01-09-2018 07:37 AM - edited 03-05-2019 09:44 AM
Hi, I am trying to configure an unused firewall ASA 5550. For it, I am trying to load a new image through a TFTP server. It's getting booted up via rommon, but I am not able to copy it to flash or disk. I am not very familiar with how to do this on a firewall. Also, what changes need to be made in the config register (as we do in a router upgrade)? I am posting some of the output from the firewall after copying the new ios. Please help me in finding a way to delete all the existing ios images and boot with a new ios.
SHOW VERSION - This command shows that it has booted with the new ios
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "tftp://192.168.1.1/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 12 mins 50 secs
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
SHOW FLASH - This command doesn't display my new ios. How should I copy the new IOS to flash or disk? I am confused where to copy - flash or disk. Please help me out with this.
ciscoasa# sh flash:
--#-- --length-- -----date/time------ path
34 85129 Jun 07 2015 10:36:32 config_7Jun_ios82.cfg
3 4096 Jan 01 2003 00:04:04 log
10 4096 Jan 01 2003 00:04:18 crypto_archive
11 4096 Jan 01 2003 00:05:02 coredumpinfo
12 43 Jan 09 2018 13:42:54 coredumpinfo/coredump.cfg
36 135168 Jan 01 1980 00:00:00 FSCK0000.REC
37 12998641 Jul 02 2011 20:16:08 csd_3.5.2008-k9.pkg
38 4096 Jul 02 2011 20:16:08 sdesktop
117 1462 Jul 02 2011 20:16:08 sdesktop/data.xml
39 6487517 Jul 02 2011 20:16:10 anyconnect-macosx-i386-2.5.2014-k9.pkg
40 6689498 Jul 02 2011 20:16:14 anyconnect-linux-2.5.2014-k9.pkg
41 4678691 Jul 02 2011 20:16:16 anyconnect-win-2.5.2014-k9.pkg
42 85117 Jun 07 2015 10:20:18 8_2_5_55_startup_cfg.sav
43 4096 Apr 14 2012 12:40:24 tmp
44 25819140 Mar 28 2016 13:49:44 asdm-761.bin
45 4096 Jan 01 1980 00:00:00 FSCK0001.REC
46 25088760 Aug 29 2014 07:19:36 asdm-731.bin
47 12275 Jun 07 2015 10:20:32 upgrade_startup_errors_201506071020.log
48 26353488 Jun 07 2015 13:38:12 asdm-742.bin
49 59115 Mar 12 2015 05:47:06 oldconfig_2015Mar12_0641.cfg
50 25629676 Feb 12 2016 13:25:46 asdm-752-153.bin
51 100 Jan 09 2018 12:58:30 upgrade_startup_errors_201801091258.log
PING TO TFTP - not working (not sure how it copied the ios from tftp if route is not there)
ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
No route to host 192.168.1.1
I would really be thankful if someone could help me out in a detailed way as to what might be the issue.
Thanks a ton in advance..!! :)
01-09-2018 07:57 AM
Part of your question is easy to answer. You ask about flash or disk. Functionally they are the same (flash resides on the disk). So the usual thing is to copy the new image to flash.
It seems a bit odd that the ASA did boot from the TFTP server but is now not able to ping it. You mention that the ASA booted from rommon. Can you tell us all the steps that you did in rommon to get the ASA to boot? Perhaps one of those steps was to set a route or an address that was active in rommon but is not active while the ASA is running?
HTH
Rick
01-09-2018 10:01 PM
Hi Richard,
Below are the steps that we performed on the ASA 5550 in rommon mode.
rommon #1> ADDRESS=192.168.1.2
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa821-k8.bin
rommon #5> PORT=GigabitEthernet0/1
rommon #6> tftp
After performing these steps it got booted up.
01-10-2018 05:55 AM
Hi All.
I am also facing the same issue while trying to load the ios image. Can anyone please help. Any help would be greatly appreciated.
Thanks in advance,
Nobin Varghese
01-10-2018 06:14 AM
I am able to ping in ROMMON mode:
rommon #6> ping 192.168.1.1
Sending 20, 100-byte ICMP Echoes to 192.168.1.1, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)
rommon #7> tftp
ROMMON Variable Settings:
ADDRESS=192.168.1.2
SERVER=192.168.1.1
GATEWAY=192.168.1.1
PORT=GigabitEthernet0/1
VLAN=untagged
IMAGE=asa903-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
but once it gets booted, it's not pinging -
ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
No route to host 192.168.1.1
Success rate is 0 percent (0/1)
01-10-2018 06:25 AM
Thank you for the additional information. This does clarify that you set an IP address on an interface and defined a default gateway while in rommon. My guess is that once it has booted and is running from its running configuration that it does not have the same IP address and default gateway configured. Can you share from the running config at least the interface configurations and any route statements in the config?
HTH
Rick
01-10-2018 06:39 AM
Hi Richard,
Here are the configurations:
ROUTE INFORMATION
ciscoasa# sh route ?
Current available interface(s):
management Name of interface Management0/0
| Output modifiers
<cr>
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
INTERFACE SETTINGS: while in ROMMON, I assigned IPs as described in my previous comments. Now I see the server IP has been assigned to Management0/0 and the Gi0/1 IP (192.168.1.2) is not set.
ciscoasa# sh run
: Saved
:
ASA Version 9.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
01-10-2018 06:29 AM
Nobin
You tell us that you face the same issue but it is not clear whether you have really had to boot an ASA from rommon and are now having problems in getting the image to the ASA. If that is the case then I hope that the suggestions made so far will help you to resolve your issue. If that is not the case then you need to share more information about your situation.
HTH
Rick
01-10-2018 09:36 AM
Hi Richard,
Thanks for all your help.
I went through some more documents and Cisco forum discussions and was able to resolve this issue.
The mistake which I was making was that once the ASA is rebooting, the Management0/0 interface is getting the 192.168.1.1 IP which I configured during ROMMON mode.
What I did now is, I removed the IP from Management0/0 and assigned it to Gi0/1, to which the TFTP server is connected. So now, I have a route to my tftp server and so it is pinging and then, I was able to copy ios into flash using this command: copy tftp: flash:
After this I ran this command in config mode: boot system <file name> to make this ios as default boot file.
The only thing I would like to know from you now is, do I need to copy the asdm file in a similar way?
01-10-2018 03:22 PM
In your original post it shows that this file for ASDM is in flash
44 25819140 Mar 28 2016 13:49:44 asdm-761.bin
If you want to use that version of ASDM with the version of ASA code that you loaded then there is no need to copy the ASDM code. If you want to use a different ASDM then you would need to copy that file from the TFTP server to the ASA flash.
HTH
Rick