Boot Cisco ASA From TFTP (Upgrade from ROMMON)

KB ID 0000792 Dtd 22/03/13


If your firewall won't boot, either because the OS is corrupt or because the flash memory is faulty, you can get up and running by booting the device from a TFTP server instead.


Before you start, make sure you have your TFTP server running and the operating system image in its root folder.

Install and Use a TFTP Server

1. Power on the firewall, and during the boot phase press ESC to boot to ROMMON mode.

2. The following commands will set the firewall’s IP address, default gateway, and the IP address of the device running the TFTP server. (Note: unless you are on a different network segment, the gateway and server address should be set the same.)


3. You will need to specify the name of the operating system file to load and which interface the firewall should use. This is a 5505 and I’m using Ethernet0/1 (the interface that’s usually the inside one).


ROMMON #3> IMAGE=asa911-k8.bin
ROMMON #4> PORT=Ethernet0/1
Ethernet0/1
MAC Address: b0fa.eb21.378e
Link is UP
ROMMON #5>

4. You can check the settings with a ‘set’ command.

ROMMON #5> set
ROMMON Variable Settings
ADDRESS=
SERVER=
GATEWAY=
PORT=Ethernet0/1
VLAN=untagged
IMAGE=asa911-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20


5. Start the process with a ‘tftp’ command.

ROMMON #6> tftp

tftp asa911-k8.bin@ via


<Output removed for the sake of space>

6. The firewall will load the operating system and boot. WARNING: the operating system at this point is running in memory, NOT from flash. If you reboot, it will attempt to load from flash memory again. If you can access the flash memory (check with ‘show flash’), copy in the operating system from your TFTP server.

Petes-ASA# copy tftp disk0

Address or name of remote host []?

Source filename []? asa911-k8.bin

Destination filename [disk0]? asa911-k8.bin

Accessing tftp://
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
<Output removed for the sake of space>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asa911-k8.bin…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
<Output removed for the sake of space>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 70.230 secs (118754 bytes/sec)

7. Make sure you can see the file in flash memory.

Petes-ASA# show flash
Initializing disk0: cache, please wait….Done.
-#- --length-- -----date/time------ path
  6 6764544 Jan 01 2003 00:05:22 asa911-k8.bin <<<<
  7 1868412 Jan 01 2003 00:05:48 securedesktop-asa-
  8 398305 Jan 01 2003 00:06:04 sslclient-win-
  9 7495680 Apr 25 2007 14:41:54 asdm711-k8.bin
 12 8312832 May 21 2007 13:29:08 asa722-k8.bin
 13 5623108 May 21 2007 13:31:26 asdm-522.bin

224886784 bytes available (30539776 bytes used)

8. Set the new file as the default boot OS, and save the changes, then finally reboot the firewall.

Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec) [OK]

Petes-ASA(config)# reload
Proceed with reload? [confirm]{Enter}
Petes-ASA#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system

***
*** --- SHUTDOWN NOW ---

9. The firewall will reboot, and load the new OS.
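TFTP has no authentication or integrity protection, so it is worth checking the image on the TFTP server against a known-good hash and confirming that the copy listed by 'show flash' in step 7 has the same size. The script below is an added example, not part of the original article; the function names are hypothetical, the sample image and listing are constructed, and the expected hash is a placeholder for the value published with the image you downloaded.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One 'show flash' row: index, length in bytes, date/time, path.
FLASH_ROW = re.compile(
    r"^[ \t]*\d+[ \t]+(\d+)[ \t]+\w{3}[ \t]+\d{1,2}[ \t]+\d{4}[ \t]+[\d:]{8}[ \t]+(\S+)",
    re.M)

def parse_show_flash(text):
    """Return {path: length_in_bytes} from pasted 'show flash' output."""
    return {m.group(2): int(m.group(1)) for m in FLASH_ROW.finditer(text)}

def sha512_of(path, chunk=1 << 20):
    """Hash the file in chunks so a large image is not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_image(local_image, expected_sha512, show_flash_text):
    """Return a list of problems; an empty list means every check passed."""
    local_image = Path(local_image)
    problems = []
    # TFTP gives no integrity guarantee, so the hash is checked on the server copy.
    if sha512_of(local_image) != expected_sha512.strip().lower():
        problems.append("local image hash does not match the expected value")
    on_flash = parse_show_flash(show_flash_text).get(local_image.name)
    local_size = local_image.stat().st_size
    if on_flash is None:
        problems.append(f"{local_image.name} is not listed in flash")
    elif on_flash != local_size:
        # Size equality is only a sanity check that the transfer completed.
        problems.append(f"flash size {on_flash} != local size {local_size}")
    return problems

if __name__ == "__main__":
    # Constructed stand-in for the image and for the pasted 'show flash' output.
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "asa911-k8.bin"
        image.write_bytes(b"constructed image bytes" * 100)
        expected = hashlib.sha512(image.read_bytes()).hexdigest()  # placeholder hash
        listing = ("-#- --length-- -----date/time------ path\n"
                   f"  6 {image.stat().st_size} Jan 01 2003 00:05:22 asa911-k8.bin\n")
        print(check_image(image, expected, listing) or "all checks passed")
```

A matching size only shows that the transfer completed; the hash comparison on the server copy is what ties the image back to the file you downloaded.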



Author: Migrated
