Networks Training

You are here: Home / Cisco ASA General / Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

Using the ROMMON to load a new image on Cisco ASA Firewall Step-by-Step

Written By

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP.

load new image to cisco ASA with Rommon

Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:

Step1: Connect to the ASA firewall using a console cable.

Step2: Power off the appliance and then power it on.

Step3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.

Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC with TFTP server on a firewall port (e.g Ethernet0/0). Then enter the following commands on the ASA.

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0

MORE READING:  Comparison of Cisco ASA5500 Vs ASA5500-X

The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin

Step5: Execute the TFTP upload from the ASA using:

rommon #6> tftp

The above instructs the firewall to start uploading the image file from TFTP.

After the firewall reboots, login and check that the new image has been installed (show version)

DOWNLOAD THIS ARTICLE AS PDF FILE

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. James Flockton says

    Thank you for your time writing this guide, it was very helpful. It works perfectly on my ASA5505.

    James

  4. BlogAdmin says

    Which ASA model are you using? If its a higher end model (5520 and up) then the interface is Gigabitethernet and not Ethernet, so you need to specify the correct interface name in ROMMON

  6. BlogAdmin says

    Hello Alan,

    Connect your PC with the TFTP server on a different Ethernet port (e.g Ethernet0/1) and use that in the ROMMON command.

  7. ALAN WILSOIN says

    My bad, I didn’t have the ip for my pc set correctly. This worked great. Thanks from us that are just learning and shoot ourselves in the foot.

  10. BlogAdmin says

    You must have a contract with Cisco or from a reseller in order to be able to download the image

  11. shaig says

    hi admin.i did what you wrote above.but after i boots normally but after i reboot again it tries to boot from tftp server.i want it to boot from disk0.how can do it?
    i used the command copt tftp flash
    but it shows following
    ciscoasa# copy tftp flash

    Address or name of remote host []? 192.168.1.1

    Source filename []? asa804-23-k8.bin

    Destination filename [asa804-23-k8.bin]?

    Accessing tftp://192.168.1.1/asa804-23-k8.bin…
    %Error opening tftp://192.168.1.1/asa804-23-k8.bin (No such device)

    can any one help me?

  12. BlogAdmin says

    shaig,

    try the following command which tells the asa firewall to boot from the flash image:

    ASA(config)#boot system flash:/asa804-23-k8.bin

  13. jp says

    Hi Admin,
    I did all this and is still takes me back to rommon (asa5520)
    ciscoasa# config t
    ciscoasa(config)# boot system flash:/asa821-k8.bin
    INFO: Converting flash:/asa821-k8.bin to disk0:/asa821-k8.bin
    ciscoasa(config)#
    ciscoasa# sho boot

    BOOT variable = disk0:/asa821-k8.bin
    Current BOOT variable = disk0:/asa821-k8.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =
    ciscoasa# wr me
    Building configuration…
    Cryptochecksum: 6fe15315 a9d7c5a3 b9902e2e a43ee691

    1653 bytes copied in 3.330 secs (551 bytes/sec)
    [OK]
    ciscoasa#
    ciscoasa# dir disk0:

    Directory of disk0:/

    16 -rwx 16275456 12:45:54 Mar 04 2011 asa821-k8.bin
    17 -rwx 14240396 12:46:48 Mar 04 2011 asdm-631(asa).bin
    10 drwx 2048 12:46:58 Mar 04 2011 coredumpinfo
    2 drwx 2048 13:04:20 Mar 04 2011 log
    9 drwx 2048 13:04:28 Mar 04 2011 crypto_archive

    63035392 bytes total (32485376 bytes free)
    ciscoasa#reload

    {twiddle fingers}

    04 02 00 8086 1209 Ethernet 11
    04 03 00 8086 1209 Ethernet 5

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5520
    Management0/0
    Ethernet auto negotiation timed out.
    Interface-4 Link Not Established (check cable).

    Default Interface number-4 Not Up

    Use ? for help.
    rommon #0> boot
    Launching BootLoader…
    Default configuration file contains 1 entry.

    Searching / for images to boot.

    No images in /
    Error 15: File not found

    unable to boot an image

  14. BlogAdmin says

    Looks like you have either a corrupted image or you have stored the image in a different location in flash

  15. Claudio says

    I had the same problem, the way i fixed is by changing the config register to xxxf so the las byte had to be f so that it used the boot config to boot up.

  16. ambet says

    Please help!

    Use ? for help.
    rommon #0> ADDRESS=192.168.1.20
    rommon #1> SERVER=192.168.1.10
    rommon #2> GATEWAY=192.168.1.1
    rommon #3> IMAGE=asa825-k8.bin
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

  17. BlogAdmin says

    The problem could be related to two things:

    1) change the port to Ethernet0/1 and connect the tftp server to that port.
    2) maybe the ASA image file is corrupted.

  19. sdavis says

    Instructions to restore image lacking in information Do you have to type the = to get this to work?

  20. BlogAdmin says

    Yes you have to use the “=” sign in order to enter the required information in the parameters

  21. Ashok says

    Can someone help me I have erased the Disk0: now i am trying to upload new image i getting the following error.

    Received 16459776 bytes

    Launching TFTP Image…

    Cisco Security Appliance admin loader (3.0) #0: Mon Jan 11 14:23:33 MST 2010
    Platform ASA5520
    Loading…
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    open /dev/hda1:No such device or address
    dosfsck(/dev/hda1) returned 1
    mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
    mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
    Set ‘tap0’ persistent and owned by uid 0
    IO memory 85360640 bytes

    Processor memory 344436736, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

    Total SSMs found: 0

    Total NICs found: 7
    mcwa i82557 Ethernet at irq 11 MAC: 001f.ca09.24b7
    mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
    Internal error. Crash dump information may not be read or written to flash
    i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 03 MAC: 001f.ca09.24bb
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 02 MAC: 001f.ca09.24ba
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 01 MAC: 001f.ca09.24b9
    i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: 001f.ca09.24b8

    INFO: Unable to read firewall mode from flash
    Writing defa

  22. Bruce says

    My device always show rommon0 on reboot.

    I can get the bin file to the flash via tftpdnld,but when I try to save to disk on the ASA, i get the following error:

    ciscoasa(config)# boot system flash:/asa843-k8.bin
    “INFO: Converting flash:/asa843-k8.bin to disk0:/asa843-k8.bin
    WARNING: BOOT variable added, but unable to find disk0:/asa843-k8.bin”

    DIR disk0 shows:
    ciscoasa(config)# dir

    Directory of disk0:/

    2 drwx 2048 20:40:23 Feb 17 2012 log
    5 drwx 2048 20:40:39 Feb 17 2012 crypto_archive
    10 drwx 2048 20:40:41 Feb 17 2012 coredumpinfo
    12 -rwx 196 20:40:42 Feb 17 2012 upgrade_startup_errors_201202172040.log

    127004672 bytes total (126976000 bytes free)

    Here is the show run also:
    interface Ethernet0/0
    shutdown
    !
    interface Ethernet0/1
    shutdown
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    interface Vlan1
    no nameif
    no security-level
    no ip address
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    pager lines 24
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:59b2d0b09e74ff0d0a323de4c8972a54
    : end

    and the show version:

    Cisco Adaptive Security Appliance Software Version 8.4(3)

    Compiled on Fri 06-Jan-12 10:24 by builders
    System image file is “tftp://10.0.0.109/ASA843-K8.BIN”
    Config file at boot was “startup-config”

    ciscoasa up 53 mins 38 secs

    Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
    Number of accelerators: 1

    0: Int: Internal-Data0/0 : address is 0026.cb31.fe93, irq 11
    1: Ext: Ethernet0/0 : address is 0026.cb31.fe8b, irq 255
    2: Ext: Ethernet0/1 : address is 0026.cb31.fe8c, irq 255
    3: Ext: Ethernet0/2 : address is 0026.cb31.fe8d, irq 255
    4: Ext: Ethernet0/3 : address is 0026.cb31.fe8e, irq 255
    5: Ext: Ethernet0/4 : address is 0026.cb31.fe8f, irq 255
    6: Ext: Ethernet0/5 : address is 0026.cb31.fe90, irq 255
    7: Ext: Ethernet0/6 : address is 0026.cb31.fe91, irq 255
    8: Ext: Ethernet0/7 : address is 0026.cb31.fe92, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255
    The Running Activation Key is not valid, using default settings:

    Licensed features for this platform:
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 3 DMZ Restricted
    Dual ISPs : Disabled perpetual
    VLAN Trunk Ports : 0 perpetual
    Inside Hosts : 10 perpetual
    Failover : Disabled perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Disabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 10 perpetual
    Total VPN Peers : 12 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has a Base license.

    Serial Number: JMX1336Z1GD
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
    Configuration register is 0x102002
    Configuration last modified by enable_15 at 21:29:15.759 UTC Fri Feb 17 2012

    Can anyone help??

    TIA

    Bruce

  23. Josh says

    Bruce –

    You are missing the ASA image in flash, once you tftpdnld you’ll need to “copy tftp: flash:” again to save it to flash. Then make sure the boot system parameter is set correctly and you should be good to go.

  24. greasty says

    hi dears, very interested by the resolution of the problem.
    but my asa 505 while trying to initialized the port , it refusing to get address. here is the prtsc:

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 01 00 1022 2080 Host Bridge
    00 01 02 1022 2082 Chipset En/Decrypt 11
    00 0C 00 1148 4320 Ethernet 11
    00 0D 00 177D 0003 Network En/Decrypt 10
    00 0F 00 1022 2090 ISA Bridge
    00 0F 02 1022 2092 IDE Controller
    00 0F 03 1022 2093 Audio 10
    00 0F 04 1022 2094 Serial Bus 9
    00 0F 05 1022 2095 Serial Bus 9

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

    Platform ASA5505

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0> ADDRESS=10.132.44.177
    rommon #1> SERVER=10.129.0.30
    rommon #2> GATEWAY=10.132.44.1
    rommon #3> IMAGE=f1/asa722-k8.bin
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    rommon #4> port=Ethernet0/0
    Invalid or incorrect command. Use ‘help’ for help.
    rommon #4> PORT=Ethernet0/5
    Ethernet0/5
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 5 could not be initialized.

    rommon #4> Reason: I2C_UNPOPULATED_ERROR
    Invalid or incorrect command. Use ‘help’ for help.
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4> reset

    Rebooting….

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 01 00 1022 2080 Host Bridge
    00 01 02 1022 2082 Chipset En/Decrypt 11
    00 0C 00 1148 4320 Ethernet 11
    00 0D 00 177D 0003 Network En/Decrypt 10
    00 0F 00 1022 2090 ISA Bridge
    00 0F 02 1022 2092 IDE Controller
    00 0F 03 1022 2093 Audio 10
    00 0F 04 1022 2094 Serial Bus 9
    00 0F 05 1022 2095 Serial Bus 9

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    i2c_read_word_w_wait() error, slot = 0x0, device = 0x64, address = 134 byte count = 2. Reason: I2C_UNPOPULATED_ERROR

    Platform ASA5505

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    Default Interface number-0 Not Up

    Use ? for help.
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0>
    rommon #0> ADDRESS=192.168.1.10
    rommon #1> SERVER=192.168.1.1
    rommon #2> GATEWAY=192.168.1.1
    rommon #3> IMAGE=f1/asa722-k8.bin
    rommon #4>
    rommon #4> PORT=Ethernet0/0
    Ethernet0/0
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 0 could not be initialized.

    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4>
    rommon #4> PORT=Ethernet0/4
    Ethernet0/4
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 4 could not be initialized.

    rommon #4>
    rommon #4>
    rommon #4> PORT=Ethernet0/6 0/7
    Invalid PORT name argument, Valid arguments are:
    Ethernet0/0
    Ethernet0/1
    Ethernet0/2
    Ethernet0/3
    Ethernet0/4
    Ethernet0/5
    Ethernet0/6
    Ethernet0/7

    PORT= ethernet interface port

    rommon #4> PORT=Ethernet0/6
    Ethernet0/6
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 6 could not be initialized.

    rommon #4> PORT=Ethernet0/7
    Ethernet0/7
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 7 could not be initialized.

    rommon #4>

    help me pliz !!!

  25. BlogAdmin says

    I would suggest connecting a different computer directly to a cisco port (e.g port 0/1) and try again.It seams like a hardware problem. Maybe the speed and duplex of your current PC does not negotiate correctly with the ASA.

  26. Zied says

    Hi Admin,

    could you please help me,
    I had the same issue with my asa 5505.
    I tried to upload the image using rommon as specified above.
    the problem is at any reload the asa can’t find an image.

    wile checking I found that the path of boot is the following tftp://192.168.124.10/asa831-k8.bin which the tftp server I loaded the image from.

    the problem is that when running show flash I get the following

    ciscoasa# show flash
    –#– –length– —–date/time—— path
    3 2048 Aug 31 2012 05:30:18 log
    6 2048 Aug 31 2012 05:30:30 crypto_archive
    10 2048 Aug 31 2012 05:30:34 coredumpinfo
    11 43 Aug 31 2012 05:30:34 coredumpinfo/coredump.cfg

    127135744 bytes total (126844928 bytes free)

    how could I store the image to the flash knowing that while trying to do it using copy tftp flash there was an error

    ciscoasa# copy tftp flash

    Address or name of remote host []? 192.168.124.10

    Source filename []? asa831-k8.bin

    Destination filename [asa831-k8.bin]?

    Accessing tftp://192.168.124.10/asa831-k8.bin…
    WARNING: TFTP download incomplete!

    %Error reading tftp://192.168.124.10/asa831-k8.bin (Unspecified Error)
    ciscoasa#

    any suggestion please?

    thank for this great forum.

  27. BlogAdmin says

    Hello,

    First remove the command that points the image to be on tftp://192.168.124.10/asa831-k8.bin . Remove this line from ASA config, save it and reboot.

  28. Zied says

    Hi,

    Thanks for the reply.
    I tried to remove this line but I’ve got this:

    ciscoasa# conf t
    ciscoasa# conf terminal
    ciscoasa(config)# no tftp://192.168.124.10/asa831-k8.bin
    ^
    ERROR: % Invalid input detected at ‘^’ marker.
    ciscoasa(config)#

    the show run comand doesn’t show this line in the running-config file.
    it’s only shown when using “show version” command.

    the idea I’ve got is that when uploading the image using rommon, the file is uploaded to the RAM and not to the flash that’s why while rebooting, the asa doesn’t find an image for reboot.

    any idea about storing the image to the flash instead of RAM?
    or do you have any other suggestion?

  29. BlogAdmin says

    Maybe the problem is the configuration register which determines how the ASA will boot. You can see the confreg at “show ver” command output.

    You can change this register as shown below:

    ASA(config)# config-register 0x01

    Save and reboot.

  30. Zied says

    I did that but nothing happened the firewall doesn’t boot since there is no image in the flash..
    The idea is clear for me, using rommon to upload an image to the firewall.
    this image is stored into RAM.
    then I should be able to tftp the image to the flash using

    ASA(config)# copy tftp flash (specifying the server and the file)

    but this command doesn’t work. even I tried to upload an old config file to the running config and it also failed.

    the solution is either to upload the image directly from rommon or to upload it to the RAM annd then use tftp server which fails until now with me.

    do you have any idea why this command is blocked?

  31. Zied says

    Thank you for the help,
    I ‘ve changed my tftp soft and it functioned very well.

    I would ask you about one thing more, the command “show version” shows that:

    “The Running Activation Key is not valid”.

    does this has an impact on the firewall?

    what should I do in this case?

    thanks a lot again.

  33. Zied says

    Sorry for the late reply,

    I downloaded the image from an asa used in another site of the entreprise I work in.
    but it seems that the image is designated for asa k8 while the dammaged asa is K9. that’s why the activation key didn’t work.

  34. Deepu says

    Hi,

    I have used erase command which deleted image on flash as well as on disk0

    how can i re-install ios image.

    Please help

  36. BlogAdmin says

    If you have not rebooted the ASA, use tftp command to download a new image on the flash. If you have rebooted the device, you must get into ROMMON mode (as described in the article above) to download a new image on the flash or disk.

  37. MIke D. says

    I have erased disk0 on my ASA5505. I am trying to load a new image via rommon. I have set the interface address to match my laptop. I am unable to ping between them? I have also tried to Xmodem through Hyperterminal but it times out.

    Help?

  38. BlogAdmin says

    Mike,
    The interface address must be in the same subnet as the laptop and not the same. If the laptop IP is 192.168.1.10, then the interface IP of the ASA must be something like 192.168.1.11 for example.

  39. Roland says

    I struggled with it for 2 days to discover that my PC firewall needed to be turned off for this to work.

    But yes it works well, just keep in mind to turn off the PC firewall if your are experiencing issues with the command timing out

  40. Syed Arshad says

    Guys need help, facing below problem….
    —————————-
    ROMMON Variable Settings:
    ADDRESS=192.168.1.2
    SERVER=192.168.1.1
    GATEWAY=192.168.1.1
    PORT=Ethernet0/0
    VLAN=untagged
    IMAGE=asa831-k8.bin
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=20

    rommon #14> PORT=Ethernet0/0
    Ethernet0/1
    i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
    esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
    Ethernet port 1 could not be initialized.

  41. pambosch10 says

    Have you connected some ports on a switch? It looks like there is a hardware problem with the device.

  42. Mousam says

    Hi admin,

    rommon #1> ADDRESS=192.168.1.10
    rommon #2> SERVER=192.168.1.1
    rommon #3> GATEWAY=192.168.1.1
    rommon #4> IMAGE=asa800-232-k8.bin
    rommon #5> PORT=Ethernet0/0

    in this case what should be range of my system? i have configure my system as
    ip 192.168.1.10
    gateway-192.168.1.1

    but unable to ping gateway. i can see tha port is up but unable to ping gateway

  43. BlogAdmin says

    The purpose of the ROMMON configuration above is to prepare the basic network settings in order to execute the “tftp” command in order to download a new software image to the flash of the ASA.

  44. Travis Deskins says

    rommon #8> tftpdnld
    ROMMON Variable Settings:
    ADDRESS=192.168.1.45
    SERVER=192.168.1.66
    GATEWAY=192.168.1.254
    PORT=GigabitEthernet0/0
    VLAN=untagged
    IMAGE=asa903-k8.bin
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=5

    tftp [email protected] via 192.168.1.254

    TFTP failure: Packet verify failed after 5 retries

    rommon #9>

    I dont see anything i did wrong. Could you possibly help me figure out what i cant tftp to this switch?

  45. Harris Andrea says

    Travis, it looks like the image you have downloaded is corrupted somehow. Try to check the MD5 sum of the image.

  46. Travis Deskins says

    My image is not corrupt I do not know why but if i set GATEWAY= 0.0.0.0 it works just fine.

  48. Jawad Abbasi says

    After the ASA boots through the tftp image, it displays the command prompt. Typed enable and pressed Enter to get into privilege mode . Pressed Enter at the password prompt but it does not accept it and says invalid password.

    cisco>enable
    Password:

    Can any one assist?

    Thanks.

  49. Harris Andrea says

    You are supplying the wrong privileged (enable secret) password. You need to reset the password if you have missed it.

    Harris

  50. Mackenson says

    Hi, does it work for ASA 5508-X?
    I am new in networking, and they ask me to configure an ASA 5508-X with FirePower. But it does not have any
    configuration files and ios image.
    Can I apply these steps to load a new IOS image?

  51. Harris Andrea says

    Yes it should work also for the 5508-X. Once you get into ROMMON it should work as explained.

  52. Mackenson says

    Thank you Harris for answer. I will try to do it.
    But I have another question, Does the IOS image for ASA 5508-X include the firepower software? Or I have to install the IOS image and then install the Firepower software?

  53. Harris Andrea says

    In order to have both ASA and Firepower you need to install the FTD image (Firepower Threat Defense) which is a unified software image. It is supported on the 5508-X as well.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx