05-05-2021 02:34 PM
It appears the ASA IOS train for versions 9.8(4)20 and higher has a bug that prevents copying any ASA image to flash. The result is always a "Signature not valid for file" error, even when specifying /noverify on the copy operation. I first noticed this on an ASA 5506-X system, but have since verified it is an issue on the ASA 5525-X platform as well. On one ASA 5506-X platform I was able to downgrade to the original shipping version as it was a recent RMA and still had the file on disk. Then I was able to copy version 9.8(4)35 to flash. It booted successfully. But even on version 9.8(4)35, the copy bug still exists. Has anyone else encountered this issue?
CORE-ASA# copy /nov tftp://192.168.1.11/asa/images/asa984-35-lfbff-k8.SPA$
Address or name of remote host [192.168.1.11]?
Source filename [asa/images/asa984-35-lfbff-k8.SPA]?
Destination filename [asa984-35-lfbff-k8.SPA]?
Accessing tftp://192.168.1.11/asa/images/asa984-35-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa984-35-lfbff-k8.SPA...
%ERROR: Signature not valid for file disk0:/asa984-35-lfbff-k8.SPA
07-29-2021 07:55 AM
So yes, I finally figured it out. I ended up having to shut down the sfr module prior to copying the image. After the transfer you can re-enable the sfr module. This has worked every time so far. I reported my findings and I tried getting Cisco TAC to file a bug report knowing other customers would encounter this issue. I really don't know if they did. I didn't get any notification if they did. TAC seemed happier to close the case. It was open for about a month. This was probably the most disappointing TAC case I've ever opened. In my experience, normally ASA TAC cases are very well handled.
05-05-2021 07:26 PM
Another member posted a similar issue a few weeks ago. We were not able to resolve it here, but it looks like a bug. Recommend you open a TAC case for confirmation.
05-05-2021 08:56 PM
Yeah, I have a TAC case open. Going on day 3 and it's been pretty mum so far. I did quite a few searches but couldn't find anything relevant. It's got to be a bug. I'm just surprised it's survived this long. The MD5 checksums are valid. I knew the image was good when I could boot off tftp load. I really don't want to upgrade multiple ASAs and be stuck back with an image that can't be directly upgraded.
05-12-2021 06:51 AM
Still no real progress other than that TAC confirmed other customers are experiencing the same issue. The report was they are having difficulty obtaining an ASA 5506-X to test with. Doesn't appear to be a good sign going forward. I know the platform is on the EOL roadmap and it should be supported for a few more years, but it seems Cisco is already moving on.
05-07-2021 08:12 AM
Worked with TAC yesterday. Was able to demonstrate the issue with multiple images in the 9.8(4)x train. The engineer indicated they would test this in their labs and get back to me.
07-29-2021 05:28 AM
DavidParker35087 any update? I'm having the same issue with only 1 of my many 5506. I assumed the flash was bad until I saw this post.