02-19-2008 04:46 PM - edited 03-10-2019 04:00 AM
Hi,
I have ASA 5520 running ver 8.0(2) and AIP-SSM-20 version 5.1(6)E1. I lost the password and in the process to recover I tried loading the image on AIP-SSM-20. The image I am trying to load is IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img but the status on ASA still shows Recover. I am using the following configuration.
=============
AUFWMEL01# sh module 1 recover
Module 1 recover parameters...
Boot Recovery Image: Yes
Image URL: tftp://andrewl-IP/IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img
Port IP Address: 10.10.0.250
Gateway IP Address: H-10.10.0.254
VLAN ID: 0
==================
Under Port IP Address I have given the IP address of IPS (I was not sure what this means). Status "Recover" did not change for a day and then I stopped it. Tried again and the status is still the same.
What could be the issue and what is the solution to this problem. The document does not mention the time it will take to recoever and there is no way to monitor the progress. Any help / pointers in the right direction appreciated.
Regards
Manoj
02-19-2008 05:05 PM
which password have you lost SSM or ASA ?
02-19-2008 05:56 PM
Execute "debug module-boot".
The SSM runs a ROMMON similar to the ASA.
However, the user does not have direct access to the SSM Rommon.
The "debug module-boot" allows users to see the SSM ROMMON messages from the ASA console.
Watch the SSM ROMMON output and you maybe able to see what error is happening. More than likely something is misconfigured in your recovery configuration. If ROMMON is not able to download the file, the SSM reboots and ROMMON tries again. It continues to repeat this cycle until you stop it or fix the recover configuration.
My best guess in looking at your output from the post is that your filename may be incorrect.
Your filename listed is:
/IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img
But it should likely be:
/IPS-SSM-K9-sys-1.1-a-6.0-3-E1.img
without the "[1]" in the name.
In addition you need to use an IP Address for the tftp server. It looks like you may have used a machine name instead of an IP.
You are correct that the port IP is the same IP you used for the SSM management IP.
Other usual problems are using the wrong directory location on the tftp server.
02-20-2008 03:40 PM
Hi,
Your post was really helpful in identifying whats happening in the backend. But I keep getting this error. I have tried with different versions of the image. I am using tftpd32 (recommended by Cisco).
==============
AUFWMEL01# sh debug
debug module-boot enabled at level 1
AUFWMEL01# Slot-1 9> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Slot-1 10> Platform ASA-SSM-20
Slot-1 11> GigabitEthernet0/0
Slot-1 12> Link is UP
Slot-1 13> MAC Address: 001b.d588.865b
Slot-1 14> ROMMON Variable Settings:
Slot-1 15> ADDRESS=10.10.0.250
Slot-1 16> SERVER=10.10.0.28
Slot-1 17> GATEWAY=10.10.0.254
Slot-1 18> PORT=GigabitEthernet0/0
Slot-1 19> VLAN=untagged
Slot-1 20> IMAGE=IPS-SSM-K9-6-0-3-E1.img
Slot-1 21> CONFIG=
Slot-1 22> LINKTIMEOUT=20
Slot-1 23> PKTTIMEOUT=4
Slot-1 24> RETRY=20
Slot-1 25> tftp IPS-SSM-K9-6-0-3-E1.img@10.10.0.28 via 10.10.0.254
Slot-1 26> TFTP failure: Packet verify failed after 20 retries
Slot-1 27> Rebooting due to Autoboot error ...
Slot-1 28> Rebooting....
===========
Thanks for your help.
Regards
Manoj
02-20-2008 06:18 PM
For the benefit of others I am giving below the resolution of this problem.
In the setup, IPS and ASA inside network were the same and ASA inside IP was the default gateway. So when I configured the "hw-module module 1 recover config" I gave the ASA inside IP address as the default gateway (which was not wrong). Because my tftp was also on the same subnet there was no need of a default gateway. So if you give the IP address of TFTP server as your default gateway the problem will be resolved.
Important please ensure the Network cable is connected to the AIP-SSM module and can reach the tftp server.
Regards
Manoj
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: