Reimage/downgrade Firepower FTD 1100/2100

I had some problems while downgrading, and the documentation is not really clear about this, so here are my steps.

  1. from fxos, reformat system
    firepower-2110# connect local-mgmt
    firepower-2110(local-mgmt)# format everything
    All configuration and bootable images will be lost.
    Do you still want to format? (yes/no):yes
  2. enter rommon and boot via tftp
    rommon 1 > address
    rommon 2 > netmask
    rommon 3 > server
    rommon 4 > gateway
    rommon 5 > file cisco-asa-fp2k.9.8.2.SPA
    rommon 6 > set
    rommon 7 > sync
    rommon 8 > tftp -b
  3. everything is erased so you have to reconfigure your mgmt interface
    firepower-2110# scope fabric-interconnect a
    firepower /fabric-interconnect* # set out-of-band static ip netmask gw
    firepower /fabric-interconnect* # commit-buffer
  4. download image (could not get USB to mount so I used ftp)
    firepower # scope firmware
    firepower /firmware # download image ftp://user@
    check status:
    firepower /firmware # show download-task
  5. install image
    look at version you want to install:
    firepower /firmware # show package
    firepower /firmware # scope auto-install
    firepower /firmware/auto-install # install security-pack version
    check status (wait for Update Software Pack Completed):
    firepower /firmware # show
  6. configure ftd/initial configuration
    firepower /firmware # connect ftd

Upload files to your Cisco ASA via pscp – no password prompt

– make sure you have a user defined on the ASA with privilege 15
– make sure you have ssh scopy enable configured
– on your Linux host, enter pscp -pw <password> <filename> <username>@<ASA IP>:<location/filename>

something like: pscp -pw THISisp4ssw0rdf anyconnectfile.pkg adminusername@

if you want to use scp with password prompt use: scp anyconnectfile.pkg adminusername@

BGP cannot connect

Simple configuration in GNS3 won’t work. All I get from debug is:

went from nsf_not_active to nsf_not_active

The solution is quite simple: under the BGP process, on the neighbor statement, add “disable-connected-check”.
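As an added illustration (not configuration from the original post), here is the setup where this option is typically needed: two eBGP routers that are one hop apart but peer between loopback addresses. The AS numbers, interface names and addresses are constructed, and the loopback topology is an assumption, since the post does not show the lab layout.

```ios
! R1, AS 65001 (constructed values). R2 mirrors this with the addresses swapped.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 no shutdown
!
! The peer's loopback must be reachable over the directly connected link.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
! Without disable-connected-check, the eBGP session to a loopback address
! never starts, because the neighbor address is not on a connected subnet.
! The option only skips that check: the session TTL stays at 1, so the peer
! must still be a single hop away (unlike ebgp-multihop, which raises the TTL).
router bgp 65001
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 disable-connected-check
```

After applying the matching configuration on the peer, show ip bgp summary shows whether the session has established.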