Validate ASA image checksum/integrity after copied to flash

lcaruso — Tue, 12 Mar 2019 00:44:03 GMT

Hi,

I've had occasional issues with 5505 upgrades going south when the boot hangs on the image load due to a corrupt image. I need a way to validate the checksum of the new image after it is copied to flash. Remote upgrades become a real pain when you have to go onside just to delete an image, copy it into flash again, and boot.

I thought ASDM did that when you used the file transfer tool, but I guess not.

Is there a way to do this?

Thanks.

Re: Validate ASA image checksum/integrity after copied to flash

Jouni Forss — Mon, 07 Jan 2013 15:10:05 GMT

Hi,

Theres atleast this command (quote from Command Reference)

verify

To verify the checksum of a file, use the verify command in privileged EXEC mode.

verify path

verify /[md5 path [md5-value] | sha-512] signature

Syntax Description


/md5	(Optional) Calculates and displays the MD5 value for the specified software image. Compare this value with the value available on Cisco.com for this image.
md5-value	(Optional) The known MD5 value for the specified image. When an MD5 value is specified in the command, the system will calculate the MD5 value for the specified image and display a message verifying that the MD5 values match or that there is a mismatch.
path	•disk0:/[path/]filename This option is only available for the ASA, and indicates the internal Flash memory. You can also use flash instead of disk0; they are aliased. •disk1:/[path/]filename This option is only available for the ASA, and indicates the external Flash memory card. •flash:/[path/]filename This option indicates the internal Flash card. For the ASA, flash is an alias for disk0. •ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx] The type can be one of the following keywords: –ap—ASCII passive mode –an—ASCII normal mode –ip—(Default) Binary passive mode –in—Binary normal mode •http[s]://[user[:password]@]server[:port]/[path/]filename •tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name] Specify the interface name if you want to override the route to the server address. The pathname cannot include spaces. If a pathname has spaces, set the path in the tftp-server command instead of in the verify command.
/sha-512	(Optional) Calculates and displays the SHA-512 value for the specified software image. Compare this value with the value available on Cisco.com for this image.
signature	Specifies an optional hexadecimal string. If specified, the signature embedded in the image is compared to the signature provided.

Defaults

The current flash device is the default file system.

Note When you specify the /md5 option, you can use a network file, such as ftp, http and tftp as the source. The verify command without the /md5 option only lets you verify local images in Flash.

Command Modes

The following table shows the modes in which you can enter the command:


Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
	Routed	Transparent	Single	Context	System
Privileged EXEC	•	•	•	—	•

Command History


Release	Modification
7.2(1)	This command was introduced.
8.4(4.1)	The /sha-256 option was added.

Usage Guidelines

Use the verify command to verify the checksum of a file before using it.

Each software image that is distributed on disk uses a single checksum for the entire image. This checksum is displayed only when the image is copied into Flash memory; it is not displayed when the image file is copied from one disk to another.

Before loading or duplicating a new image, record the checksum and MD5 information for the image so that you can verify the checksum when you copy the image into Flash memory or onto a server. A variety of image information is available on Cisco.com.

To display the contents of Flash memory, use the show flash command. The Flash contents listing does not include the checksum of individual files. To recompute and verify the image checksum after the image has been copied into Flash memory, use the verify command. Note, however, that the verify command only performs a check on the integrity of the file after it has been saved in the file system. It is possible for a corrupt image to be transferred to the security appliance and saved in the file system without detection. If a corrupt image is transferred successfully to the security appliance, the software will be unable to tell that the image is corrupted and the file will verify successfully.

To use the message-digest5 (MD5) hash algorithm to ensure file validation, use the verify command with the /md5 option. MD5 is an algorithm (defined in RFC 1321) that is used to verify data integrity through the creation of a unique 128-bit message digest. The /md5 option of the verify command allows you to check the integrity of the security appliance software image by comparing its MD5 checksum value against a known MD5 checksum value for the image. MD5 values are now made available on Cisco.com for all security appliance software images for comparison against local system image values.

To perform the MD5 integrity check, issue the verify command using the /md5 keyword. For example, issuing the verify /md5 flash:cdisk.bin command will calculate and display the MD5 value for the software image. Compare this value with the value available on Cisco.com for this image.

Alternatively, you can get the MD5 value from Cisco.com first, then specify this value in the command syntax. For example, issuing the verify /md5 flash:cdisk.bin 8b5f3062c4cacdbae72571440e962233 command will display a message verifying that the MD5 values match or that there is a mismatch. A mismatch in MD5 values means that either the image is corrupt or the wrong MD5 value was entered.

If neither MD5 nor SHA-512 is specified, a SHA-512 based integrity check is performed on Version 8.4(4.1) images and later, and an MD5-based integrity check is performed on Version 8.4(3) images and earlier.

Examples

The following example shows the verify command used on an image file called cdisk.bin. Some of the text was removed for clarity:

hostname# verify cdisk.bin

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!

Embedded Hash MD5: af5a155f3d5c128a271282c33277069b

Computed Hash MD5: af5a155f3d5c128a271282c33277069b

CCO Hash      MD5: b569fff8bbf8087f355aaf22ef46b782

Signature Verified

Verified disk0:/cdisk.bin

hostname#

- Jouni

Validate ASA image checksum/integrity after copied to flash

vsoukhavong — Mon, 16 Dec 2013 00:37:39 GMT

I've see the same problem on ASA 5505s (and PIX515). It verifies correctly and matches the CCO Hash MD5 as per image info from Cisco.com. But hangs on the image that I had uploaded to it whether by tftp or pscp or asdm (and directly connected to it). Doesn't matter if its an upgrade or downgrade. It hangs on the image loading part. "Loading disk0:/asa842-k8.bin..." and will not and will not try the 2nd image. However, I am not always able to reproduce the problem.

The problem is not the image as if you re-up the same image, it will work. Its a bit of luck sometimes... had jumped into ROMMON and boot up on something else, say the 8.4.6 image and it worked. Other times I've upgraded with no problems... I can't pin point it, but just wanted to warn others that the verify does not guarantee your 5505 will boot up.

Seen this problem again twice this week.

topic Re: Validate ASA image checksum/integrity after copied to flash in Network Security

Validate ASA image checksum/integrity after copied to flash

Re: Validate ASA image checksum/integrity after copied to flash

verify

Syntax Description

Defaults

Command Modes

Command History

Usage Guidelines

Examples

Validate ASA image checksum/integrity after copied to flash