
ASA 5506 Will Not Boot

PAUL REEVES
Level 1

Hi,

   I was trying to upgrade the software on my device and when it finished transferring it failed to boot. I have spent two days reading forums and these boards with no resolution. I have posted the output I get below. Any help or advice would be greatly received.

 

Thanks

      Paul

 

*** Output from config line 19, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 24, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 27, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 28, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 32, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 35, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 36, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 43, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 44, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 48, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 51, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 52, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 56, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 59, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 60, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 64, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 67, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 68, "  policy static sgt disa..."

bridge-group 1
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, " bridge-group 1"

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 75, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 76, "  policy static sgt disa..."

  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 83, "  propagate sgt preserve..."

  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 84, "  policy static sgt disa..."

interface BVI1
          ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 88, "interface BVI1"

nameif inside
     ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 89, " nameif inside"

security-level 0
   ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 90, " security-level 0"

ip address 192.168.1.1 255.255.255.0
     ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 91, " ip address 192.168.1.1 ..."

ngips conn-match vlan-id
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 94, "ngips conn-match vlan-id"
.ERROR: Command requires failover license
*** Output from config line 106, "no failover"
ERROR: % Ambiguous command:  "no monitor-interface inside"
*** Output from config line 107, "no monitor-interface ins..."

timeout igp stale-route 0:01:10
         ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 123, "timeout igp stale-route ..."

ip-client outside
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 140, "ip-client outside"

ip-client outside ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 141, "ip-client outside ipv6"

ip-client inside1_2
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 142, "ip-client inside1_2"

ip-client inside1_2 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 143, "ip-client inside1_2 ipv6"

ip-client inside1_3
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 144, "ip-client inside1_3"

ip-client inside1_3 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 145, "ip-client inside1_3 ipv6"

ip-client inside1_4
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 146, "ip-client inside1_4"

ip-client inside1_4 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 147, "ip-client inside1_4 ipv6"

ip-client inside1_5
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 148, "ip-client inside1_5"

ip-client inside1_5 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 149, "ip-client inside1_5 ipv6"

ip-client inside1_6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 150, "ip-client inside1_6"

ip-client inside1_6 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 151, "ip-client inside1_6 ipv6"

ip-client inside1_7
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 152, "ip-client inside1_7"

ip-client inside1_7 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 153, "ip-client inside1_7 ipv6"

ip-client inside1_8
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 154, "ip-client inside1_8"

ip-client inside1_8 ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 155, "ip-client inside1_8 ipv6"

ip-client diagnostic
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 156, "ip-client diagnostic"

ip-client diagnostic ipv6
  ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 157, "ip-client diagnostic ipv..."
ERROR: % Ambiguous command:  "dhcpd address 192.168.1.5-192.168.1.254 inside"
*** Output from config line 168, "dhcpd address 192.168.1...."
ERROR: % Ambiguous command:  "dhcpd enable inside"
*** Output from config line 169, "dhcpd enable inside"
.
Cryptochecksum (unchanged): 85ac01f7 d609fd9a 9e7a0361 ea0b96fb
Real IP migration logs:
        No ACL was changed as part of Real-ip migration

INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201703311213.log'
Type help or '?' for a list of available commands.


Marvin Rhoads
Hall of Fame

Can you please tell us the exact image name you used for the upgrade?

Can you capture the output of the initial boot attempt? The output above appears to be truncated.

Hi,

The image was this asa971-lfbff-k8.SPA

and output below.

Thanks for your assistance.

Boot interrupted.
rommon 1 > set
    ADDRESS=192.168.101.2
    NETMASK=255.255.255.0
    GATEWAY=192.168.101.1
    SERVER=192.168.101.100
    IMAGE=asa971-lfbff-k8.SPA
    CONFIG=
    PS1="rommon ! > "
rommon 2 > sync
rommon 3 > tftp
             ADDRESS: 192.168.101.2
             NETMASK: 255.255.255.0
             GATEWAY: 192.168.101.1
              SERVER: 192.168.101.100
               IMAGE: asa971-lfbff-k8.SPA
             MACADDR: 00:f6:63:47:90:33
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect
Receiving asa971-lfbff-k8.SPA from 192.168.101.100!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 111322352 (0x6a2a4f0) bytes
[image size]      111322352
[MD5 signaure]    9573b686e6367e331e352b6bc24281d7
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 114 files, 26396/1919063 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
IO Memory Nodes: 1
IO Memory Per Node: 205520896 bytes
Global Reserve Memory Per Node: 314572800 bytes Nodes=1
LCMB: got 205520896 bytes on numa-id=0, phys=0x107800000, virt=0x2aaaab000000
LCMB: HEAP-CACHE POOL got 314572800 bytes on numa-id=0, virt=0x7f79d4400000
Processor memory:   1500026104
Compiled on Mon 16-Jan-17 09:00 PST by builders
Total NICs found: 14
i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 00f6.6347.9033
ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface     @ index 13 MAC: 0000.0100.0001
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Cisco Adaptive Security Appliance Software Version 9.7(1)
  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.
  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.7
Copyright (c) 1996-2017 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:6_2_0_0_startup_cfg.sav'
*** Output from config line 8, "NGFW Version 6.2.0 "
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 18, "  propagate sgt preserve..."
  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 19, "  policy static sgt disa..."
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 27, "  propagate sgt preserve..."
  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 28, "  policy static sgt disa..."
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 35, "  propagate sgt preserve..."
  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 36, "  policy static sgt disa..."
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 43, "  propagate sgt preserve..."
  policy static sgt disabled trusted
                    ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 44, "  policy static sgt disa..."
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 51, "  propagate sgt preserve..."
firepower>

The last line in your output shows the 

firepower>

...prompt.

This leads me to believe that the ASA was imaged with the FirePOWER Threat Defense software prior to this upgrade attempt. When that is the case, that image must first be erased prior to loading the new ASA image. Otherwise, the result will be that ASA tries to "load an incorrect configuration file, which causes numerous errors".

If that is the case, please see the following for detailed instructions on re-imaging:

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#pgfId-134210
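
Added example, not part of the original replies: a small triage script that reads a captured boot console log, pairs each parser error with the startup-config line that caused it, and flags the mismatch diagnosed above (an ASA image booting against a Firepower Threat Defense configuration). The sample log is constructed from lines quoted in this thread; the function names and the "NGFW Version" / `firepower>` heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the console output quoted in this thread.
SAMPLE_LOG = """\
Cisco Adaptive Security Appliance Software Version 9.7(1)
INFO: MIGRATION - Startup configuration saved to file 'flash:6_2_0_0_startup_cfg.sav'
*** Output from config line 8, "NGFW Version 6.2.0 "
  propagate sgt preserve-untag
                ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 18, "  propagate sgt preserve..."
ERROR: % Ambiguous command:  "dhcpd enable inside"
*** Output from config line 169, "dhcpd enable inside"
firepower>
"""

ERROR_RE = re.compile(r"^ERROR: % (Invalid input detected|Ambiguous command)")
SOURCE_RE = re.compile(r'^\*\*\* Output from config line (\d+), "(.*)"\s*$')
ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")
NGFW_RE = re.compile(r"NGFW Version (\S+)")
PROMPT_RE = re.compile(r"^(\S+)>\s*$")


def triage(log):
    """Collect rejected startup-config lines and image/config identity markers."""
    report = {"asa_version": None, "ngfw_version": None, "prompt": None,
              "rejected": [], "errors": Counter()}
    pending = None  # parser error waiting for its "*** Output from config line" trailer
    for line in log.splitlines():
        if m := ERROR_RE.match(line):
            pending = m.group(1)
            report["errors"][pending] += 1
        elif m := SOURCE_RE.match(line):
            lineno, text = int(m.group(1)), m.group(2).strip()
            if v := NGFW_RE.search(text):
                report["ngfw_version"] = v.group(1)
            if pending:
                report["rejected"].append((lineno, text))
                pending = None
        elif m := ASA_RE.search(line):
            report["asa_version"] = m.group(1)
        elif m := PROMPT_RE.match(line):
            report["prompt"] = m.group(1)  # last prompt seen wins
    return report


def leftover_ftd_config(report):
    """Heuristic: an ASA image booted but parsed a Firepower Threat Defense config."""
    ftd_marker = report["ngfw_version"] is not None or report["prompt"] == "firepower"
    return report["asa_version"] is not None and ftd_marker and bool(report["rejected"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["asa_version"], r["ngfw_version"], r["prompt"], dict(r["errors"]))
    print("leftover FTD config suspected:", leftover_ftd_config(r))
```

The list in `rejected` also shows which configured statements never took effect on this boot, which is worth reviewing before the device is put back in the traffic path.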

PAUL REEVES
Level 1

Thanks Marvin,

     All now back up and running.

You're welcome. Thanks for rating.
