HQuest
Level 1

Symptoms

Hardware-based devices receive BIOS, UEFI or firmware updates from time to time; Cisco calls this firmware, for historical reasons, "ROMMON". While there is always an accompanying upgrade guide, there is no reference whatsoever for the ASA-x while running in FTD/sensor mode. This article adds that missing link, in the event anyone ever has to follow this process, as I just did. The below was tested successfully on a 5506-X lab device running FTD 6.2.3.6, managed by an FMC.

Diagnosis

As per the "Cisco ASA Series General Operations CLI Configuration Guide, 9.5" document, section "Chapter: Software and Configurations", subsection "Upgrade the ROMMON Image (5506-x, 5508-x, and 5516-x)" [1], the instructions point the admin to upload the new ROMMON code to the device and run the upgrade rommon command. While the firmware revision verification and the file transfer can be done from the FTD CLI (with a minor command-line adjustment for the file transfer), the FTD CLI has no such upgrade command. As such, you may now feel stuck.

 

[1] https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/admin-swconfig.html#task_90917D0EBAC2427487F6F51D21ABC235

Solution

In order to perform the upgrade, the CLI needs to be changed from the default FTD mode to the Diagnostic mode. This is done with the command system support diagnostic-cli. This brings back our old familiar Cisco CLI, where you can move up to privileged mode with the enable command. At this point you are back in the documented process and able to run the last required command, upgrade rommon. It will verify the file integrity and signature, confirm the configuration, and ask to reload the device. The device will then reload twice, once to read the new code and once more to apply it, and finally reload to bring FTD back up.

 

On the 5506-X, this process took about 10 minutes. See below for what it looks like.

 

 


Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Wed 06/28/2017 14:36:11.63 by wchen64

Current image running: Boot ROM1
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00002000

Firmware upgrade step 1...
Looking for file 'disk0:asa5500-firmware-1114.SPA'
Located 'asa5500-firmware-1114.SPA' @ cluster 99075.

###########################################################################################
Image base 0x7700a018, size 9241408
LFBFF signature verified.
Objtype: lfbff_object_rommon (0x800000 bytes @ 0x7700a238)
Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x7780a258)
INFO: FPGA version in upgrade image: 0x0204
INFO: FPGA version currently active: 0x0204
INFO: The FPGA image is up-to-date.
INFO: Rommon version currently active: 1.1.12.
INFO: Rommon version in upgrade image: 1.1.14.
Active ROMMON: Preferred 1, selected 1, booted 1
Switching SPI access to standby rommon 0.
Please DO NOT reboot the unit, updating ROMMON...................
INFO: Duplicating machine state......
Reloading now as step 1 of the rommon upgrade process...

Toggling power on system board...

Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
Copyright (c) 1994-2017  by Cisco Systems, Inc.
Compiled Wed 06/28/2017 14:36:11.63 by wchen64

Current image running: Boot ROM1
Last reset cause: RP-Reset
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000008
Active ROMMON: Preferred 1, selected 1, booted 1

Firmware upgrade step 2...
Detected current rommon upgrade is available, continue rommon upgrade process
Rommon upgrade reset 0 in progress
Reloading now as step 2 of the rommon upgrade process...
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018  by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder

Current image running: *Upgrade in progress* Boot ROM0
Last reset cause: BootRomUpgrade
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000010
PROM B: stopping boot timer
Active ROMMON: Preferred 1, selected 1, booted 0
INFO: Rommon upgrade state: ROMMON_UPG_TEST

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Please manually or auto boot ASAOS now to complete firmware upgrade !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
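
When this upgrade is run on more than one unit, it helps to check each saved console capture mechanically instead of reading it by eye. The following is an added example, not part of the original article and not Cisco tooling: a Python check that looks for the milestones visible in the capture above (signature verified, a newer version in the image, both reload steps, the new ROMMON banner, the ROMMON_UPG_TEST state). The function name and the shortened sample, built from lines of that capture, are assumptions made for illustration.

```python
import re

# Constructed sample: key lines taken from the console capture in the article.
SAMPLE = """\
LFBFF signature verified.
INFO: Rommon version currently active: 1.1.12.
INFO: Rommon version in upgrade image: 1.1.14.
Reloading now as step 1 of the rommon upgrade process...
Cisco Systems ROMMON, Version 1.1.12, RELEASE SOFTWARE
Reloading now as step 2 of the rommon upgrade process...
Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Current image running: *Upgrade in progress* Boot ROM0
INFO: Rommon upgrade state: ROMMON_UPG_TEST
"""

VER = r"(\d+(?:\.\d+)+)"  # dotted version such as 1.1.14

def _find(pattern, log):
    m = re.search(pattern, log)
    return m.group(1) if m else None

def check_rommon_upgrade(log):
    """Return a list of problems found in a captured upgrade log (empty = OK)."""
    problems = []
    if "LFBFF signature verified." not in log:
        problems.append("signature verification not reported")
    active = _find(r"Rommon version currently active: " + VER, log)
    target = _find(r"Rommon version in upgrade image: " + VER, log)
    if not (active and target):
        problems.append("version lines missing")
        return problems
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    if as_tuple(target) <= as_tuple(active):
        problems.append(f"image {target} is not newer than active {active}")
    # Both reload steps must appear, in order.
    s1 = log.find("step 1 of the rommon upgrade process")
    s2 = log.find("step 2 of the rommon upgrade process")
    if s1 < 0 or s2 < s1:
        problems.append("reload steps 1 and 2 not both seen in order")
    # The last ROMMON banner in the capture must be the target version.
    banners = re.findall(r"Cisco Systems ROMMON, Version " + VER + ",", log)
    if not banners or banners[-1] != target:
        problems.append(f"last ROMMON banner is not {target}")
    if "ROMMON_UPG_TEST" not in log:
        problems.append("never reached ROMMON_UPG_TEST")
    return problems

if __name__ == "__main__":
    print(check_rommon_upgrade(SAMPLE) or "capture looks complete")
```

An empty result only means the capture reached the same point as the one above; the final banner still asks for the OS to be booted to complete the upgrade.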

 

Comments
Erwan LE BIHAN
Level 1

Should be integrated into the RomMon Upgrade Procedure as the documentation only covers Upgrade from ASA.

rboersma
Cisco Employee

In 6.3, the FTD copy command doesn't work (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn57678), and using copy within the diagnostic CLI doesn't work because it doesn't have any interfaces or routing. So I'm stuck trying to upgrade ROMMON using FTD, vs. having to reimage to ASA, upgrade ROMMON, and then reimage back to FTD. I don't think it would be appropriate to tell customers to go into expert mode and copy in linux. Copying from ROMMON won't work. [actually it does work to copy from the diagnostic CLI if you have a data interface configured.] 

GrapeafterEbc
Level 1

Happy to hear that! Your comment made mine.

rboersma
Cisco Employee

Revision: You can copy from within the diagnostic CLI if you have a data interface configured (either Diagnostic or a regular data interface). I don't know why it wasn't working for me initially (deployment error, maybe).

aktiviswz
Level 1

Thank you for sharing superb information. Your website is very cool. I’m impressed by the details that you have on this website.
