ASA 5506-X rommon software recovery problem

Greg Chlopowiec
Level 5

I'm having a problem loading an image for the ASA 5506-X using rommon.

As per instructions I have done the following:

rommon #1> interface gigabitethernet0/0
rommon #2> address 10.86.118.4
rommon #3> server 10.86.118.21
rommon #4> gateway 10.86.118.21
rommon #5> file asa961-smp-k8.bin

ASA connected to network through Management 1/1 interface

rommon #6> set
ROMMON Variable Settings:
  ADDRESS=10.86.118.3
  SERVER=10.86.118.21
  GATEWAY=10.86.118.21
  PORT=GigabitEthernet0/0
  VLAN=untagged
  IMAGE=asa961-smp-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

I can ping my tftp server (no problem)

However, when trying to download the image through tftpdnld, I'm getting the following:

IP: Detected unsupported IP packet fragmentation. Try reducing TFTP_BLKSIZE.
IP: Retrying with a TFTP block size of 512.
Receiving asa961-smp-k8.bin from 10.86.118.21
Overall timeout.

TFTP: Operation terminated.

Lost a few hours on this trying to figure it out. Can anyone help?

6 Replies

Marvin Rhoads
Hall of Fame

What is the current version of ASA software on the 5506?

None. It was asa961-lfbff-k8.SPA before the tech tried to upgrade the software to asa962-lfbff-k8.SPA. After the software update to asa962-lfbff-k8.SPA the ASA wouldn't take it (meaning: the ASA was not able to read the asa962-lfbff-k8.SPA file), so the ASA took the asdm-762.bin file as the startup software and, for obvious reasons, the startup failed. Next, the tech erased the flash because he wanted to start everything from the beginning. So now we are in rommon with the "detected unsupported IP packet fragmentation" problem.

OK.

Reading the original post more closely, I do notice you are specifying the wrong image.

The Kenton series (5506, 5508 and 5516) require use of the digitally signed images. (asa ...SPA)

I'm not sure that will give the obscure failure you are seeing; but a 5506 will definitely not load the regular SMP image - that's for the Saleen platform only (5512, 5515, 5525 etc.).

The only other possible issue I see is that you are using "set" as the rommon command prior to the tftpdnld. The guide I am looking at (link below) says to use "sync". You should also do a fresh "erase disk0:" to be on the safe side.

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#pgfId-128744

erase disk0: is done (just did it again)

image=asa961-lfbff-k8.SPA is done (tried them both with the same result)

"set" in rommon is used to view the settings.

"sync" in rommon is used for saving the configuration in rommon for future use.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235

But my problem still persists and I'm not sure what to do.

OK, your commands should all be good then.

The only other thing that comes to mind is potentially your tftp server. Those images are 80+ MB and some tftp servers have a problem with that large of a file.

I coincidentally re-imaged an ASA 5506 from rommon just yesterday (to FTD 6.1) and used tftpd32 with no problem to copy over the 96 MB FTD boot image.

Thanks Marvin for all your help and suggestions. It looks like I was finally able to fix the problem.

The issue with the tftp was not so much packet fragmentation as "overall timeout", so what I have done is the following in rommon:

Increased Retry and Pkt timeout to some arbitrary number:

RETRY=1200 

PKTTIMEOUT=1000

and it finally worked.

Thank you again for all your help. 
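An added example, not part of the original thread: a Python pre-flight check for the two TFTP limits the thread touches on, the fragmentation warning tied to the block size and the large-file concern about the TFTP server. It assumes a 1500-byte MTU, IPv4 without options and a constructed 80 MiB image size; `plan_transfer` and `build_rrq` are hypothetical helper names.

```python
import struct

IP_HEADER = 20            # IPv4 header without options (assumption)
UDP_HEADER = 8
TFTP_DATA_HEADER = 4      # 2-byte opcode + 2-byte block number (RFC 1350)
MAX_BLOCK_NUMBER = 0xFFFF  # block number is a 16-bit field


def build_rrq(filename, blksize=None):
    """Build a TFTP read request; blksize adds the RFC 2348 option."""
    pkt = struct.pack("!H", 1) + filename.encode("ascii") + b"\0octet\0"
    if blksize is not None:
        pkt += b"blksize\0" + str(blksize).encode("ascii") + b"\0"
    return pkt


def plan_transfer(file_size, blksize=512, mtu=1500):
    """Report whether DATA packets fragment and whether block numbers wrap."""
    ip_packet = IP_HEADER + UDP_HEADER + TFTP_DATA_HEADER + blksize
    # The transfer ends with a block shorter than blksize, so a file that is
    # an exact multiple of blksize needs one extra, empty DATA block.
    blocks = file_size // blksize + 1
    return {
        "ip_packet_bytes": ip_packet,
        "fragments": ip_packet > mtu,
        "data_blocks": blocks,
        # Past 65535 blocks the server must wrap the block counter, which
        # RFC 1350 does not define; servers without that support stall.
        "needs_rollover": blocks > MAX_BLOCK_NUMBER,
        "max_bytes_without_rollover": MAX_BLOCK_NUMBER * blksize - 1,
    }


if __name__ == "__main__":
    image_size = 80 * 1024 * 1024  # constructed size; the thread says "80+ MB"
    for size in (512, 1468, 8192):
        print(size, plan_transfer(image_size, size))
    print(build_rrq("asa961-lfbff-k8.SPA", 512))
```

At the 512-byte block size the rommon fell back to, an image of this size needs more than 65535 blocks, so the TFTP server has to support block-number rollover and the transfer involves far more round trips than with a larger block size.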
