Solved: Re: Can't reload ASA 5505 after flash and memory upgrade

randall.potvin · ‎03-02-2013

Hi folks,

I recently upgraded the flash and the RAM on one of my ASA 5505 lab machines. The flash was upgraded from 128 to 512MB and the RAM was also upgraded from 256 to 512MB. I am using asa845-k8.bin. The firewall boots and runs file until you issue the reload command. The system shuts down but never reloads. If I power cycle it, it boots ok. I have searched Google and the Cisco web site for this problem and haven’t found anything. Has anyone else experienced this? And if so, what the fix is?

Regards,

Randy

jim.sparks · ‎03-11-2013

From my experences, the problem is your RAM. What is your hardware version? If you pull the power cord, then let the unit cool off and add power you may notice the LEDs on the back of the ASA will flash for x amount of times then may go solid green and the ASA will boot. If you count the number of flashes, they are not 100% consistant. Once the ASA 5505 boots you are good until you reboot. I keep the lid off and it seems to help on some reboots. You can put back in the orginal ASA memory (if you had 256 Mb) and the ASA 5505 should boot which should prove your problem is RAM. I'm running the latest firmware on 256 Mb RAM on a lab 5505.

I bought 5 or 6 differeft versions of 1G sticks and it is hit or miss. Even if you find the thread (not on Cisco) where everyone detailed what they were using on the different hardware versions, it is still hit or miss. I tried CU and AL heat sinks with thermal pastes with no luck. I can always reboot my ASA by turning off for a few minutes then powering on. If your RAM isn't compatable (even Cisco RAM doesn't work on the earlier ASA 5505 versions) the LEDs will always blink and the unit never will boot.

BTW, I run 1G CF on my ASAs. If you use a 2G, you will only see 1G of it. If I find my notes on this, I will provide more details.

View solution in original post

jocamare · ‎03-02-2013

The system shuts down but never reloads

Does it mean that it stays down after you issue the command? I don't think that's what you mean by that, but a clarification would be useful.

Now, i have never heard of something like this, but this is what i would try:

1-Connect to the console port and check the outputs after issuing the "reload" command

2-Check the uptime of the unit right after i run the command

3-Issue a "reload nonconfirm" command, shouldn't make a difference, but i'd give it a shot.

randall.potvin · ‎03-04-2013

Yes, it says Rebooting..... and never reboots. I've left it for 6 hours just to see what would happen.

I replaced the flash and RAM with Cisco flash and RAM.

asa845# sho ver

Cisco Adaptive Security Appliance Software Version 8.4(5)
Device Manager Version 6.4(5)106

Compiled on Mon 29-Oct-12 10:13 by builders
System image file is "disk0:/asa845-k8.bin"
Config file at boot was "startup-config"

asa845 up 1 day 21 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 512MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 001b.5446.d349, irq 11
1: Ext: Ethernet0/0         : address is 001b.5446.d341, irq 255
2: Ext: Ethernet0/1         : address is 001b.5446.d342, irq 255
3: Ext: Ethernet0/2         : address is 001b.5446.d343, irq 255
4: Ext: Ethernet0/3         : address is 001b.5446.d344, irq 255
<--- More --->

5: Ext: Ethernet0/4         : address is 001b.5446.d345, irq 255
6: Ext: Ethernet0/5         : address is 001b.5446.d346, irq 255
7: Ext: Ethernet0/6         : address is 001b.5446.d347, irq 255
8: Ext: Ethernet0/7         : address is 001b.5446.d348, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
<--- More --->

Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1116Z1FK
Running Permanent Activation Key: "Yes, there is a real key here. Not a cracked one."
Configuration register is 0x1
Configuration last modified by enable_15 at 20:30:37.339 UTC Sat Mar 2 2013

asa845# dir   sho flash: all
--#-- --length-- -----date/time------ path
   96 260         Feb 27 2013 18:20:12 upgrade_startup_errors_201302271820.log
   10 8192        Feb 23 2013 12:42:24 coredumpinfo
   11 59          Feb 23 2013 12:42:24 coredumpinfo/coredump.cfg
    5 8192        Apr 02 2008 06:17:30 crypto_archive
    2 8192        Apr 02 2008 06:15:54 log
   98 25159680    Dec 21 2011 10:07:56 asa842-k8.bin
   99 16872500    Dec 21 2011 10:07:10 asdm-645-106.bin
100 0           Feb 23 2013 12:42:24 nat_ident_migrate
101 1868412     Apr 19 2007 06:38:00 securedesktop-asa-3.1.1.29-k9.pkg
102 398305      Apr 19 2007 06:38:16 sslclient-win-1.1.0.154.pkg
103 260         Feb 23 2013 12:42:24 upgrade_startup_errors_201302231242.log
104 260         Mar 01 2013 20:07:02 upgrade_startup_errors_201303012007.log
105 200         Mar 01 2013 20:14:02 upgrade_startup_errors_201303012014.log
106 25196544    Mar 01 2013 20:21:28 asa845-k8.bin
107 17790720    Mar 01 2013 20:22:40 asdm-711-52.bin

521494528 bytes total (433651712 bytes free)

******** Flash Card Geometry/Format Info ********

COMPACT FLASH CARD GEOMETRY
   Number of Heads:           16
   Number of Cylinders      1014
   Sectors per Cylinder       63
<--- More --->

   Sector Size               512
   Total Sectors          1022112

Flash Model: UNIGEN FLASH

asa845# reload noconfirm

asa845#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting..... <- this is where it stops.

From the looks of the error messages, it may have something to do with migrating from a pre-8.3 version to 8.4.5.

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201303012014.log'

Reading from flash...

Flash read failed

ERROR: MIGRATION - Could not get the startup configuration.

If I power cycle the ASA 5505, it will boot fine.

Most perplexing.

I copied the contents of the old flash to my laptop, making sure I got the .private directory. Then I copied the contents of the folder on my laptop to the new flash. Put the flash in the ASA 5505 and booted it.

I only had a problem when I tried to reload the system.

jocamare · ‎03-04-2013

Try this command:

fsck flash:

And reload again.

randall.potvin · ‎03-05-2013

Same as before.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.05 21:22:22 =~=~=~=~=~=~=~=~=~=~=~=
en
Password:

asa845# fsck flash:
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/hda1: 54 files, 10723/63659 clusters

fsck of flash: complete

asa845# sho startup-config
: Saved
: Written by enable_15 at 20:30:44.379 UTC Sat Mar 2 2013
!
ASA Version 8.4(5)
!
hostname asa845
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
<--- More --->

shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- More --->

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
<--- More --->

parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
<--- More --->

call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8c988f81109aef2c9e8648d2818a8416

asa845# reload
Proceed with reload? [confirm]

asa845#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting..... <- it hangs here and needs to be power cycled

I'm going to put the old CF back in tomorrow and see if the problem goes away.

Thanks for your interest.

jocamare · ‎03-05-2013

It looks like a software bug, but the version you are running is pretty common and multiple instances of the same issue should have been reported by now.

The configuration is not the root cause.

Can you do a write mem on the ASA?

Please share the output of the "show reload" command before and after running these commands: "reload no" "reload quick"

randall.potvin · ‎03-06-2013

Yes, I can do a wri mem successfully.

I'll try the suggested commands tonight and post the results.

Thanks

randall.potvin · ‎03-06-2013

I powered on the system and issued the recommended reload commands. The system hung on both reload attempts. I powered the system down and swapped the flash cards and powered the system up. It booted normally but failed to read to old flash. and when I issued the reload command the system hung with the old CF card. The only constant is the 8.4.5 code.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.06 21:28:23 =~=~=~=~=~=~=~=~=~=~=~=
show reload
No reload is scheduled.

asa845# reload no

asa845#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
<--------------System hangs

***power cycled***

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 10 seconds. 9 seconds. 8 seconds. 7 seconds. 6 seconds.

Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa845-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 108 files, 10723/63659 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 352321536, Reserved memory: 62914560

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 001b.5446.d348
88E6095 rev 2 Ethernet @ index 07 MAC: 001b.5446.d347
88E6095 rev 2 Ethernet @ index 06 MAC: 001b.5446.d346
88E6095 rev 2 Ethernet @ index 05 MAC: 001b.5446.d345
88E6095 rev 2 Ethernet @ index 04 MAC: 001b.5446.d344
88E6095 rev 2 Ethernet @ index 03 MAC: 001b.5446.d343
88E6095 rev 2 Ethernet @ index 02 MAC: 001b.5446.d342
88E6095 rev 2 Ethernet @ index 01 MAC: 001b.5446.d341
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001b.5446.d349
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x3232706a 0x704e76fa 0xc4f03d14 0x822ce8b4 0x89293096

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Cisco Adaptive Security Appliance Software Version 8.4(5)

******************************
*banner deleted to save space*
******************************

Reading from flash... <-----------no problem reading from flash
!.
Cryptochecksum (unchanged): 8c988f81 109aef2c 9e8648d2 818a8416
Type help or '?' for a list of available commands.

asa845> en
Password:

asa845# show reload
No reload is scheduled.

asa845# reload quick
Proceed with reload? [confirm]

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
<- system just hangs

***system power cycled***

******************************
*banner deleted to save space*
******************************

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 100 files, 10904/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 348127232, Reserved memory: 62914560

******************************
*banner deleted to save space*
******************************

Reading from flash...
Flash read failed <--------------------------this time error reading from flash
ERROR: MIGRATION - Could not get the startup configuration.
Configuration has non-ASCII characters and will be ignored.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201303061950.log'

Pre-configure Firewall now through interactive prompts [yes]? n

***powered down and changed flash back to old 128MB CF***

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

******************************
*banner deleted to save space*
******************************

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 102 files, 10905/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 348127232, Reserved memory: 62914560

******************************
*banner deleted to save space*
******************************

Reading from flash...
Flash read failed <--------------------reading from the old 128MB flash failed
ERROR: MIGRATION - Could not get the startup configuration.
Configuration has non-ASCII characters and will be ignored.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201303061954.log'

Pre-configure Firewall now through interactive prompts [yes]? n

Type help or '?' for a list of available commands.

ciscoasa> en
Password:

ciscoasa# reload
Proceed with reload? [confirm]

ciscoasa#

***
*** --- START GRACEFUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting..... <--------------system failed to reload with old 128MB cf

Tomorrow I'll put an 8.2 image on both the 128MB and 512MG CF's and see what happens. If there is no change, there is probably something failing elsewhere in the box.

I also swapped power supplies and got the same failure to reload.

Thanks for your interest and suggestions.

anildeypillala · ‎03-05-2013

hi..

1) to my knowledge version 8.4 needs 1gb ram for upgrade.

2) if possible erase flash ( assuming you have backedup old config files)

3) go thru the boot strap process on you ASA

4) after it loads, copy ASA image form tftp to flash

5) config-reg 0x2101 ( check your show verison ) and copy run start

hoping this would of help.

Julio Carvajal · ‎03-05-2013

Hello Anildey,

The ASA 5505 needs 512 MB in RAM to run 8.3 versions a higher so the memory amount is not the problem,

My opinion would be that it does not sound like a bug as this did not happen while using the previous memory, it may be an issue with this particular RAM or flash card.

Try to put back the old CF and then we will be sure it's a card issue

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

randall.potvin · ‎03-06-2013

I am also thinking it may be the CF card. I'm going to put the old one back in tonight and I have ordered a new 512MB Cisco CF card. As soon as I receive it, I will try the new one.

Thanks

jim.sparks · ‎03-11-2013

From my experences, the problem is your RAM. What is your hardware version? If you pull the power cord, then let the unit cool off and add power you may notice the LEDs on the back of the ASA will flash for x amount of times then may go solid green and the ASA will boot. If you count the number of flashes, they are not 100% consistant. Once the ASA 5505 boots you are good until you reboot. I keep the lid off and it seems to help on some reboots. You can put back in the orginal ASA memory (if you had 256 Mb) and the ASA 5505 should boot which should prove your problem is RAM. I'm running the latest firmware on 256 Mb RAM on a lab 5505.

I bought 5 or 6 differeft versions of 1G sticks and it is hit or miss. Even if you find the thread (not on Cisco) where everyone detailed what they were using on the different hardware versions, it is still hit or miss. I tried CU and AL heat sinks with thermal pastes with no luck. I can always reboot my ASA by turning off for a few minutes then powering on. If your RAM isn't compatable (even Cisco RAM doesn't work on the earlier ASA 5505 versions) the LEDs will always blink and the unit never will boot.

BTW, I run 1G CF on my ASAs. If you use a 2G, you will only see 1G of it. If I find my notes on this, I will provide more details.

dennylester · ‎01-10-2014

I know this thread is nearly a year old, so I am hoping you get an email from the forum and will reply, but I'm curious. I see you marked Jim's response as the correct answer. Does this mean you found a compatible stick of RAM that fixed the issue for you?

Did you by any chance see if other versions would load? I have a similar issue with an ASA5505 I got off of eBay. This unit will flawlessly load 7.2.5, but has only loaded 8.4 one time and now it hangs every time after.

I've seen this issue reported in numerous forums and it seems finding the right stick of RAM fixed their issue, but no one ever mentioned trying a version as old as 7.2.5.

Denny

jhilehoffer · ‎02-20-2014

IF using 8.4 make sure you have 512 mb memory as 256 memory only supports up to 8.2

c.flavell · ‎01-23-2015

I upgraded my ASA5505 to genuine Cisco 512MB memory and I found that reboot randomly worked where as pulling out the power lead and counting to 60 worked each time. This was true with 8.2 8.4 9.0 and 9.3. I noticed above that somebody commented that Cisco memory does not work with older ASA5505 which mine is but it is difficult to understand why reboot is so inconsistent even with the lid off.