Access lost to ROMMON on ASA 5506

Youreateapot418
Level 1

I have an ASA 5506 that I had ROMMON access to....

I was doing a password recovery, so was surveying the menu settings.... 

I'm pretty certain now I selected yes to: disable "display break prompt"? 

Now I am in a position where the break key doesn't load into ROMMON anymore and just boots the image up.

But, as I don't have the password, I cannot get into any settings now.... any ideas? 

Terminal program (Tera Term) is fine, ESC key works with other firewalls and can get into the FW to see boot up and exec mode.

Accepted Solutions

From Overview (5506 basic overview doc)

[Screenshot attached in the original post]

Will give it a go later on and report back!

18 Replies

You don't show the boot-up screen, but when you disable password recovery, you should see something like this:

INFO: PASSWORD RECOVERY functionality is disabled.
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

Permanently erase 'disk0:'? no

 

The only way is to say "yes" to erase, and then it will wipe everything, including images, certs, configs, etc. If you have a backup you can recover; otherwise you are out of luck unless you can remember the password.

Have you forgotten the password? Do you have a backup?

 

**Please rate helpful posts**

I didn't disable password recovery.

I disabled "display break prompt"... it's an option within the confreg settings.

As a result, the firewall just boots normally.... the break function doesn't work to access ROMMON.

I don't have the enable password, so cannot fix this in privileged exec mode either.

Please share the screen you are referring to for review.

I can't share the issue anymore, as I cannot access ROMMON.... the firewall just boots normally, and doesn't respond to the break function....

Piecing together from another post, this is pretty much what happened when I got into ROMMON previously..

Configuration Register: 0x00000001
Configuration Summary
 [ 0 ] ignore system configuration
 [ 1 ] auto-boot image in disks
 [ 2 ] console baud: 9600
 
do you wish to change the configuration? y/n  [n]:  y
disable "password recovery"? y/n  [n]:  n
disable "display break prompt"? y/n  [n]:  y
enable "ignore system configuration"? y/n  [n]:  n
enable "auto-boot image in disks"? y/n  [n]:  n
change console baud rate? y/n  [n]:  n
select specific image in disks to boot? y/n  [n]:  n

I rebooted and now I'm in the situation I'm in....

I will send you PM tonight 

MHM

Disabling the display break prompt won't disable sending the break signal and processing it. What is happening could only be caused by a delay or maybe not sending the break signal at the right time. What I would personally try to do is to reboot the firewall and straight away hit the break signal continuously until hopefully the device boots into ROMMON again. If that doesn't work, please try with a different emulator software.

I have tried this... 

Holding ESC key

Continuously tapping ESC key

Waiting for the first bit of text on the screen, then hitting ESC....

Terminal software is fine... works fine with other FWs and routers, breaking into ROMMON

It's just the firewall, and has only happened since I changed this setting...

Could it be a case the time to enter the break prompt is now so quick, I'm not catching it?

You don't have to hold the escape key, rather press it continuously. I agree, it seems that you are not catching the prompt at the right time. Not sure if @Rob Ingram or @Marvin Rhoads have any other thoughts on this.

I've tried every combination numerous times now

Holding

tapping

waiting then tapping

pushing once when text appears

 

Marvin Rhoads
Hall of Fame

I've not seen this issue ...but then it has been quite some time since I had the occasion to watch an ASA boot from console. The BREAK or ESC key should always interrupt the boot sequence. The choice to disable display of the key choices should not affect the function of pressing the key(s).

It's looking more likely that it does.... or it happens so fast now that the break function doesn't make it to the ASA in time.

I had a 5506 lying around and I did a quick test and it did not go to ROMMON after disabling break prompt..

Will look again when I get a chance..

So I'm not going crazy  

I've tried it with PuTTY, SecureCRT, Tera Term.... all work with other FWs and routers...

Won't do it with this one.... will post screenshots later for update... 

Is my 5506 essentially bricked now?

If you can't manage to get into the ROMMON and you have to reset the firewall to its factory default, I think the 5506 does have a reset button on the back, but I'm not 100% sure as it's been a while since I touched a 5506.