12-01-2020 12:12 PM - edited 12-01-2020 12:12 PM
Anyone have any ideas why I can't get into ROMMON ?
Cisco Systems ROMMON, Version 1.1.13, RELEASE SOFTWARE
Copyright (c) 1994-2017 by Cisco Systems, Inc.
Compiled Mon 10/16/2017 17:54:58.29 by wchen64
Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present
DIMM Slot 1 : Present
Platform ASA5516 with 8192 Mbytes of main memory
MAC Address: XXXXX
INFO: PASSWORD RECOVERY functionality is disabled.
Located '.boot_string' @ cluster 294360.
#
Attempt autoboot: "boot disk0:/os.img"
Located 'os.img' @ cluster 268224.
##################
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5516.
Found device serial number XXXX
12-02-2020 06:53 AM
I was not able to break into ROMMON on the 5516-X as I was able to do on the 5512-X. I tried different terminals, cables, laptops, etc. Nothing would allow access to the 5516-X.
Fixed issue using this method:
1) Upgrade ROMMON - Didn't fix the issue but worthwhile upgrading.
2) Delete "os.img" from disk0: and force ASA to boot into ROMMON.
INFO: PASSWORD RECOVERY functionality is disabled.
File system not supported
Attempt autoboot: "boot disk0:"
File system not supported
boot: cannot determine first file name on device "disk0:"
autoboot: All boot attempts have failed.
autoboot: Allow the user to break into the ROMMON CLI to manage the boot process.
autoboot: Restarting the system.
INFO: PASSWORD RECOVERY functionality is disabled.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.
Permanently erase 'disk0:'? yes
Password recovery: Erasing 7038 MBytes ......................................
12-01-2020 06:23 PM
INFO: PASSWORD RECOVERY functionality is disabled.
Because of this you are not able to get into ROMMON. Do you have access to the kit with SSH, or do you not have access to the kit at all?
If you have access to the kit, try the options below:
https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046
12-01-2020 06:47 PM - edited 12-01-2020 06:48 PM
Thanks for your response.
That's not correct. Even if you disable password recovery, it should not prevent you from entering ROMMON mode.
I've tried it in a lab by setting confreg to 0x10001 and rebooting. Although that was on a 5512-X rather than a 5516-X, it shouldn't be any different in theory.
Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: n
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: y
Current Configuration Register: 0x00010001
Configuration Summary:
boot default image from Flash
display of BREAK or ESC key prompt during auto-boot disabled
Update Config Register (0x10001) in NVRAM...
This is what the bootup looks like (no ROMMON break prompt):
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa984-17-smp-k8.bin... Booting...
Platform ASA5512
Loading...
IO memory blocks requested from bigphys 32bit: 41217
Then I disabled password recovery to see whether I could still get into ROMMON, and it works if I hit the "ESC" key a few dozen times.
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Boot interrupted.
Management0/0
Link is UP
MAC Address: XXXXX
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.
Erase all file systems? y/n [n]: n
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa984-17-smp-k8.bin...
I might have found my own solution but will try on affected firewall later.
12-02-2020 12:37 AM
@balaji.bandi is correct here. The no service password-recovery command prevents you from entering ROMMON unless you erase the contents of the flash drive.
On the ASA, the no service password-recovery command prevents you from entering ROMMON mode with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash file systems. You cannot enter ROMMON mode without first performing this erasure. If you choose not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.
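The transcripts quoted in this thread are the only evidence a defender usually has of what happened at the console: whether `no service password-recovery` was in effect, whether anyone interrupted boot, and whether the disk0: erase that re-enables ROMMON (and wipes the configuration) was confirmed. The following is an added example, not code from this thread or from Cisco; it scans a captured serial-console log for the messages quoted above and summarises the posture they imply. The matched strings are copied from the console output in the thread, the sample transcripts are constructed from those same quotes, and it assumes the wording of those ROMMON messages is stable across the platforms involved.

```python
"""Audit an ASA serial-console boot transcript for password-recovery posture.

Added example, not code from this thread or from Cisco. The message strings
it matches are copied from the console output quoted in the thread; the
sample transcripts below are constructed from those same quotes. Assumption:
the wording of these ROMMON messages is stable across the ASA models involved.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_RECOVERY_DISABLED = re.compile(r"password recovery functionality is disabled", re.I)
_BREAK_PROMPT = re.compile(r"use break or esc to interrupt boot", re.I)
_BOOT_INTERRUPTED = re.compile(r"^boot interrupted\.", re.I)
_AUTOBOOT_FAILED = re.compile(r"all boot attempts have failed", re.I)
# Matches both "Permanently erase 'disk0:'? yes" and "Erase all file systems? y/n [n]: n"
_ERASE_PROMPT = re.compile(r"erase .*\?\s*(?:y/n \[n\]:)?\s*(yes|no|y|n)?\s*$", re.I)
_ERASING = re.compile(r"^password recovery: erasing", re.I)
_LOADING = re.compile(r"^loading (\S+?)\.{3}", re.I)


@dataclass
class BootAudit:
    password_recovery_disabled: bool = False
    break_prompt_shown: bool = False
    boot_interrupted: bool = False
    autoboot_failed: bool = False
    erase_prompted: bool = False
    erase_answer: Optional[str] = None      # operator's answer at the erase prompt
    erase_in_progress: bool = False         # "Password recovery: Erasing ..." seen
    images_loaded: List[str] = field(default_factory=list)

    @property
    def erase_confirmed(self) -> bool:
        # Either the operator answered yes, or the erase progress line appeared.
        return self.erase_in_progress or self.erase_answer in ("y", "yes")


def audit_transcript(text: str) -> BootAudit:
    """Walk a console capture line by line and record the security-relevant events."""
    audit = BootAudit()
    for raw in text.splitlines():
        line = raw.strip()
        if _RECOVERY_DISABLED.search(line):
            audit.password_recovery_disabled = True
        if _BREAK_PROMPT.search(line):
            audit.break_prompt_shown = True
        if _BOOT_INTERRUPTED.search(line):
            audit.boot_interrupted = True
        if _AUTOBOOT_FAILED.search(line):
            audit.autoboot_failed = True
        m = _ERASE_PROMPT.search(line)
        if m:
            audit.erase_prompted = True
            if m.group(1):
                audit.erase_answer = m.group(1).lower()
        if _ERASING.search(line):
            audit.erase_in_progress = True
        m = _LOADING.search(line)
        if m:
            audit.images_loaded.append(m.group(1))
    return audit


def assess(audit: BootAudit) -> str:
    """One-line verdict matching the behaviour described in the thread."""
    if not audit.password_recovery_disabled:
        return "password recovery enabled: ROMMON reachable via BREAK/ESC with config intact"
    if audit.erase_confirmed:
        return "password recovery disabled: disk0: erased to regain ROMMON; restore image and backup config"
    if audit.boot_interrupted:
        return "password recovery disabled: ROMMON refused without erase; ASA reloads"
    return "password recovery disabled: boot not interrupted"


# Constructed from the accepted answer: os.img deleted, autoboot fails,
# the BREAK/ESC prompt appears and the operator confirms the disk0: erase.
SAMPLE_ERASE = """\
INFO: PASSWORD RECOVERY functionality is disabled.
Attempt autoboot: "boot disk0:"
boot: cannot determine first file name on device "disk0:"
autoboot: All boot attempts have failed.
Use BREAK or ESC to interrupt boot.
Boot interrupted.
Permanently erase 'disk0:'? yes
Password recovery: Erasing 7038 MBytes ......
"""

# Constructed from the 5512-X lab transcript: ROMMON refused, the ASA boots on.
SAMPLE_REFUSED = """\
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Boot interrupted.
Erase all file systems? y/n [n]: n
Launching BootLoader...
Loading disk0:/asa984-17-smp-k8.bin...
"""

if __name__ == "__main__":
    for name, sample in (("erase", SAMPLE_ERASE), ("refused", SAMPLE_REFUSED)):
        print(name, "->", assess(audit_transcript(sample)))
```

Run against a console capture from a terminal server, an `erase_confirmed` result on a unit where `no service password-recovery` is configured is the signal worth alerting on: it means the running configuration and images on disk0: are gone, exactly as the reply above describes, and the device has to be rebuilt from a known image and a backup configuration.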
01-24-2023 01:35 PM
Outside of this conversation about ROMMON recovery, is anyone able to guide me on obtaining / downloading the ROMMON upgrade 2.1.9.8 mentioned in this thread? The ASA 5500-X download section does not have it available, unlike the 5516-X series. I have 2 5555-X units, 1 with 2.1.9.5, which does have some issues with the sensors that the 2.1.9.8 ROMMON corrects.
Rebooting... Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44 2.1.9.8 Rommon
Rebooting... Cisco BIOS Version:9B2C105A
Build Date:06/07/2011 08:31:32 2.1.9.5 Rommon