03-31-2017 05:41 AM - edited 03-12-2019 02:09 AM
Hi,
I was trying to upgrade the software on my device and when it finished transferring it failed to boot. I have spent two days reading forums and these boards with no resolution. I have posted the output I get below. Any help or advice would be greatly received.
Thanks
Paul
*** Output from config line 19, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 24, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 27, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 28, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 32, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 35, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 36, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 43, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 44, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 48, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 51, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 52, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 56, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 59, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 60, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 64, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 67, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 68, " policy static sgt disa..."
bridge-group 1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, " bridge-group 1"
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 75, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 76, " policy static sgt disa..."
propagate sgt preserve-untag
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 83, " propagate sgt preserve..."
policy static sgt disabled trusted
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 84, " policy static sgt disa..."
interface BVI1
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 88, "interface BVI1"
nameif inside
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 89, " nameif inside"
security-level 0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 90, " security-level 0"
ip address 192.168.1.1 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 91, " ip address 192.168.1.1 ..."
ngips conn-match vlan-id
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 94, "ngips conn-match vlan-id"
.ERROR: Command requires failover license
*** Output from config line 106, "no failover"
ERROR: % Ambiguous command: "no monitor-interface inside"
*** Output from config line 107, "no monitor-interface ins..."
timeout igp stale-route 0:01:10
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 123, "timeout igp stale-route ..."
ip-client outside
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 140, "ip-client outside"
ip-client outside ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 141, "ip-client outside ipv6"
ip-client inside1_2
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 142, "ip-client inside1_2"
ip-client inside1_2 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 143, "ip-client inside1_2 ipv6"
ip-client inside1_3
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 144, "ip-client inside1_3"
ip-client inside1_3 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 145, "ip-client inside1_3 ipv6"
ip-client inside1_4
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 146, "ip-client inside1_4"
ip-client inside1_4 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 147, "ip-client inside1_4 ipv6"
ip-client inside1_5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 148, "ip-client inside1_5"
ip-client inside1_5 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 149, "ip-client inside1_5 ipv6"
ip-client inside1_6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 150, "ip-client inside1_6"
ip-client inside1_6 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 151, "ip-client inside1_6 ipv6"
ip-client inside1_7
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 152, "ip-client inside1_7"
ip-client inside1_7 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 153, "ip-client inside1_7 ipv6"
ip-client inside1_8
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 154, "ip-client inside1_8"
ip-client inside1_8 ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 155, "ip-client inside1_8 ipv6"
ip-client diagnostic
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 156, "ip-client diagnostic"
ip-client diagnostic ipv6
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 157, "ip-client diagnostic ipv..."
ERROR: % Ambiguous command: "dhcpd address 192.168.1.5-192.168.1.254 inside"
*** Output from config line 168, "dhcpd address 192.168.1...."
ERROR: % Ambiguous command: "dhcpd enable inside"
*** Output from config line 169, "dhcpd enable inside"
.
Cryptochecksum (unchanged): 85ac01f7 d609fd9a 9e7a0361 ea0b96fb
Real IP migration logs:
No ACL was changed as part of Real-ip migration
INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201703311213.log'
Type help or '?' for a list of available commands.
03-31-2017 07:14 AM
Can you please tell us the exact image name you used for the upgrade?
Can you capture the output of the initial boot attempt? The output above appears to be truncated.
03-31-2017 07:43 AM
Hi,
The image was this asa971-lfbff-k8.SPA
and output below.
Thanks for your assistance.
03-31-2017 08:41 AM
The last line in your output shows the "firepower>" prompt.
This leads me to believe that the ASA was imaged with the FirePOWER Threat Defense software prior to this upgrade attempt. When that is the case, that image must first be erased prior to loading the new ASA image. Otherwise, the result will be that ASA tries to "load an incorrect configuration file, which causes numerous errors".
If that is the case, please see the following for detailed instructions on re-imaging:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#pgfId-134210
03-31-2017 10:10 AM
Thanks Marvin,
All now back up and running.
03-31-2017 08:06 PM
You're welcome. Thanks for rating.