
    acpid: starting up
    
    acpid: 1 rule loaded
    
    acpid: waiting for events: event logging is off
    
    Starting ntpd: done
    Starting crond: OK
                Cisco Security Services Platform
                      Type ? for list of commands
    Firepower-module1>
    Firepower-module1>show services status
    Services currently running:
    Feature   | Instance ID    |     State  |          Up Since
    -----------------------------------------------------------
    asa     | 001_JAD201200C64A93395 |   RUNNING  | :00:00:20
    Firepower-module1>
    

    The whole procedure takes approximately 5 minutes.

    You can also use the show app-instance command from the chassis CLI to verify that the ASA application has come online:

    FPR4100# scope ssa
    FPR4100 /ssa # show app-instance
    Application Name     Slot ID    Admin State     Operational State  Running Version Startup Version Cluster Oper State
    -------------------- ---------- --------------- ------------------ --------------- --------------- ------------------
    asa                  1          Enabled         Online             9.6.2.3          9.6.2.3         Not Applicable
    

    The ASA modules discover each other:

    asa/sec/actNoFailover>
    ************WARNING****WARNING****WARNING******************************** Mate version 9.6(2)1 is not identical with ours 9.6(2)3 ************WARNING****WARNING****WARNING********************************
    .
            Detected an Active mate
    Beginning configuration replication from mate.
    End configuration replication from mate.
    
    asa/sec/stby> 
    

    Verification

    FPR4100# connect module 1 console
    Telnet escape character is '~'.
    Trying 127.5.1.1...
    Connected to 127.5.1.1.
    Escape character is '~'.

    CISCO Serial Over LAN:
    Close Network Connection to Exit

    Firepower-module1> connect asa
    asa> enable
    Password:
    asa/sec/stby# show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: fover Ethernet1/8 (up)
    Reconnect timeout 0:00:00
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 1041 maximum
    MAC Address Move Notification Interval not set
    Version: Ours 9.6(2)3, Mate 9.6(2)1
    Serial Number: Ours FLM2006EQFW, Mate FLM2006EN9U
    Last Failover at: 12:48:23 UTC Dec 7 2016
            This host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)3) status (Up Sys)
                      Interface INSIDE (192.168.0.2): Normal (Not-Monitored)
                      Interface OUTSIDE (192.168.1.2): Normal (Monitored)
                      Interface management (0.0.0.0): Normal (Waiting)
            Other host: Primary - Active
                    Active time: 10320 (sec)
                    slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)1) status (Up Sys)
                      Interface INSIDE (192.168.0.1): Normal (Not-Monitored)
                      Interface OUTSIDE (192.168.1.1): Normal (Monitored)
                      Interface management (10.0.0.50): Normal (Waiting)
    ...

    To confirm proper failover operation between the ASA units, run these commands:

    • show conn count
    • show xlate count
    • show crypto ipsec sa

    Task 4. Upgrade the Second ASA Unit

    Swap the failover peers and upgrade the primary ASA:

    asa/sec/stby# failover active
    
            Switching to Active
    asa/sec/act#
    


    Specify the new image and start the upgrade:

    After 5 minutes the upgrade completes.

    Verification

    From the chassis CLI, verify that the ASA application has come online:

    FPR4100# scope ssa
    FPR4100 /ssa # show app-instance
    Application Name     Slot ID    Admin State     Operational State  Running Version Startup Version Cluster Oper State
    -------------------- ---------- --------------- ------------------ --------------- --------------- ------------------
    asa                  1          Enabled         Online             9.6.2.3          9.6.2.3         Not Applicable
    

    From the ASA module, verify the failover operation:

    asa/pri/stby# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: fover Ethernet1/8 (up)
    Reconnect timeout 0:00:00
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 1041 maximum
    MAC Address Move Notification Interval not set
    Version: Ours 9.6(2)3, Mate 9.6(2)3
    Serial Number: Ours FLM2006EN9U, Mate FLM2006EQFW
    Last Failover at: 14:35:37 UTC Dec 7 2016
            This host: Primary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)3) status (Up Sys)
                      Interface INSIDE (192.168.0.2): Normal (Not-Monitored)
                      Interface OUTSIDE (192.168.1.2): Normal (Waiting)
                      Interface management (0.0.0.0): Normal (Waiting)
            Other host: Secondary - Active
                    Active time: 656 (sec)
                    slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(2)3) status (Up Sys)
                      Interface INSIDE (192.168.0.1): Failed (Not-Monitored)
                      Interface OUTSIDE (192.168.1.1): Normal (Waiting)
                      Interface management (10.0.0.50): Normal (Waiting)
    
    Stateful Failover Logical Update Statistics
            Link : fover Ethernet1/8 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         7          0          8          0
    ...


    Swap the failover again, as in the previous step, so that the Primary is Active and the Secondary is Standby:

    asa/pri/stby# failover active
    
            Switching to Active
    asa/pri/act#
    
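    As an added example (not part of Cisco's document), a small Python checker for the show failover output used in the task 3 and task 4 verifications: it extracts the Ours/Mate versions, the unit states and any interface reported as Failed, and lists the reasons not to issue failover active, treating the version mismatch at the end of task 3 as expected. The sample output, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the page's "show failover" output (end of
# task 3: local standby already on 9.6(2)3, mate still on 9.6(2)1, plus one
# interface reported as Failed). Addresses are placeholders, not captures.
SAMPLE = """\
Failover On
Failover unit Secondary
Version: Ours 9.6(2)3, Mate 9.6(2)1
        This host: Secondary - Standby Ready
                  Interface INSIDE (192.168.0.2): Normal (Not-Monitored)
                  Interface OUTSIDE (192.168.1.2): Normal (Monitored)
        Other host: Primary - Active
                  Interface INSIDE (192.168.0.1): Failed (Not-Monitored)
                  Interface OUTSIDE (192.168.1.1): Normal (Monitored)
"""

def parse_failover(text):
    """Pull the fields an HA upgrade gate needs out of 'show failover' text."""
    ver = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    this = re.search(r"This host: \w+ - ([^\n]+)", text)
    other = re.search(r"Other host: \w+ - ([^\n]+)", text)
    return {
        "failover_on": "Failover On" in text,
        "ours": ver.group(1) if ver else None,
        "mate": ver.group(2) if ver else None,
        "this_state": this.group(1).strip() if this else None,
        "other_state": other.group(1).strip() if other else None,
        # names of interfaces in 'Failed' state on either unit
        "failed": re.findall(r"Interface (\S+) \([^)]*\): Failed", text),
    }

def failover_issues(text, target, mate_upgraded):
    """Reasons not to proceed (empty list = go). mate_upgraded=False is the
    gate before 'failover active' at the end of task 3, when the mate still
    runs the old release; True is the final check after task 4."""
    f = parse_failover(text)
    issues = []
    if not f["failover_on"]:
        issues.append("failover is not On")
    if f["ours"] != target:
        issues.append("local unit runs %s, expected %s" % (f["ours"], target))
    if mate_upgraded and f["mate"] != target:
        issues.append("mate runs %s, expected %s" % (f["mate"], target))
    if f["this_state"] != "Standby Ready":
        issues.append("local unit is '%s', not Standby Ready" % f["this_state"])
    if f["other_state"] != "Active":
        issues.append("mate is '%s', not Active" % f["other_state"])
    issues += ["interface %s is Failed" % name for name in f["failed"]]
    return issues
```

    Feed it the pasted output of show failover from the unit you are about to make active; an empty list is the only result that should be followed by failover active.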

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    Related Information