ASA-x ROMMON upgrade for FTD/Sensors

Symptoms

Hardware-based devices receive, from time to time, BIOS, UEFI or firmware updates, which Cisco calls, for historical reasons, "ROMMON". While there is always an accompanying upgrade guide, there is no reference whatsoever for the ASA-X running in FTD/sensor mode. This article adds that missing link, in case anyone else ever has to follow this process, as I just did. The steps below were tested successfully on a 5506-X lab device running FTD 6.2.3.6, managed by an FMC.

Diagnosis

As per the "Cisco ASA Series General Operations CLI Configuration Guide, 9.5", chapter "Software and Configurations", subsection "Upgrade the ROMMON Image (5506-x, 5508-x, and 5516-x)" [1], the instructions point the admin to upload the new ROMMON code to the device and run the upgrade rommon command. While the firmware revision check and the file transfer can be done from the FTD CLI (with a minor command-line adjustment for the file transfer), the FTD CLI has no such upgrade command. At this point you may feel stuck.


[1] https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235

Solution

To perform the upgrade, the CLI needs to be switched from the default FTD mode to the Diagnostic mode. This is done with the command system support diagnostic-cli. This brings back the old familiar Cisco CLI, where you can move up to privileged mode with the enable command. At this point you are back in the documented procedure and can run the last required command, upgrade rommon. It verifies the file integrity and signature, asks you to confirm the configuration, and offers to reload. The device then reloads twice, once to read the new code and again to apply it, and finally reloads once more to bring FTD back up.


On the 5506-X, this process took about 10 minutes. Below is what it looks like on the console.

Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Wed 06/28/2017 14:36:11.63 by wchen64

Current image running: Boot ROM1
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00002000

Firmware upgrade step 1...
Looking for file 'disk0:asa5500-firmware-1114.SPA'
Located 'asa5500-firmware-1114.SPA' @ cluster 99075.

###########################################################################################
Image base 0x7700a018, size 9241408
LFBFF signature verified.
Objtype: lfbff_object_rommon (0x800000 bytes @ 0x7700a238)
Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x7780a258)
INFO: FPGA version in upgrade image: 0x0204
INFO: FPGA version currently active: 0x0204
INFO: The FPGA image is up-to-date.
INFO: Rommon version currently active: 1.1.12.
INFO: Rommon version in upgrade image: 1.1.14.
Active ROMMON: Preferred 1, selected 1, booted 1
Switching SPI access to standby rommon 0.
Please DO NOT reboot the unit, updating ROMMON...................
INFO: Duplicating machine state......
Reloading now as step 1 of the rommon upgrade process...

Toggling power on system board...

Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Wed 06/28/2017 14:36:11.63 by wchen64

Current image running: Boot ROM1
Last reset cause: RP-Reset
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000008
Active ROMMON: Preferred 1, selected 1, booted 1

Firmware upgrade step 2...
Detected current rommon upgrade is available, continue rommon upgrade process
Rommon upgrade reset 0 in progress
Reloading now as step 2 of the rommon upgrade process...
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018  by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder

Current image running: *Upgrade in progress* Boot ROM0
Last reset cause: BootRomUpgrade
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000010
PROM B: stopping boot timer
Active ROMMON: Preferred 1, selected 1, booted 0
INFO: Rommon upgrade state: ROMMON_UPG_TEST

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Please manually or auto boot ASAOS now to complete firmware upgrade !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
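As an added example (not part of the original article or of any Cisco tooling), here is a small check an admin can run over a captured console log like the one above to confirm that the upgrade actually completed: the LFBFF signature was verified, both reload steps happened, the new ROMMON reached its test state, and the last boot banner carries the version from the upgrade image. The sample log is constructed and condensed from the output shown above; the pattern names and the list of checks are my own.

```python
import re
from typing import Dict, List

# Constructed sample, condensed from the console output shown in the article.
SAMPLE_LOG = """\
Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
LFBFF signature verified.
INFO: Rommon version currently active: 1.1.12.
INFO: Rommon version in upgrade image: 1.1.14.
Reloading now as step 1 of the rommon upgrade process...
Reloading now as step 2 of the rommon upgrade process...
Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
INFO: Rommon upgrade state: ROMMON_UPG_TEST
!! Please manually or auto boot ASAOS now to complete firmware upgrade !!
"""

VER = r"(\d+(?:\.\d+)+)"
# Each pattern feeds one list in the parsed result, keyed by name (names are my own).
PATTERNS = {
    "banners": re.compile(r"^Cisco Systems ROMMON, Version " + VER),  # version at each boot
    "active": re.compile(r"Rommon version currently active: " + VER),  # version before upgrade
    "target": re.compile(r"Rommon version in upgrade image: " + VER),  # version in the .SPA file
    "states": re.compile(r"Rommon upgrade state: (\w+)"),
    "steps": re.compile(r"Reloading now as step (\d) of the rommon upgrade"),
    "signature": re.compile(r"^LFBFF signature verified\.$"),
}

def parse_log(text: str) -> Dict[str, List[str]]:
    """Collect every match of each pattern, in console order."""
    found = {key: [] for key in PATTERNS}
    for line in (l.strip() for l in text.splitlines()):
        for key, rx in PATTERNS.items():
            if m := rx.search(line):
                found[key].append(m.group(1) if m.groups() else line)
    return found

def problems(found: Dict[str, List[str]]) -> List[str]:
    """Findings that mean the capture does not show a clean, signed, two-step upgrade."""
    active, target = found["active"][-1:], found["target"][-1:]
    checks = [
        (bool(found["signature"]), "image signature never confirmed (no 'LFBFF signature verified.')"),
        (bool(target) and target != active, f"upgrade image version {target} missing or equal to active {active}"),
        (found["steps"] == ["1", "2"], f"expected reload steps ['1', '2'], saw {found['steps']}"),
        (found["banners"][-1:] == target, f"last boot banner {found['banners'][-1:]} does not show target {target}"),
        ("ROMMON_UPG_TEST" in found["states"], "new ROMMON never reached the ROMMON_UPG_TEST state"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it the full console capture from a terminal session; an empty list from problems() means the capture matches the sequence the article describes.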