In attempting to fix bug CSCvd78303 (ARP functions fail after 213 days of uptime), I ended up running into another daunting situation. Since there are several ASA versions to upgrade to, I went with the latest one, 9.7(1.4), and ended up with the following:
ASA# sh module sfr det
Getting details from the Service Module, please wait…
Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
<snip>
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.1.0-330
Data Plane Status: Down
Console session: Ready
Status: Up
Now, I did about 10+ 5500-X FirePOWER upgrades to version 9.7(1)4 and they all went just fine, which threw me for a loop, thinking it was a hardware-related issue. But not this time. Bug CSCvd53884 provides basic details on this issue. I ended up going to 9.7(1)8 (even though it is an interim release) to resolve this issue.
ASA# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506
 sfr FirePOWER Services Software Module           ASA5506

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a0e0.af56.b625 to a0e0.af56.b62e  1.1          1.1.8        9.7(1)8
 sfr a0e0.af56.b624 to a0e0.af56.b624  N/A          N/A          6.1.0-330

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.1.0-330

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
The last few months were very rough for Cisco ASA, with the hardware clock issue, the ARP failure bug, and critical security vulnerabilities, so chasing the right version wasn't easy. Let's see how this one holds up.
UPD: Another reason for the Data Plane being down may be the snort process being stuck in the waiting state due to a file permission issue on the Sensor, with the device not receiving the complete config. In this case, continue with joining the Sensor to FMC and perform a Policy push from FMC to the Sensor. Once the policy is received, the status will change to UP.
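An added example (not from the original post): a small Python check that parses captured "show module sfr details" output and flags the state shown above, where the module and application report Up while the data plane is Down. The function names and the embedded sample are assumptions, built from the output quoted in the post; it is meant for checking saved output from several ASAs after an upgrade.

```python
# Constructed sample: the 'show module sfr details' output quoted in the post
# (the <snip> line stands for fields the post omitted).
SAMPLE_DOWN = """\
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
<snip>
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.1.0-330
Data Plane Status: Down
Console session: Ready
Status: Up
"""

def parse_module_details(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def check_sfr(text):
    """Return (ok, findings); ok is True only when all three states are Up."""
    fields = parse_module_details(text)
    findings = []
    for key in ("Status", "App. Status", "Data Plane Status"):
        value = fields.get(key)
        if value is None:
            findings.append(f"{key}: missing from output")
        elif value.lower() != "up":
            findings.append(f"{key}: {value}")
    # The case from the post: module and application Up, data plane Down.
    if findings == ["Data Plane Status: Down"]:
        findings.append("module reports Up but data plane is Down "
                        f"(ASA FirePOWER {fields.get('App. version', '?')})")
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = check_sfr(SAMPLE_DOWN)
    print("OK" if ok else "PROBLEM: " + "; ".join(findings))
```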