cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4052
Views
0
Helpful
5
Replies

ROMMON ASA 5516-X

nehmaan123
Level 1
Level 1

Anyone have any ideas why I can't get into ROMMON ?

 

Cisco Systems ROMMON, Version 1.1.13, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Mon 10/16/2017 17:54:58.29 by wchen64


Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present
DIMM Slot 1 : Present

Platform ASA5516 with 8192 Mbytes of main memory
MAC Address: XXXXX


INFO: PASSWORD RECOVERY functionality is disabled.
Located '.boot_string' @ cluster 294360.

#
Attempt autoboot: "boot disk0:/os.img"
Located 'os.img' @ cluster 268224.

##################
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5516.
Found device serial number XXXX

1 Accepted Solution

Accepted Solutions

I was not able to break into ROMMON on the 5516-X like I was able to do so on the 5512-X. Tried different terminals, cable, laptop etc... Nothing would allow access to the 5516-X.

 

Fixed issue using this method:

1) Upgrade ROMMON - Didn't fix the issue but worthwhile upgrading.

2) Delete "os.img" from disk0: and force ASA to boot into ROMMON.

 

INFO: PASSWORD RECOVERY functionality is disabled.
File system not supported
Attempt autoboot: "boot disk0:"
File system not supported
boot: cannot determine first file name on device "disk0:"
autoboot: All boot attempts have failed.
autoboot: Allow the user to break into the ROMMON CLI to manage the boot process.
autoboot: Restarting the system.

 

INFO: PASSWORD RECOVERY functionality is disabled.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

Permanently erase 'disk0:'? yes
Password recovery: Erasing 7038 MBytes ......................................

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

INFO: PASSWORD RECOVERY functionality is disabled.

 

because of this you not able to get in to ROMMON, do you have access to kit with SSH  or you do not have access to kit ? at all ?

 

if you have access to kit try below options :

 

https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your response. 

That's not correct. Even if you disable password recovery. It should not prevent you from entering ROMMON mode.

I've tried it in a lab by setting confreg to 0x10001 and rebooting. Although on a 5512-X rather than a 5516-X, Shouldn't be any different in theory. 

 

Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: n
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: y

Current Configuration Register: 0x00010001
Configuration Summary:
boot default image from Flash
display of BREAK or ESC key prompt during auto-boot disabled

Update Config Register (0x10001) in NVRAM...


This is what the bootup looks like (no ROMMON break prompt):

 

Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011

Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa984-17-smp-k8.bin... Booting...
Platform ASA5512

Loading...
IO memory blocks requested from bigphys 32bit: 41217

 

Then I disabled password recovery to see whether I could still get into ROMMON and works if I hit "ESC" key a few dozen times.

 

Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011

 

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Boot interrupted.

Management0/0
Link is UP
MAC Address: XXXXX

WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

Erase all file systems? y/n [n]: n
Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa984-17-smp-k8.bin...

 

I might have found my own solution but will try on affected firewall later.

@balaji.bandi is correct here.  The no service password-recovery command prevents you from entering ROMMON unless you erase the contents of the flash drive.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/admin-trouble.html#ID-2130-000001a4

On the ASA, the no service password-recovery command prevents you from entering ROMMON mode with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash file systems. You cannot enter ROMMON mode without first performing this erasure. If you choose not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.

--
Please remember to select a correct answer and rate helpful posts

I was not able to break into ROMMON on the 5516-X like I was able to do so on the 5512-X. Tried different terminals, cable, laptop etc... Nothing would allow access to the 5516-X.

 

Fixed issue using this method:

1) Upgrade ROMMON - Didn't fix the issue but worthwhile upgrading.

2) Delete "os.img" from disk0: and force ASA to boot into ROMMON.

 

INFO: PASSWORD RECOVERY functionality is disabled.
File system not supported
Attempt autoboot: "boot disk0:"
File system not supported
boot: cannot determine first file name on device "disk0:"
autoboot: All boot attempts have failed.
autoboot: Allow the user to break into the ROMMON CLI to manage the boot process.
autoboot: Restarting the system.

 

INFO: PASSWORD RECOVERY functionality is disabled.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

Permanently erase 'disk0:'? yes
Password recovery: Erasing 7038 MBytes ......................................

Outside of this conversation for rommon recovery is anyone able to guide me in regards to obtaining / downloading Rommon upgrade 2.1.9.8 as mentioned in this thread?   ASA 5500X download section does not have this available vs the 5516X series.   I have 2 5555X units 1 with 2.1.9.5 which does have some issues with the sensors which 2.1.9.8 Rommon corrects.    

Rebooting... Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44       2.1.9.8 Rommon  

Rebooting... Cisco BIOS Version:9B2C105A
Build Date:06/07/2011 08:31:32      2.1.9.5 Rommon

Review Cisco Networking for a $25 gift card