Facing difficulty in loading ios image in firewall through tftp

ankit.chhawsaria
Beginner

Hi, I am trying to configure an unused firewall ASA 5550. For it, I am trying to load a new image through a tftp server. It's getting booted up via rommon, but I am not able to copy it to flash or disk. I am not very familiar with how to do this on a firewall. Also, what changes need to be made in the config register (as we do in a router upgrade)? I am posting some of the output from the firewall after copying the new ios. Please help me in finding a way to delete all the existing ios images and boot with a new ios.

 

SHOW VERSION - This command shows that it has booted with the new ios

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "tftp://192.168.1.1/asa821-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 12 mins 50 secs

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

 

SHOW FLASH - This command doesn't display my new ios. How should I copy the new IOS to flash or disk? I am confused where to copy - flash or disk. Please help me out with this.

 

ciscoasa# sh flash:
--#--  --length--  -----date/time------  path
   34  85129       Jun 07 2015 10:36:32  config_7Jun_ios82.cfg
    3  4096        Jan 01 2003 00:04:04  log
   10  4096        Jan 01 2003 00:04:18  crypto_archive
   11  4096        Jan 01 2003 00:05:02  coredumpinfo
   12  43          Jan 09 2018 13:42:54  coredumpinfo/coredump.cfg
   36  135168      Jan 01 1980 00:00:00  FSCK0000.REC
   37  12998641    Jul 02 2011 20:16:08  csd_3.5.2008-k9.pkg
   38  4096        Jul 02 2011 20:16:08  sdesktop
  117  1462        Jul 02 2011 20:16:08  sdesktop/data.xml
   39  6487517     Jul 02 2011 20:16:10  anyconnect-macosx-i386-2.5.2014-k9.pkg
   40  6689498     Jul 02 2011 20:16:14  anyconnect-linux-2.5.2014-k9.pkg
   41  4678691     Jul 02 2011 20:16:16  anyconnect-win-2.5.2014-k9.pkg
   42  85117       Jun 07 2015 10:20:18  8_2_5_55_startup_cfg.sav
   43  4096        Apr 14 2012 12:40:24  tmp
   44  25819140    Mar 28 2016 13:49:44  asdm-761.bin
   45  4096        Jan 01 1980 00:00:00  FSCK0001.REC
   46  25088760    Aug 29 2014 07:19:36  asdm-731.bin
   47  12275       Jun 07 2015 10:20:32  upgrade_startup_errors_201506071020.log
   48  26353488    Jun 07 2015 13:38:12  asdm-742.bin
   49  59115       Mar 12 2015 05:47:06  oldconfig_2015Mar12_0641.cfg
   50  25629676    Feb 12 2016 13:25:46  asdm-752-153.bin
   51  100         Jan 09 2018 12:58:30  upgrade_startup_errors_201801091258.log

 

 

 

 

PING TO TFTP - not working (not sure how it copied the ios from tftp if route is not there)

ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
No route to host 192.168.1.1

 

 

I would really be thankful if someone could help me out in a detailed way as to what might be the issue.

 

 

Thanks a ton in advance..!! :)

 

1 Accepted Solution

ankit.chhawsaria
Beginner

Hi Richard,

Thanks for all your help.

I went through some more documents and Cisco forum discussions and was able to resolve this issue.

The mistake which I was making was that once the ASA is rebooting, the Management0/0 interface is getting the 192.168.1.1 IP which I configured during ROMMON mode.

 

What I did now is, I removed the IP from Management0/0 and assigned it to Gi0/1, to which the TFTP server is connected. So now, I have a route to my tftp server and so it is pinging and then, I was able to copy ios into flash using this command: copy tftp: flash:

 

After this I ran this command in config mode: boot system <file name> to make this ios as default boot file.

 

The only thing I would like to know from you now is, do I need to copy the asdm file in a similar way?

 

9 Replies

Richard Burts
Hall of Fame Guru

Part of your question is easy to answer. You ask about flash or disk. Functionally they are the same (flash resides on the disk). So the usual thing is to copy the new image to flash.

 

It seems a bit odd that the ASA did boot from the TFTP server but is now not able to ping it. You mention that the ASA booted from rommon. Can you tell us all the steps that you did in rommon to get the ASA to boot? Perhaps one of those steps was to set a route or an address that was active in rommon but is not active while the ASA is running?

 

HTH

 

Rick 


Hi Richard,

Below are the steps that we performed on the ASA 5550 in rommon mode.

 

rommon #1> ADDRESS=192.168.1.2

rommon #2> SERVER=192.168.1.1

rommon #3> GATEWAY=192.168.1.1

rommon #4> IMAGE=asa821-k8.bin

rommon #5> PORT=GigabitEthernet0/1

rommon #6> tftp

 

After performing these steps it got booted up.

Nobin.Varghese
Beginner

Hi All.

I am also facing the same issue while trying to load the ios image. Can anyone please help. Any help would be greatly appreciated.

Thanks in advance,

Nobin Varghese

I am able to ping in ROMMON mode:

rommon #6> ping 192.168.1.1
Sending 20, 100-byte ICMP Echoes to 192.168.1.1, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)
rommon #7> tftp
ROMMON Variable Settings:
  ADDRESS=192.168.1.2
  SERVER=192.168.1.1
  GATEWAY=192.168.1.1
  PORT=GigabitEthernet0/1
  VLAN=untagged
  IMAGE=asa903-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

 

 

but once it gets booted, it's not pinging -

ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
No route to host 192.168.1.1

Success rate is 0 percent (0/1)

Thank you for the additional information. This does clarify that you set an IP address on an interface and defined a default gateway while in rommon. My guess is that once it has booted and is running from its running configuration that it does not have the same IP address and default gateway configured. Can you share from the running config at least the interface configurations and any route statements in the config?

 

HTH

 

Rick


Hi Richard,

Here is the configurations :

 

 

ROUTE INFORMATION

ciscoasa# sh route ?

Current available interface(s):
  management  Name of interface Management0/0
  |           Output modifiers
  <cr>
ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

 

 

INTERFACE SETTINGS: while in ROMMON, I assigned IPs as described in my previous comments. Now I see the server IP has been assigned to Management0/0 and the Gi0/1 IP (192.168.1.2) is not set.

ciscoasa# sh run
: Saved
:
ASA Version 9.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable

Nobin

 

You tell us that you face the same issue but it is not clear whether you have really had to boot an ASA from rommon and are now having problems in getting the image to the ASA. If that is the case then I hope that the suggestions made so far will help you to resolve your issue. If that is not the case then you need to share more information about your situation.

 

HTH

 

Rick


In your original post it shows that this file for ASDM is in flash

 44  25819140    Mar 28 2016 13:49:44  asdm-761.bin

If you want to use that version of ASDM with the version of ASA code that you loaded then there is no need to copy the ASDM code. If you want to use a different ASDM then you would need to copy that file from the TFTP server to the ASA flash.

 

HTH

Rick
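
The fix from the accepted solution, written out as one ASA CLI session (an added example, not part of the original thread). Addresses, interface names and file names are the ones posted above; the interface name `inside`, the security level and the /24 mask on GigabitEthernet0/1 are assumptions, and the `verify /md5` step is an addition because TFTP transfers are unauthenticated.

```cisco
! Added example, not from the original posts.
! Assumed: nameif "inside", security-level 100, mask 255.255.255.0 on Gi0/1.
configure terminal
!
! Management0/0 currently holds 192.168.1.1, which is the TFTP server's
! address, so the ASA treats that address as its own. Free it.
interface Management0/0
 no ip address
!
! Put the address used in ROMMON on the port the TFTP server is cabled to.
! An ASA interface carries no traffic until it has a nameif.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 no shutdown
end
!
! A connected route for 192.168.1.0/24 should now exist.
show route
ping 192.168.1.1
!
! Copy the image into flash (disk0: and flash: are the same device).
copy tftp://192.168.1.1/asa821-k8.bin disk0:/asa821-k8.bin
!
! TFTP gives no integrity or authenticity guarantee. Compare this hash
! with the value published on the vendor download page before booting it.
verify /md5 disk0:/asa821-k8.bin
!
! Make the copied image the default boot image and save.
configure terminal
boot system disk0:/asa821-k8.bin
!
! Optional: use the ASDM file already in flash (from the original listing).
asdm image disk0:/asdm-761.bin
end
write memory
!
! Confirm what the next reload will boot.
show bootvar
```

If the hash does not match the published value, delete the file and fetch it again rather than setting it as the boot image.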