Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

Comments

1. James Flockton says

   August 25, 2009 at 12:42 pm

   Thank you for your time writing this guide, it was very helpful. It works perfectly on my ASA5505.

   James

2. BlogAdmin says

   August 25, 2009 at 12:56 pm

   Hello James,

   Thanks for your feedback. I’m glad the guide was helpful to you.

   Harris

3. ALAN WILSON says

   September 28, 2009 at 9:48 pm

   Tried this but Ethernet0/0 link is down. Do you know how I can bring it up?

4. BlogAdmin says

   September 29, 2009 at 10:48 am

   Which ASA model are you using? If its a higher end model (5520 and up) then the interface is Gigabitethernet and not Ethernet, so you need to specify the correct interface name in ROMMON

5. ALAN WILSOIN says

   September 29, 2009 at 4:46 pm

   It’s the 5510. the commands work but the ethernet0/0 link is down.

6. BlogAdmin says

   September 29, 2009 at 6:32 pm

   Hello Alan,

   Connect your PC with the TFTP server on a different Ethernet port (e.g Ethernet0/1) and use that in the ROMMON command.

7. ALAN WILSOIN says

   September 29, 2009 at 7:51 pm

   My bad, I didn’t have the ip for my pc set correctly. This worked great. Thanks from us that are just learning and shoot ourselves in the foot.

8. Naveed says

   January 13, 2010 at 10:34 pm

   Thnx Man, That helped a lot!!!!

9. faris Ghanim says

   October 14, 2010 at 9:22 pm

   thinx
   ok where i find the image to download

10. BlogAdmin says

    October 15, 2010 at 6:39 am

    You must have a contract with Cisco or from a reseller in order to be able to download the image

11. shaig says

    January 24, 2011 at 2:01 pm

    hi admin.i did what you wrote above.but after i boots normally but after i reboot again it tries to boot from tftp server.i want it to boot from disk0.how can do it?
    i used the command copt tftp flash
    but it shows following
    ciscoasa# copy tftp flash

    Address or name of remote host []? 192.168.1.1

    Source filename []? asa804-23-k8.bin

    Destination filename [asa804-23-k8.bin]?

    Accessing tftp://192.168.1.1/asa804-23-k8.bin…
    %Error opening tftp://192.168.1.1/asa804-23-k8.bin (No such device)

    can any one help me?

12. BlogAdmin says

    January 24, 2011 at 2:45 pm

    shaig,

    try the following command which tells the asa firewall to boot from the flash image:

    ASA(config)#boot system flash:/asa804-23-k8.bin
    

13. jp says

    March 5, 2011 at 1:57 am

    Hi Admin,
    I did all this and is still takes me back to rommon (asa5520)
    ciscoasa# config t
    ciscoasa(config)# boot system flash:/asa821-k8.bin
    INFO: Converting flash:/asa821-k8.bin to disk0:/asa821-k8.bin
    ciscoasa(config)#
    ciscoasa# sho boot

    BOOT variable = disk0:/asa821-k8.bin
    Current BOOT variable = disk0:/asa821-k8.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =
    ciscoasa# wr me
    Building configuration…
    Cryptochecksum: 6fe15315 a9d7c5a3 b9902e2e a43ee691

    1653 bytes copied in 3.330 secs (551 bytes/sec)
    [OK]
    ciscoasa#
    ciscoasa# dir disk0:

    Directory of disk0:/

    16 -rwx 16275456 12:45:54 Mar 04 2011 asa821-k8.bin
    17 -rwx 14240396 12:46:48 Mar 04 2011 asdm-631(asa).bin
    10 drwx 2048 12:46:58 Mar 04 2011 coredumpinfo
    2 drwx 2048 13:04:20 Mar 04 2011 log
    9 drwx 2048 13:04:28 Mar 04 2011 crypto_archive

    63035392 bytes total (32485376 bytes free)
    ciscoasa#reload

    {twiddle fingers}

    04 02 00 8086 1209 Ethernet 11
    04 03 00 8086 1209 Ethernet 5

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5520
    Management0/0
    Ethernet auto negotiation timed out.
    Interface-4 Link Not Established (check cable).

    Default Interface number-4 Not Up

    Use ? for help.
    rommon #0> boot
    Launching BootLoader…
    Default configuration file contains 1 entry.

    Searching / for images to boot.

    No images in /
    Error 15: File not found

    unable to boot an image

14. BlogAdmin says

    March 7, 2011 at 9:51 am

    Looks like you have either a corrupted image or you have stored the image in a different location in flash

15. Claudio says

    June 3, 2011 at 5:28 pm

    I had the same problem, the way i fixed is by changing the config register to xxxf so the las byte had to be f so that it used the boot config to boot up.

16. ambet says

    June 16, 2011 at 3:34 pm

    Please help!

    Use ? for help.
    rommon #0> ADDRESS=192.168.1.20
    rommon #1> SERVER=192.168.1.10
    rommon #2> GATEWAY=192.168.1.1
    rommon #3> IMAGE=asa825-k8.bin
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

17. BlogAdmin says

    June 17, 2011 at 9:45 pm

    The problem could be related to two things:

    1) change the port to Ethernet0/1 and connect the tftp server to that port.
    2) maybe the ASA image file is corrupted.

18. mamang says

    June 21, 2011 at 12:59 am

    How about to backup image using rommon?

19. sdavis says

    August 16, 2011 at 10:45 pm

    Instructions to restore image lacking in information Do you have to type the = to get this to work?

20. BlogAdmin says

    August 17, 2011 at 6:44 am

    Yes you have to use the “=” sign in order to enter the required information in the parameters

21. Ashok says

    October 28, 2011 at 12:06 pm

    Can someone help me I have erased the Disk0: now i am trying to upload new image i getting the following error.

    Received 16459776 bytes

    Launching TFTP Image…

    Cisco Security Appliance admin loader (3.0) #0: Mon Jan 11 14:23:33 MST 2010
    Platform ASA5520
    Loading…
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    open /dev/hda1:No such device or address
    dosfsck(/dev/hda1) returned 1
    mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
    mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
    Set ‘tap0’ persistent and owned by uid 0
    IO memory 85360640 bytes

    Processor memory 344436736, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

    Total SSMs found: 0

    Total NICs found: 7
    mcwa i82557 Ethernet at irq 11 MAC: 001f.ca09.24b7
    mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
    Internal error. Crash dump information may not be read or written to flash
    i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 03 MAC: 001f.ca09.24bb
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 02 MAC: 001f.ca09.24ba
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 01 MAC: 001f.ca09.24b9
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: 001f.ca09.24b8

    INFO: Unable to read firewall mode from flash
    Writing defa

22. Bruce says

    February 17, 2012 at 11:42 pm

    My device always show rommon0 on reboot.

    I can get the bin file to the flash via tftpdnld,but when I try to save to disk on the ASA, i get the following error:

    ciscoasa(config)# boot system flash:/asa843-k8.bin
    “INFO: Converting flash:/asa843-k8.bin to disk0:/asa843-k8.bin
    WARNING: BOOT variable added, but unable to find disk0:/asa843-k8.bin”

    DIR disk0 shows:
    ciscoasa(config)# dir

    Directory of disk0:/

    2 drwx 2048 20:40:23 Feb 17 2012 log
    5 drwx 2048 20:40:39 Feb 17 2012 crypto_archive
    10 drwx 2048 20:40:41 Feb 17 2012 coredumpinfo
    12 -rwx 196 20:40:42 Feb 17 2012 upgrade_startup_errors_201202172040.log

    127004672 bytes total (126976000 bytes free)

    Here is the show run also:
    interface Ethernet0/0
    shutdown
    !
    interface Ethernet0/1
    shutdown
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    pager lines 24
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:59b2d0b09e74ff0d0a323de4c8972a54
    : end

    and the show version:

    Cisco Adaptive Security Appliance Software Version 8.4(3)

    Compiled on Fri 06-Jan-12 10:24 by builders
    System image file is “tftp://10.0.0.109/ASA843-K8.BIN”
    Config file at boot was “startup-config”

    ciscoasa up 53 mins 38 secs

    Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
    Number of accelerators: 1

    0: Int: Internal-Data0/0 : address is 0026.cb31.fe93, irq 11
    1: Ext: Ethernet0/0 : address is 0026.cb31.fe8b, irq 255
    2: Ext: Ethernet0/1 : address is 0026.cb31.fe8c, irq 255
    3: Ext: Ethernet0/2 : address is 0026.cb31.fe8d, irq 255
    4: Ext: Ethernet0/3 : address is 0026.cb31.fe8e, irq 255
    5: Ext: Ethernet0/4 : address is 0026.cb31.fe8f, irq 255
    6: Ext: Ethernet0/5 : address is 0026.cb31.fe90, irq 255
    7: Ext: Ethernet0/6 : address is 0026.cb31.fe91, irq 255
    8: Ext: Ethernet0/7 : address is 0026.cb31.fe92, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255
    The Running Activation Key is not valid, using default settings:

    Licensed features for this platform:
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 3 DMZ Restricted
    Dual ISPs : Disabled perpetual
    VLAN Trunk Ports : 0 perpetual
    Inside Hosts : 10 perpetual
    Failover : Disabled perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Disabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 10 perpetual
    Total VPN Peers : 12 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has a Base license.

    Serial Number: JMX1336Z1GD
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
    Configuration register is 0x102002
    Configuration last modified by enable_15 at 21:29:15.759 UTC Fri Feb 17 2012

    Can anyone help??

    TIA

    Bruce

23. Josh says

    May 31, 2012 at 3:43 pm

    Bruce –

    You are missing the ASA image in flash, once you tftpdnld you’ll need to “copy tftp: flash:” again to save it to flash. Then make sure the boot system parameter is set correctly and you should be good to go.

24. greasty says

    August 15, 2012 at 4:47 pm

    hi dears, very interested by the resolution of the problem.
    but my asa 505 while trying to initialized the port , it refusing to get address. here is the prtsc:

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 01 00 1022 2080 Host Bridge
    00 01 02 1022 2082 Chipset En/Decrypt 11
    00 0C 00 1148 4320 Ethernet 11
    00 0D 00 177D 0003 Network En/Decrypt 10
    00 0F 00 1022 2090 ISA Bridge
    00 0F 02 1022 2092 IDE Controller
    00 0F 03 1022 2093 Audio 10
    00 0F 04 1022 2094 Serial Bus 9
    00 0F 05 1022 2095 Serial Bus 9

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

    Platform ASA5505

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0> ADDRESS=10.132.44.177
    rommon #1> SERVER=10.129.0.30
    rommon #2> GATEWAY=10.132.44.1
    rommon #3> IMAGE=f1/asa722-k8.bin
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    rommon #4> port=Ethernet0/0
    Invalid or incorrect command. Use ‘help’ for help.
    rommon #4> PORT=Ethernet0/5
    Ethernet0/5
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 5 could not be initialized.

    rommon #4> Reason: I2C_UNPOPULATED_ERROR
    Invalid or incorrect command. Use ‘help’ for help.
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4> reset

    Rebooting….

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 01 00 1022 2080 Host Bridge
    00 01 02 1022 2082 Chipset En/Decrypt 11
    00 0C 00 1148 4320 Ethernet 11
    00 0D 00 177D 0003 Network En/Decrypt 10
    00 0F 00 1022 2090 ISA Bridge
    00 0F 02 1022 2092 IDE Controller
    00 0F 03 1022 2093 Audio 10
    00 0F 04 1022 2094 Serial Bus 9
    00 0F 05 1022 2095 Serial Bus 9

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

    Platform ASA5505

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0> ADDRESS=192.168.1.10
    rommon #1> SERVER=192.168.1.1
    rommon #2> GATEWAY=192.168.1.1
    rommon #3> IMAGE=f1/asa722-k8.bin
    rommon #4>
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4> PORT=Ethernet0/4
    Ethernet0/4
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 4 could not be initialized.

    rommon #4>
    rommon #4>
    rommon #4> PORT=Ethernet0/6 0/7
    Invalid PORT name argument, Valid arguments are:
    Ethernet0/0
    Ethernet0/1
    Ethernet0/2
    Ethernet0/3
    Ethernet0/4
    Ethernet0/5
    Ethernet0/6
    Ethernet0/7

    PORT= ethernet interface port

    rommon #4> PORT=Ethernet0/6
    Ethernet0/6
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 6 could not be initialized.

    rommon #4> PORT=Ethernet0/7
    Ethernet0/7
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 7 could not be initialized.

    rommon #4>

    help me pliz !!!

25. BlogAdmin says

    August 15, 2012 at 5:51 pm

    I would suggest connecting a different computer directly to a cisco port (e.g port 0/1) and try again.It seams like a hardware problem. Maybe the speed and duplex of your current PC does not negotiate correctly with the ASA.

26. Zied says

    August 31, 2012 at 5:06 pm

    Hi Admin,

    could you please help me,
    I had the same issue with my asa 5505.
    I tried to upload the image using rommon as specified above.
    the problem is at any reload the asa can’t find an image.

    wile checking I found that the path of boot is the following tftp://192.168.124.10/asa831-k8.bin which the tftp server I loaded the image from.

    the problem is that when running show flash I get the following

    ciscoasa# show flash
    –#– –length– —–date/time—— path
    3 2048 Aug 31 2012 05:30:18 log
    6 2048 Aug 31 2012 05:30:30 crypto_archive
    10 2048 Aug 31 2012 05:30:34 coredumpinfo
    11 43 Aug 31 2012 05:30:34 coredumpinfo/coredump.cfg

    127135744 bytes total (126844928 bytes free)

    how could I store the image to the flash knowing that while trying to do it using copy tftp flash there was an error

    ciscoasa# copy tftp flash

    Address or name of remote host []? 192.168.124.10

    Source filename []? asa831-k8.bin

    Destination filename [asa831-k8.bin]?

    Accessing tftp://192.168.124.10/asa831-k8.bin…
    WARNING: TFTP download incomplete!

    %Error reading tftp://192.168.124.10/asa831-k8.bin (Unspecified Error)
    ciscoasa#

    any suggestion please?

    thank for this great forum.

27. BlogAdmin says

    September 1, 2012 at 11:04 am

    Hello,

    First remove the command that points the image to be on tftp://192.168.124.10/asa831-k8.bin . Remove this line from ASA config, save it and reboot.

28. Zied says

    September 3, 2012 at 9:54 am

    Hi,

    Thanks for the reply.
    I tried to remove this line but I’ve got this:

    ciscoasa# conf t
    ciscoasa# conf terminal
    ciscoasa(config)# no tftp://192.168.124.10/asa831-k8.bin
    ^
    ERROR: % Invalid input detected at ‘^’ marker.
    ciscoasa(config)#

    the show run comand doesn’t show this line in the running-config file.
    it’s only shown when using “show version” command.

    the idea I’ve got is that when uploading the image using rommon, the file is uploaded to the RAM and not to the flash that’s why while rebooting, the asa doesn’t find an image for reboot.

    any idea about storing the image to the flash instead of RAM?
    or do you have any other suggestion?

29. BlogAdmin says

    September 3, 2012 at 5:12 pm

    Maybe the problem is the configuration register which determines how the ASA will boot. You can see the confreg at “show ver” command output.

    You can change this register as shown below:

    ASA(config)# config-register 0x01

    Save and reboot.

30. Zied says

    September 4, 2012 at 11:12 am

    I did that but nothing happened the firewall doesn’t boot since there is no image in the flash..
    The idea is clear for me, using rommon to upload an image to the firewall.
    this image is stored into RAM.
    then I should be able to tftp the image to the flash using

    ASA(config)# copy tftp flash (specifying the server and the file)

    but this command doesn’t work. even I tried to upload an old config file to the running config and it also failed.

    the solution is either to upload the image directly from rommon or to upload it to the RAM annd then use tftp server which fails until now with me.

    do you have any idea why this command is blocked?

31. Zied says

    September 4, 2012 at 4:50 pm

    Thank you for the help,
    I ‘ve changed my tftp soft and it functioned very well.

    I would ask you about one thing more, the command “show version” shows that:

    “The Running Activation Key is not valid”.

    does this has an impact on the firewall?

    what should I do in this case?

    thanks a lot again.

32. BlogAdmin says

    September 5, 2012 at 12:07 pm

    never seen such an error before. Have you installed a non-official image?

33. Zied says

    September 9, 2012 at 9:45 pm

    Sorry for the late reply,

    I downloaded the image from an asa used in another site of the entreprise I work in.
    but it seems that the image is designated for asa k8 while the dammaged asa is K9. that’s why the activation key didn’t work.

34. Deepu says

    August 24, 2013 at 9:18 am

    Hi,

    I have used erase command which deleted image on flash as well as on disk0

    how can i re-install ios image.

    Please help

35. Deepu says

    August 24, 2013 at 9:19 am

    sorry for missing device model asa 5520 firewall.

36. BlogAdmin says

    August 24, 2013 at 10:51 am

    If you have not rebooted the ASA, use tftp command to download a new image on the flash. If you have rebooted the device, you must get into ROMMON mode (as described in the article above) to download a new image on the flash or disk.

37. MIke D. says

    January 20, 2014 at 7:30 pm

    I have erased disk0 on my ASA5505. I am trying to load a new image via rommon. I have set the interface address to match my laptop. I am unable to ping between them? I have also tried to Xmodem through Hyperterminal but it times out.

    Help?

38. BlogAdmin says

    January 20, 2014 at 8:23 pm

    Mike,
    The interface address must be in the same subnet as the laptop and not the same. If the laptop IP is 192.168.1.10, then the interface IP of the ASA must be something like 192.168.1.11 for example.

39. Roland says

    April 8, 2014 at 11:24 am

    I struggled with it for 2 days to discover that my PC firewall needed to be turned off for this to work.

    But yes it works well, just keep in mind to turn off the PC firewall if your are experiencing issues with the command timing out

40. Syed Arshad says

    May 8, 2014 at 2:10 pm

    Guys need help, facing below problem….
    —————————-
    ROMMON Variable Settings:
    ADDRESS=192.168.1.2
    SERVER=192.168.1.1
    GATEWAY=192.168.1.1
    PORT=Ethernet0/0
    VLAN=untagged
    IMAGE=asa831-k8.bin
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=20

    rommon #14> PORT=Ethernet0/0
    Ethernet0/1
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 1 could not be initialized.

41. pambosch10 says

    May 8, 2014 at 6:05 pm

    Have you connected some ports on a switch? It looks like there is a hardware problem with the device.

42. Mousam says

    November 22, 2014 at 1:33 pm

    Hi admin,

    rommon #1> ADDRESS=192.168.1.10
    rommon #2> SERVER=192.168.1.1
    rommon #3> GATEWAY=192.168.1.1
    rommon #4> IMAGE=asa800-232-k8.bin
    rommon #5> PORT=Ethernet0/0

    in this case what should be range of my system? i have configure my system as
    ip 192.168.1.10
    gateway-192.168.1.1

    but unable to ping gateway. i can see tha port is up but unable to ping gateway

43. BlogAdmin says

    November 22, 2014 at 3:52 pm

    The purpose of the ROMMON configuration above is to prepare the basic network settings in order to execute the “tftp” command in order to download a new software image to the flash of the ASA.

44. Travis Deskins says

    March 31, 2016 at 8:34 pm

    rommon #8> tftpdnld
    ROMMON Variable Settings:
    ADDRESS=192.168.1.45
    SERVER=192.168.1.66
    GATEWAY=192.168.1.254
    PORT=GigabitEthernet0/0
    VLAN=untagged
    IMAGE=asa903-k8.bin
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=5

    tftp [email protected] via 192.168.1.254

    TFTP failure: Packet verify failed after 5 retries

    rommon #9>

    I dont see anything i did wrong. Could you possibly help me figure out what i cant tftp to this switch?

45. Harris Andrea says

    April 1, 2016 at 5:10 pm

    Travis, it looks like the image you have downloaded is corrupted somehow. Try to check the MD5 sum of the image.

46. Travis Deskins says

    April 1, 2016 at 6:17 pm

    My image is not corrupt I do not know why but if i set GATEWAY= 0.0.0.0 it works just fine.

47. Harris Andrea says

    April 1, 2016 at 8:15 pm

    Hm that’s interesting. Thanks for letting us know.

48. Jawad Abbasi says

    April 12, 2017 at 6:32 am

    After the ASA boots through the tftp image, it displays the command prompt. Typed enable and pressed Enter to get into privilege mode . Pressed Enter at the password prompt but it does not accept it and says invalid password.

    cisco>enable
    Password:

    Can any one assist?

    Thanks.

49. Harris Andrea says

    April 12, 2017 at 2:35 pm

    You are supplying the wrong privileged (enable secret) password. You need to reset the password if you have missed it.

    Harris

50. Mackenson says

    August 7, 2019 at 3:36 pm

    Hi, does it work for ASA 5508-X?
    I am new in networking, and they ask me to configure an ASA 5508-X with FirePower. But it does not have any
    configuration files and ios image.
    Can I apply these steps to load a new IOS image?

51. Harris Andrea says

    August 7, 2019 at 4:18 pm

    Yes it should work also for the 5508-X. Once you get into ROMMON it should work as explained.

52. Mackenson says

    August 7, 2019 at 4:32 pm

    Thank you Harris for answer. I will try to do it.
    But I have another question, Does the IOS image for ASA 5508-X include the firepower software? Or I have to install the IOS image and then install the Firepower software?

53. Harris Andrea says

    August 7, 2019 at 7:16 pm

    In order to have both ASA and Firepower you need to install the FTD image (Firepower Threat Defense) which is a unified software image. It is supported on the 5508-X as well.

54. Emmanuel says

    September 19, 2019 at 12:06 pm

    Please, where do i download a valid image for my ASA 5505?

55. Harris Andrea says

    September 19, 2019 at 2:19 pm

    Images for ASA5505 must be obtained from Cisco or an official Cisco distributor/partner

56. Evan Kean says

    February 13, 2020 at 2:25 pm

    Thanks. Great site.

57. Harris Andrea says

    February 13, 2020 at 5:00 pm

    Thanks a lot Evan, I’m glad you liked my site and the content.