Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3449
Views
2
Helpful
24
Replies

Unable to copy firmware image to ASA

UZaman3
Level 1
Level 1

‎04-29-2024 06:00 AM

I am trying to upgrade the firmware on ASA's we have at multiple sites but for some reason copying over the firmware fails. We are currently running FP2140's in ASA mode and whenever I copy the files over from a windows machine, it fails. I am using scp to transfer the file over and the file begins to transfer. On the windows machine I see the progress of the transfer and on the ASA I see a temp file name of scp_1 which indicates the file is being transferred over. It takes 10 minutes or so for the transfer to say 100% on the windows box and then it fails with the error "Error: Signature not valid for file disk0:/cisco-asa-fp2k.9.18.4.22.spa. I was able to successfully transfer this image to our Nexus and even tried to scp it from the Nexus to the ASA but still no luck. Does anyone know how I can get this file up to the ASA so I can upgrade them?

1 person had this problem
0 Helpful
24 Replies 24

Marius Gunnerud
VIP
VIP
In response to UZaman3

‎05-01-2024 01:00 AM - edited ‎05-01-2024 01:02 AM

FXOS package should be included in the update you are trying to install.  It is just the 4100 and 9100 series that require a separate FXOS upgrade.

I suggest trying to upload random .cfg file you create to the ASA to verify that upload actually works. if that works, try uploading 9.20 to the device.  Just be clear that you are not upgrading to 9.20 unless you want to, we just need to verify that copying files to the device is not the issue and that the issue is with that specific software.

If those do not copy to the ASA then there is an issue that you will need TAC to assist with.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

UZaman3
Level 1
Level 1
In response to Marius Gunnerud

‎05-01-2024 06:16 AM

So I was able to successfully copy over asdm-7191-95.bin to the 2140 and set it as the new asdm image so copying files over definitely works. But for whatever reason, whenever I try to copy the ASA image over, it fails with the same error every time: "%Error: Signature not valid for file disk0:/asa_file_name"

These are the ASA images I have tried to copy over and they have all failed with that error:

cisco-asa-fp2k.9.20.2.10.SPA

cisco-asa-fp2k.9.17.1.SPA

cisco-asa-fp2k.9.16.3.14.SPA

cisco-asa-fp2k.9.14.3.1.SPA

 

0 Helpful

Dustin Anderson
VIP
VIP

‎05-01-2024 11:13 AM

Not sure if this is applicable to yours, but there was a similar copy bug on the 5500 series it looks like that they had to disable the SFR module to get the copy to succeed.

 

https://community.cisco.com/t5/network-security/asa-ios-upgrade-quot-signature-not-valid-for-file-quot-error-9-8/td-p/4398459

0 Helpful

UZaman3
Level 1
Level 1

‎05-01-2024 11:53 AM

Thank you for sharing and yeah, I saw that as well. Does the 2140 chassis have the SFR module? I don't believe it does since it's natively a Firepower chassis and not an ASA chassis with a FirePower Module like the 5500 series was. I could be wrong though

0 Helpful

Dustin Anderson
VIP
VIP

‎05-01-2024 12:39 PM - edited ‎05-01-2024 12:40 PM

Yeah, I know the 5500 series had a show module command, but on our 2140 I don't see anything, but we also have it as a FTD, not ASA.

It really seems like some bug, and you may need to open a TAC to see if they have a workaround.

 

On a side note, do you have physical access to it that you could try copying from a USB drive?

0 Helpful

Marius Gunnerud
VIP
VIP

‎05-01-2024 11:31 PM

One thing you might try if you haven't already done this, is to reload the ASA.  There could be some stuck processes that are causing this issue.

If that does not solve the issue then this likely a case for TAC as there could be some issue with the databases.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

firat-yng
Level 1
Level 1

‎05-09-2024 10:22 PM

You can check fxos mode. If it set to platform mode you need to do upgrade on chasis.

connect fxos

show fxos mode or show fxos detail.

it-admin-pac
Level 1
Level 1

‎07-17-2024 01:11 PM - edited ‎07-17-2024 01:18 PM

Have you ever figured this issue out? I'm running into the same exact thing. 

Edit: I'm trying through the FMC now and its looking promising actually. Will update the thread.

0 Helpful

it-admin-pac
Level 1
Level 1
In response to it-admin-pac

‎07-17-2024 02:47 PM

Here is how I had to do it because following the Cisco documentation yielded me about 20 hours of pain. FTP, SCP, and USB did not work on the ASA.

Here is how I had to do it:

1. I went to FMC and uploaded the image.

2. I started the upgrade in FMC after validating it.

3. This only upgraded one ASA for me, I am running a Active/Passive HA Pair. 

4. You start to see messages like this: 

************WARNING****WARNING****WARNING********************************
Mate version 9.12(3)12 is not identical with ours 9.18(4)29
************WARNING****WARNING****WARNING********************************

5. I sshed into the FTD on the secondary ASA and plugged in a USB with the install into the unit.

 5A. scope firmware

 5B. download image usbA:/cisco-asa-fp2k.9.18.4.29.SPA

 5C. show download-task (Make sure its downloaded)

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.18.4.29.SPA.                    Usb A 0              Downloaded

6. scope auto-install

7. install security-pack version 9.18.4.29

8. This will Install the firmware on the secondary unit.

Thats what I followed and so far it's working good now. 

 

 

 

UZaman3
Level 1
Level 1
In response to it-admin-pac

‎07-17-2024 05:36 PM

So what we had to do since our customer doesn't have FMC was pretty janky but it worked:

1. We copied the running-config to a text file (used scp to copy it to our server)

2. Changed the firepower from ASA mode to platform mode (config gets wiped)

3. Do the normal upgrade steps via CLI in platform mode

   - this required putting an IP on the management interface and re-establishing an SSH session. This is due to the config being wiped when you changed the mode

4. Upgrade completed successfully, changed the appliance back to ASA mode

5. Add management IP again and SCP the running config back onto the ASA

Don't know why only on the 2100 series we had to move it back to platform mode to do the install. Pretty annoying honestly but it is what it is. Our client paid for Cisco Professional Services and we had a TAC case open and they were legitimately no help. We asked them multiple times if they could replicate this on any of their appliances and they never tried anything in ASA mode. They just kept telling us "it works in platform mode". If this is the process for upgrading a firepower that is running in ASA mode, it's pretty dumb that you have to copy the configuration back. Seems like something that should be fixed to do a standard ASA upgrade.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card