12-16-2025 11:29 AM
Hello,
Having a problem while trying to upgrade an ASA 5506-X.
This is a factory reset device currently running 9.5.1 and trying to get to 9.16.4.25.
I can get there, but after a reboot the boot image is gone and I have to manually add it and wr mem.
Went from 9.5 > 9.12 > 9.16.
The first time after getting to 9.16, I rebooted and it reverted back to 9.5.
Updated ROMMON to 1.1.18, went through the process again, and same thing.
After every version, I check sh run boot and it's empty.
I have to run the command, boot sys flash:/asa9-16-4-85-lfbff-k8.SPA
Also, after every reboot the enable password is not set, so I have to set that.
What am I missing???
Here is the boot process after initial upgrade to 9.16:
ciscoasa> en
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
Note: Save your configuration so that the password persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa#
ciscoasa#
ciscoasa# sh boot
BOOT variable = disk0:/asa9-16-4-85-lfbff-k8.SPA
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa# sh run boot
ciscoasa#
ciscoasa# config t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# boot sys flas
ciscoasa(config)# boot sys flash:?
configure mode commands/options:
flash:/asa-cmd-server.log flash:/asa5500-firmware-1115.SPA
flash:/asa5500-firmware-1118.SPA flash:/asa9-12-4-lfbff-k8.SPA
flash:/asa9-16-4-85-lfbff-k8.SPA flash:/asa951-lfbff-k8.SPA
flash:/asdm-751.bin flash:/coredumpinfo
flash:/crypto_archive flash:/log
flash:/snortpacketinfo.conf
ciscoasa(config)# boot sys flash:/asa9-16-4-85-lfbff-k8.SPA
INFO: Converting flash:/asa9-16-4-85-lfbff-k8.SPA to disk0:/asa9-16-4-85-lfbff-k8.SPA
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# sh run boot
boot system disk0:/asa9-16-4-85-lfbff-k8.SPA
ciscoasa(config)# sh boot
BOOT variable = disk0:/asa9-16-4-85-lfbff-k8.SPA
Current BOOT variable = disk0:/asa9-16-4-85-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr mem
Building configuration...
Cryptochecksum: 09d7fb06 001538de 40c772f0 6a538205
3048 bytes copied in 0.370 secs
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
INIT:
INIT: Sending processes the TERM signal
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
acpid.
Stopping random number generator daemon.
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Tue 09/15/2020 20:35:13.52 by wchen64
Current image running: Boot ROM1
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 00:3a:7d:fb:c3:3d
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds. Boot in 9 seconds. Boot in 8 seconds. Boot in 7 seconds. Boot in 6 seconds. Boot in 5 seconds. Boot in 4 seconds. Boot in 3 seconds. Boot in 2 seconds. Boot in 1 second.
Located '.boot_string' @ cluster 892167.
#
Attempt autoboot: "boot disk0:/asa9-16-4-85-lfbff-k8.SPA"
Located 'asa9-16-4-85-lfbff-k8.SPA' @ cluster 847893.
############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
LFBFF signature verified.
Linux version: 4.18.45-yocto-standard (oe-user@oe-host) #1 SMP Wed Jul 30 19:40:24 UTC 2025
kernel_image = 0x743f4ec8, kernel_size=0x4c72a0
Image validated
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Starting random number generator daemon.
fsck.fat 4.1 (2017-01-24)
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 62 files, 877954/1937204 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
mkdir: cannot create directory '/dev/cgroups/memory/nlp': File exists
Starting random number generator daemon.
Configuring packages on first boot....
(This may take several minutes. Please do not power off the machine.)
Running postinst /etc/rpm-postinsts/100-sysvinit-inittab...
Running postinst /etc/rpm-postinsts/101-dpdk...
update-rc.d: /etc/init.d/run-postinsts exists dulina_init_env: memif is not enabled.
System Cores 4 Nodes 1 Max Cores 32
IO Memory Nodes: 1
IO Memory Per Node: 205520896 bytes num_pages = 50176 page_size = 4096
Global Reserve Memory Per Node: 314572800 bytes Nodes=1
LCMB: got DMA 205520896 bytes on numa-id=0, phys=0x0000000103000000, virt=0x00007fb18b400000
LCMB: HEAP-CACHE POOL got 306184192 bytes on numa-id=0, virt=0x00007fb178e00000
total_reserved_mem = 205520896
total_heapcache_mem = 306184192
total mem 2284316884 system 3965792256 kernel 33152122 image 99967000
new 3487581062 old 2883252862 reserve 205520896 priv new 3315212288 priv old 2609121280
Processor memory: 2284316884
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 34855
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Cisco Adaptive Security Appliance Software Version 9.16(4)85
Compiled on Thu 28-Aug-25 04:43 GMT by builders
WARNING: The FirePOWER module is no longer supported on this model; related ASA configuration was removed.
Total NICs found: 14
i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 003a.7dfb.c33d
ivshmem rev03 Backplane Data Interface @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface @ index 13 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x5701ed49 0x7ce0bdd4 0xb0a141f4 0x91e8d8d0 0x411a268a
The Running Activation Key feature: 2 security contexts exceed the limit on the platform, reduced to 0 security contexts.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Cisco Adaptive Security Appliance Software Version 9.16(4)85
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.16
Copyright (c) 1996-2025 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Ignoring startup configuration as instructed by configuration register.
INFO: Power-On Self-Test in process.
........................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> en
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
Note: Save your configuration so that the password persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa#
ciscoasa#
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 9.16(4)85
SSP Operating System Version 2.10(1.3000)
Device Manager Version 7.5(1)
Compiled on Thu 28-Aug-25 04:43 GMT by builders
System image file is "disk0:/asa9-16-4-85-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 26 secs
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 003a.7dfb.c33e, irq 255
2: Ext: GigabitEthernet1/2 : address is 003a.7dfb.c33f, irq 255
3: Ext: GigabitEthernet1/3 : address is 003a.7dfb.c340, irq 255
4: Ext: GigabitEthernet1/4 : address is 003a.7dfb.c341, irq 255
5: Ext: GigabitEthernet1/5 : address is 003a.7dfb.c342, irq 255
6: Ext: GigabitEthernet1/6 : address is 003a.7dfb.c343, irq 255
7: Ext: GigabitEthernet1/7 : address is 003a.7dfb.c344, irq 255
<--- More --->
ciscoasa# sh boot
BOOT variable = disk0:/asa9-16-4-85-lfbff-k8.SPA
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
ciscoasa#
ciscoasa# sh run boot
ciscoasa#
Thanks,
D
12-16-2025 07:01 PM
That is strange. I was going to ask if your confreg is modified but it does not appear so based on the output you provided. But just to be sure, can you:
If that does not work, my next suggestion is to try to upgrade first to the main 16.x train (9.16.4 - asa9-16-4-lfbff-k8.SPA). If that works, then you can proceed with upgrading to the interim (asa9-16-4-85-lfbff-k8.SPA) version.
If neither of these resolves the issue, the next step will be to engage Cisco TAC.
Thank you for rating helpful posts!
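
An added example, not part of either post: a Python check over a saved console capture that flags the three symptoms visible in the output above (the "Ignoring startup configuration" boot message, a saved BOOT variable with an empty "Current BOOT variable", and the missing enable password). The function name and finding codes are made up for illustration; the sample lines are excerpted from the capture in the first post.

```python
import re

# Lines copied from the console capture in the first post (shortened excerpt).
CAPTURE = """\
Attempt autoboot: "boot disk0:/asa9-16-4-85-lfbff-k8.SPA"
Ignoring startup configuration as instructed by configuration register.
ciscoasa> en
The enable password is not set. Please set it now.
ciscoasa# sh boot
BOOT variable = disk0:/asa9-16-4-85-lfbff-k8.SPA
Current BOOT variable =
ciscoasa# sh run boot
ciscoasa#
"""

CONFREG_MSG = "Ignoring startup configuration as instructed by configuration register"
# '^BOOT' does not match the 'Current BOOT variable' line, so the two stay separate.
BOOT_RE = re.compile(r"^BOOT variable =[ \t]*(.*)$", re.M)
CURRENT_RE = re.compile(r"^Current BOOT variable =[ \t]*(.*)$", re.M)


def audit_capture(text):
    """Return a list of (code, detail) findings for an ASA console capture."""
    findings = []
    if CONFREG_MSG in text:
        findings.append(("confreg-ignores-startup",
                         "boot skipped startup-config; check 'show version' "
                         "for the configuration register value"))
    # Pair each 'BOOT variable' line with the 'Current BOOT variable' after it.
    # In the post's output, 'Current' fills in as soon as 'boot system' is
    # entered, so an empty value means the running config has no boot statement.
    for saved, current in zip(BOOT_RE.findall(text), CURRENT_RE.findall(text)):
        saved, current = saved.strip(), current.strip()
        if saved and not current:
            findings.append(("boot-var-not-in-running-config",
                             f"saved BOOT={saved} but running config has none"))
    if "The enable password is not set" in text:
        findings.append(("enable-password-missing",
                         "running config has no enable password"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_capture(CAPTURE):
        print(f"{code}: {detail}")
```

On ASA, `show version` reports the configuration register at the end of its output (cut off at `<--- More --->` in the post), and `config-register` in global configuration mode changes it.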