cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3451
Views
2
Helpful
24
Replies

Unable to copy firmware image to ASA

UZaman3
Level 1
Level 1

I am trying to upgrade the firmware on ASA's we have at multiple sites but for some reason copying over the firmware fails. We are currently running FP2140's in ASA mode and whenever I copy the files over from a windows machine, it fails. I am using scp to transfer the file over and the file begins to transfer. On the windows machine I see the progress of the transfer and on the ASA I see a temp file name of scp_1 which indicates the file is being transferred over. It takes 10 minutes or so for the transfer to say 100% on the windows box and then it fails with the error "Error: Signature not valid for file disk0:/cisco-asa-fp2k.9.18.4.22.spa. I was able to successfully transfer this image to our Nexus and even tried to scp it from the Nexus to the ASA but still no luck. Does anyone know how I can get this file up to the ASA so I can upgrade them?

24 Replies 24

FXOS package should be included in the update you are trying to install.  It is just the 4100 and 9100 series that require a separate FXOS upgrade.

I suggest trying to upload random .cfg file you create to the ASA to verify that upload actually works. if that works, try uploading 9.20 to the device.  Just be clear that you are not upgrading to 9.20 unless you want to, we just need to verify that copying files to the device is not the issue and that the issue is with that specific software.

If those do not copy to the ASA then there is an issue that you will need TAC to assist with.

--
Please remember to select a correct answer and rate helpful posts

So I was able to successfully copy over asdm-7191-95.bin to the 2140 and set it as the new asdm image so copying files over definitely works. But for whatever reason, whenever I try to copy the ASA image over, it fails with the same error every time: "%Error: Signature not valid for file disk0:/asa_file_name"

These are the ASA images I have tried to copy over and they have all failed with that error:

cisco-asa-fp2k.9.20.2.10.SPA

cisco-asa-fp2k.9.17.1.SPA

cisco-asa-fp2k.9.16.3.14.SPA

cisco-asa-fp2k.9.14.3.1.SPA

 

Not sure if this is applicable to yours, but there was a similar copy bug on the 5500 series it looks like that they had to disable the SFR module to get the copy to succeed.

 

https://community.cisco.com/t5/network-security/asa-ios-upgrade-quot-signature-not-valid-for-file-quot-error-9-8/td-p/4398459

UZaman3
Level 1
Level 1

Thank you for sharing and yeah, I saw that as well. Does the 2140 chassis have the SFR module? I don't believe it does since it's natively a Firepower chassis and not an ASA chassis with a FirePower Module like the 5500 series was. I could be wrong though

Yeah, I know the 5500 series had a show module command, but on our 2140 I don't see anything, but we also have it as a FTD, not ASA.

It really seems like some bug, and you may need to open a TAC to see if they have a workaround.

 

On a side note, do you have physical access to it that you could try copying from a USB drive?

One thing you might try if you haven't already done this, is to reload the ASA.  There could be some stuck processes that are causing this issue.

If that does not solve the issue then this likely a case for TAC as there could be some issue with the databases.

--
Please remember to select a correct answer and rate helpful posts

firat-yng
Level 1
Level 1

You can check fxos mode. If it set to platform mode you need to do upgrade on chasis.

connect fxos

show fxos mode or show fxos detail.

it-admin-pac
Level 1
Level 1

Have you ever figured this issue out? I'm running into the same exact thing. 

Edit: I'm trying through the FMC now and its looking promising actually. Will update the thread.

Here is how I had to do it because following the Cisco documentation yielded me about 20 hours of pain. FTP, SCP, and USB did not work on the ASA.

Here is how I had to do it:

1. I went to FMC and uploaded the image.

2. I started the upgrade in FMC after validating it.

3. This only upgraded one ASA for me, I am running a Active/Passive HA Pair. 

4. You start to see messages like this: 

************WARNING****WARNING****WARNING********************************
Mate version 9.12(3)12 is not identical with ours 9.18(4)29
************WARNING****WARNING****WARNING********************************

5. I sshed into the FTD on the secondary ASA and plugged in a USB with the install into the unit.

 5A. scope firmware

 5B. download image usbA:/cisco-asa-fp2k.9.18.4.29.SPA

 5C. show download-task (Make sure its downloaded)

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.18.4.29.SPA.                    Usb A 0              Downloaded

6. scope auto-install

7. install security-pack version 9.18.4.29

8. This will Install the firmware on the secondary unit.

Thats what I followed and so far it's working good now. 

 

 

 

So what we had to do since our customer doesn't have FMC was pretty janky but it worked:

1. We copied the running-config to a text file (used scp to copy it to our server)

2. Changed the firepower from ASA mode to platform mode (config gets wiped)

3. Do the normal upgrade steps via CLI in platform mode

   - this required putting an IP on the management interface and re-establishing an SSH session. This is due to the config being wiped when you changed the mode

4. Upgrade completed successfully, changed the appliance back to ASA mode

5. Add management IP again and SCP the running config back onto the ASA

Don't know why only on the 2100 series we had to move it back to platform mode to do the install. Pretty annoying honestly but it is what it is. Our client paid for Cisco Professional Services and we had a TAC case open and they were legitimately no help. We asked them multiple times if they could replicate this on any of their appliances and they never tried anything in ASA mode. They just kept telling us "it works in platform mode". If this is the process for upgrading a firepower that is running in ASA mode, it's pretty dumb that you have to copy the configuration back. Seems like something that should be fixed to do a standard ASA upgrade.

 

Review Cisco Networking for a $25 gift card