Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

Written By Harris Andrea

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP.

Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:

Step1: Connect to the ASA firewall using a console cable.

Step2: Power off the appliance and then power it on.

Step3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.

Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC with TFTP server on a firewall port (e.g Ethernet0/0). Then enter the following commands on the ASA.

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0

MORE READING: Connections and Translations on Cisco ASA Firewalls

The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin

Step5: Execute the TFTP upload from the ASA using:

rommon #6> tftp

The above instructs the firewall to start uploading the image file from TFTP.

After the firewall reboots, login and check that the new image has been installed (show version)

DOWNLOAD THIS ARTICLE AS PDF FILE

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

James Flockton says

August 25, 2009 at 12:42 pm

Thank you for your time writing this guide, it was very helpful. It works perfectly on my ASA5505.

James
BlogAdmin says

August 25, 2009 at 12:56 pm

Hello James,

Thanks for your feedback. I’m glad the guide was helpful to you.

Harris
ALAN WILSON says

September 28, 2009 at 9:48 pm

Tried this but Ethernet0/0 link is down. Do you know how I can bring it up?
BlogAdmin says

September 29, 2009 at 10:48 am

Which ASA model are you using? If its a higher end model (5520 and up) then the interface is Gigabitethernet and not Ethernet, so you need to specify the correct interface name in ROMMON
ALAN WILSOIN says

September 29, 2009 at 4:46 pm

It’s the 5510. the commands work but the ethernet0/0 link is down.
BlogAdmin says

September 29, 2009 at 6:32 pm

Hello Alan,

Connect your PC with the TFTP server on a different Ethernet port (e.g Ethernet0/1) and use that in the ROMMON command.
ALAN WILSOIN says

September 29, 2009 at 7:51 pm

My bad, I didn’t have the ip for my pc set correctly. This worked great. Thanks from us that are just learning and shoot ourselves in the foot.
Naveed says

January 13, 2010 at 10:34 pm

Thnx Man, That helped a lot!!!!
faris Ghanim says

October 14, 2010 at 9:22 pm

thinx
ok where i find the image to download
BlogAdmin says

October 15, 2010 at 6:39 am

You must have a contract with Cisco or from a reseller in order to be able to download the image
shaig says

January 24, 2011 at 2:01 pm

hi admin.i did what you wrote above.but after i boots normally but after i reboot again it tries to boot from tftp server.i want it to boot from disk0.how can do it?
i used the command copt tftp flash
but it shows following
ciscoasa# copy tftp flash

Address or name of remote host []? 192.168.1.1

Source filename []? asa804-23-k8.bin

Destination filename [asa804-23-k8.bin]?

Accessing tftp://192.168.1.1/asa804-23-k8.bin…
%Error opening tftp://192.168.1.1/asa804-23-k8.bin (No such device)

can any one help me?
BlogAdmin says

January 24, 2011 at 2:45 pm

shaig,

try the following command which tells the asa firewall to boot from the flash image:

ASA(config)#boot system flash:/asa804-23-k8.bin
jp says

March 5, 2011 at 1:57 am

Hi Admin,
I did all this and is still takes me back to rommon (asa5520)
ciscoasa# config t
ciscoasa(config)# boot system flash:/asa821-k8.bin
INFO: Converting flash:/asa821-k8.bin to disk0:/asa821-k8.bin
ciscoasa(config)#
ciscoasa# sho boot

BOOT variable = disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa# wr me
Building configuration…
Cryptochecksum: 6fe15315 a9d7c5a3 b9902e2e a43ee691

1653 bytes copied in 3.330 secs (551 bytes/sec)
[OK]
ciscoasa#
ciscoasa# dir disk0:

Directory of disk0:/

16 -rwx 16275456 12:45:54 Mar 04 2011 asa821-k8.bin
17 -rwx 14240396 12:46:48 Mar 04 2011 asdm-631(asa).bin
10 drwx 2048 12:46:58 Mar 04 2011 coredumpinfo
2 drwx 2048 13:04:20 Mar 04 2011 log
9 drwx 2048 13:04:28 Mar 04 2011 crypto_archive

63035392 bytes total (32485376 bytes free)
ciscoasa#reload

{twiddle fingers}

04 02 00 8086 1209 Ethernet 11
04 03 00 8086 1209 Ethernet 5

Evaluating BIOS Options …
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

Platform ASA5520
Management0/0
Ethernet auto negotiation timed out.
Interface-4 Link Not Established (check cable).

Default Interface number-4 Not Up

Use ? for help.
rommon #0> boot
Launching BootLoader…
Default configuration file contains 1 entry.

Searching / for images to boot.

No images in /
Error 15: File not found

unable to boot an image
BlogAdmin says

March 7, 2011 at 9:51 am

Looks like you have either a corrupted image or you have stored the image in a different location in flash
Claudio says

June 3, 2011 at 5:28 pm

I had the same problem, the way i fixed is by changing the config register to xxxf so the las byte had to be f so that it used the boot config to boot up.
ambet says

June 16, 2011 at 3:34 pm

Please help!

Use ? for help.
rommon #0> ADDRESS=192.168.1.20
rommon #1> SERVER=192.168.1.10
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=asa825-k8.bin
rommon #4> PORT=Ethernet0/0
Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.
BlogAdmin says

June 17, 2011 at 9:45 pm

The problem could be related to two things:

1) change the port to Ethernet0/1 and connect the tftp server to that port.
2) maybe the ASA image file is corrupted.
mamang says

June 21, 2011 at 12:59 am

How about to backup image using rommon?
sdavis says

August 16, 2011 at 10:45 pm

Instructions to restore image lacking in information Do you have to type the = to get this to work?
BlogAdmin says

August 17, 2011 at 6:44 am

Yes you have to use the “=” sign in order to enter the required information in the parameters
Ashok says

October 28, 2011 at 12:06 pm

Can someone help me I have erased the Disk0: now i am trying to upload new image i getting the following error.

Received 16459776 bytes

Launching TFTP Image…

Cisco Security Appliance admin loader (3.0) #0: Mon Jan 11 14:23:33 MST 2010
Platform ASA5520
Loading…
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
open /dev/hda1:No such device or address
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
Set ‘tap0’ persistent and owned by uid 0
IO memory 85360640 bytes

Processor memory 344436736, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

Total SSMs found: 0

Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: 001f.ca09.24b7
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
Internal error. Crash dump information may not be read or written to flash
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 03 MAC: 001f.ca09.24bb
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 02 MAC: 001f.ca09.24ba
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 01 MAC: 001f.ca09.24b9
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: 001f.ca09.24b8

INFO: Unable to read firewall mode from flash
Writing defa
Bruce says

February 17, 2012 at 11:42 pm

My device always show rommon0 on reboot.

I can get the bin file to the flash via tftpdnld,but when I try to save to disk on the ASA, i get the following error:

ciscoasa(config)# boot system flash:/asa843-k8.bin
“INFO: Converting flash:/asa843-k8.bin to disk0:/asa843-k8.bin
WARNING: BOOT variable added, but unable to find disk0:/asa843-k8.bin”

DIR disk0 shows:
ciscoasa(config)# dir

Directory of disk0:/

2 drwx 2048 20:40:23 Feb 17 2012 log
5 drwx 2048 20:40:39 Feb 17 2012 crypto_archive
10 drwx 2048 20:40:41 Feb 17 2012 coredumpinfo
12 -rwx 196 20:40:42 Feb 17 2012 upgrade_startup_errors_201202172040.log

127004672 bytes total (126976000 bytes free)

Here is the show run also:
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
boot system disk0:/asa843-k8.bin
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:59b2d0b09e74ff0d0a323de4c8972a54
: end

and the show version:

Cisco Adaptive Security Appliance Software Version 8.4(3)

Compiled on Fri 06-Jan-12 10:24 by builders
System image file is “tftp://10.0.0.109/ASA843-K8.BIN”
Config file at boot was “startup-config”

ciscoasa up 53 mins 38 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is 0026.cb31.fe93, irq 11
1: Ext: Ethernet0/0 : address is 0026.cb31.fe8b, irq 255
2: Ext: Ethernet0/1 : address is 0026.cb31.fe8c, irq 255
3: Ext: Ethernet0/2 : address is 0026.cb31.fe8d, irq 255
4: Ext: Ethernet0/3 : address is 0026.cb31.fe8e, irq 255
5: Ext: Ethernet0/4 : address is 0026.cb31.fe8f, irq 255
6: Ext: Ethernet0/5 : address is 0026.cb31.fe90, irq 255
7: Ext: Ethernet0/6 : address is 0026.cb31.fe91, irq 255
8: Ext: Ethernet0/7 : address is 0026.cb31.fe92, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

Serial Number: JMX1336Z1GD
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x102002
Configuration last modified by enable_15 at 21:29:15.759 UTC Fri Feb 17 2012

Can anyone help??

TIA

Bruce
Josh says

May 31, 2012 at 3:43 pm

Bruce –

You are missing the ASA image in flash, once you tftpdnld you’ll need to “copy tftp: flash:” again to save it to flash. Then make sure the boot system parameter is set correctly and you should be good to go.
greasty says

August 15, 2012 at 4:47 pm

hi dears, very interested by the resolution of the problem.
but my asa 505 while trying to initialized the port , it refusing to get address. here is the prtsc:

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.

Default Interface number-0 Not Up

Use ? for help.
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9

Evaluating BIOS Options …
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.

Default Interface number-0 Not Up

Use ? for help.
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0> ADDRESS=10.132.44.177
rommon #1> SERVER=10.129.0.30
rommon #2> GATEWAY=10.132.44.1
rommon #3> IMAGE=f1/asa722-k8.bin
rommon #4> PORT=Ethernet0/0
Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.

rommon #4> port=Ethernet0/0
Invalid or incorrect command. Use ‘help’ for help.
rommon #4> PORT=Ethernet0/5
Ethernet0/5
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 5 could not be initialized.

rommon #4> Reason: I2C_UNPOPULATED_ERROR
Invalid or incorrect command. Use ‘help’ for help.
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4> reset

Rebooting….

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9

Evaluating BIOS Options …
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.

Default Interface number-0 Not Up

Use ? for help.
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0>
rommon #0> ADDRESS=192.168.1.10
rommon #1> SERVER=192.168.1.1
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=f1/asa722-k8.bin
rommon #4>
rommon #4> PORT=Ethernet0/0
Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.

rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4>
rommon #4> PORT=Ethernet0/4
Ethernet0/4
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 4 could not be initialized.

rommon #4>
rommon #4>
rommon #4> PORT=Ethernet0/6 0/7
Invalid PORT name argument, Valid arguments are:
Ethernet0/0
Ethernet0/1
Ethernet0/2
Ethernet0/3
Ethernet0/4
Ethernet0/5
Ethernet0/6
Ethernet0/7

PORT= ethernet interface port

rommon #4> PORT=Ethernet0/6
Ethernet0/6
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 6 could not be initialized.

rommon #4> PORT=Ethernet0/7
Ethernet0/7
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 7 could not be initialized.

rommon #4>

help me pliz !!!
BlogAdmin says

August 15, 2012 at 5:51 pm

I would suggest connecting a different computer directly to a cisco port (e.g port 0/1) and try again.It seams like a hardware problem. Maybe the speed and duplex of your current PC does not negotiate correctly with the ASA.
Zied says

August 31, 2012 at 5:06 pm

Hi Admin,

could you please help me,
I had the same issue with my asa 5505.
I tried to upload the image using rommon as specified above.
the problem is at any reload the asa can’t find an image.

wile checking I found that the path of boot is the following tftp://192.168.124.10/asa831-k8.bin which the tftp server I loaded the image from.

the problem is that when running show flash I get the following

ciscoasa# show flash
–#– –length– —–date/time—— path
3 2048 Aug 31 2012 05:30:18 log
6 2048 Aug 31 2012 05:30:30 crypto_archive
10 2048 Aug 31 2012 05:30:34 coredumpinfo
11 43 Aug 31 2012 05:30:34 coredumpinfo/coredump.cfg

127135744 bytes total (126844928 bytes free)

how could I store the image to the flash knowing that while trying to do it using copy tftp flash there was an error

ciscoasa# copy tftp flash

Address or name of remote host []? 192.168.124.10

Source filename []? asa831-k8.bin

Destination filename [asa831-k8.bin]?

Accessing tftp://192.168.124.10/asa831-k8.bin…
WARNING: TFTP download incomplete!

%Error reading tftp://192.168.124.10/asa831-k8.bin (Unspecified Error)
ciscoasa#

any suggestion please?

thank for this great forum.
BlogAdmin says

September 1, 2012 at 11:04 am

Hello,

First remove the command that points the image to be on tftp://192.168.124.10/asa831-k8.bin . Remove this line from ASA config, save it and reboot.
Zied says

September 3, 2012 at 9:54 am

Hi,

Thanks for the reply.
I tried to remove this line but I’ve got this:

ciscoasa# conf t
ciscoasa# conf terminal
ciscoasa(config)# no tftp://192.168.124.10/asa831-k8.bin
^
ERROR: % Invalid input detected at ‘^’ marker.
ciscoasa(config)#

the show run comand doesn’t show this line in the running-config file.
it’s only shown when using “show version” command.

the idea I’ve got is that when uploading the image using rommon, the file is uploaded to the RAM and not to the flash that’s why while rebooting, the asa doesn’t find an image for reboot.

any idea about storing the image to the flash instead of RAM?
or do you have any other suggestion?
BlogAdmin says

September 3, 2012 at 5:12 pm

Maybe the problem is the configuration register which determines how the ASA will boot. You can see the confreg at “show ver” command output.

You can change this register as shown below:

ASA(config)# config-register 0x01

Save and reboot.
Zied says

September 4, 2012 at 11:12 am

I did that but nothing happened the firewall doesn’t boot since there is no image in the flash..
The idea is clear for me, using rommon to upload an image to the firewall.
this image is stored into RAM.
then I should be able to tftp the image to the flash using

ASA(config)# copy tftp flash (specifying the server and the file)

but this command doesn’t work. even I tried to upload an old config file to the running config and it also failed.

the solution is either to upload the image directly from rommon or to upload it to the RAM annd then use tftp server which fails until now with me.

do you have any idea why this command is blocked?
Zied says

September 4, 2012 at 4:50 pm

Thank you for the help,
I ‘ve changed my tftp soft and it functioned very well.

I would ask you about one thing more, the command “show version” shows that:

“The Running Activation Key is not valid”.

does this has an impact on the firewall?

what should I do in this case?

thanks a lot again.
BlogAdmin says

September 5, 2012 at 12:07 pm

never seen such an error before. Have you installed a non-official image?
Zied says

September 9, 2012 at 9:45 pm

Sorry for the late reply,

I downloaded the image from an asa used in another site of the entreprise I work in.
but it seems that the image is designated for asa k8 while the dammaged asa is K9. that’s why the activation key didn’t work.
Deepu says

August 24, 2013 at 9:18 am

Hi,

I have used erase command which deleted image on flash as well as on disk0

how can i re-install ios image.

Please help
Deepu says

August 24, 2013 at 9:19 am

sorry for missing device model asa 5520 firewall.
BlogAdmin says

August 24, 2013 at 10:51 am

If you have not rebooted the ASA, use tftp command to download a new image on the flash. If you have rebooted the device, you must get into ROMMON mode (as described in the article above) to download a new image on the flash or disk.
MIke D. says

January 20, 2014 at 7:30 pm

I have erased disk0 on my ASA5505. I am trying to load a new image via rommon. I have set the interface address to match my laptop. I am unable to ping between them? I have also tried to Xmodem through Hyperterminal but it times out.

Help?
BlogAdmin says

January 20, 2014 at 8:23 pm

Mike,
The interface address must be in the same subnet as the laptop and not the same. If the laptop IP is 192.168.1.10, then the interface IP of the ASA must be something like 192.168.1.11 for example.
Roland says

April 8, 2014 at 11:24 am

I struggled with it for 2 days to discover that my PC firewall needed to be turned off for this to work.

But yes it works well, just keep in mind to turn off the PC firewall if your are experiencing issues with the command timing out
Syed Arshad says

May 8, 2014 at 2:10 pm

Guys need help, facing below problem….
—————————-
ROMMON Variable Settings:
ADDRESS=192.168.1.2
SERVER=192.168.1.1
GATEWAY=192.168.1.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=asa831-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

rommon #14> PORT=Ethernet0/0
Ethernet0/1
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 1 could not be initialized.
pambosch10 says

May 8, 2014 at 6:05 pm

Have you connected some ports on a switch? It looks like there is a hardware problem with the device.
Mousam says

November 22, 2014 at 1:33 pm

Hi admin,

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0

in this case what should be range of my system? i have configure my system as
ip 192.168.1.10
gateway-192.168.1.1

but unable to ping gateway. i can see tha port is up but unable to ping gateway
BlogAdmin says

November 22, 2014 at 3:52 pm

The purpose of the ROMMON configuration above is to prepare the basic network settings in order to execute the “tftp” command in order to download a new software image to the flash of the ASA.
Travis Deskins says

March 31, 2016 at 8:34 pm

rommon #8> tftpdnld
ROMMON Variable Settings:
ADDRESS=192.168.1.45
SERVER=192.168.1.66
GATEWAY=192.168.1.254
PORT=GigabitEthernet0/0
VLAN=untagged
IMAGE=asa903-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=5

tftp [email protected] via 192.168.1.254

TFTP failure: Packet verify failed after 5 retries

rommon #9>

I dont see anything i did wrong. Could you possibly help me figure out what i cant tftp to this switch?
Harris Andrea says

April 1, 2016 at 5:10 pm

Travis, it looks like the image you have downloaded is corrupted somehow. Try to check the MD5 sum of the image.
Travis Deskins says

April 1, 2016 at 6:17 pm

My image is not corrupt I do not know why but if i set GATEWAY= 0.0.0.0 it works just fine.
Harris Andrea says

April 1, 2016 at 8:15 pm

Hm that’s interesting. Thanks for letting us know.
Jawad Abbasi says

April 12, 2017 at 6:32 am

After the ASA boots through the tftp image, it displays the command prompt. Typed enable and pressed Enter to get into privilege mode . Pressed Enter at the password prompt but it does not accept it and says invalid password.

cisco>enable
Password:

Can any one assist?

Thanks.
Harris Andrea says

April 12, 2017 at 2:35 pm

You are supplying the wrong privileged (enable secret) password. You need to reset the password if you have missed it.

Harris
Mackenson says

August 7, 2019 at 3:36 pm

Hi, does it work for ASA 5508-X?
I am new in networking, and they ask me to configure an ASA 5508-X with FirePower. But it does not have any
configuration files and ios image.
Can I apply these steps to load a new IOS image?
Harris Andrea says

August 7, 2019 at 4:18 pm

Yes it should work also for the 5508-X. Once you get into ROMMON it should work as explained.
Mackenson says

August 7, 2019 at 4:32 pm

Thank you Harris for answer. I will try to do it.
But I have another question, Does the IOS image for ASA 5508-X include the firepower software? Or I have to install the IOS image and then install the Firepower software?
Harris Andrea says

August 7, 2019 at 7:16 pm

In order to have both ASA and Firepower you need to install the FTD image (Firepower Threat Defense) which is a unified software image. It is supported on the 5508-X as well.
Emmanuel says

September 19, 2019 at 12:06 pm

Please, where do i download a valid image for my ASA 5505?
Harris Andrea says

September 19, 2019 at 2:19 pm

Images for ASA5505 must be obtained from Cisco or an official Cisco distributor/partner
Evan Kean says

February 13, 2020 at 2:25 pm

Thanks. Great site.
Harris Andrea says

February 13, 2020 at 5:00 pm

Thanks a lot Evan, I’m glad you liked my site and the content.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

DOWNLOAD THIS ARTICLE AS PDF FILE

Related Posts

Download Free Cisco Commands Cheat Sheets

About Harris Andrea

Comments

Leave a Reply

About Networks Training

Amazon Disclosure

Search

BLOGROLL