Boot Cisco ASA From TFTP (Upgrade from ROMMON)

KB ID 0000792

Problem

If your firewall won’t boot, either because the OS is corrupt or because the flash memory is faulty, you can get up and running by booting the device from a TFTP server instead.

Solution

Before you start, make sure your TFTP server is running and the operating system image is in its root folder.

Install and Use a TFTP Server

1. Power on the firewall, and during the boot phase press ESC to boot to ROMMON mode.

2. The following commands set the firewall’s IP address, the default gateway, and the IP address of the device running the TFTP server. (Note: unless the TFTP server is on a different network segment, the gateway and server address should be set the same.)

[box]

Use ? for help.
ROMMON #0> ADDRESS=172.16.254.150
ROMMON #1> SERVER=172.16.254.207
ROMMON #2> GATEWAY=172.16.254.207

[/box]

3. You will need to specify the name of the operating system file to load, and which interface the firewall should use. This is a 5505 and I’m using Ethernet0/1 (the interface that’s usually the inside one).

[box]

ROMMON #3> IMAGE=asa911-k8.bin
ROMMON #4> PORT=Ethernet0/1
 Ethernet0/1
 MAC Address: b0fa.eb21.378e
 Link is UP
ROMMON #5>

[/box]

4. You can check the settings with a ‘set’ command.

[box]

ROMMON #5> set
ROMMON Variable Settings
ADDRESS=172.16.254.150
SERVER=172.16.254.207
GATEWAY=172.16.254.207
PORT=Ethernet0/1
VLAN=untagged
IMAGE=asa911-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

ROMMON #6>

[/box]

5. Start the process with a ‘tftp’ command.

[box]

 

ROMMON #6> tftp

tftp asa911-k8.bin@172.16.254.207 via 172.16.254.207

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<Output removed for the sake of space>

[/box]

6. The firewall will load the operating system and boot. WARNING: the operating system at this point is running in memory, NOT from flash. If you reboot, it will attempt to load from flash memory again. If you can access the flash memory (‘show flash’), copy in the operating system from your TFTP server.

[box]

Petes-ASA# copy tftp disk0

Address or name of remote host []? 172.16.254.207

Source filename []? asa911-k8.bin

Destination filename [disk0]? asa911-k8.bin

Accessing tftp://172.16.254.207/asa911-k8.bin..
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 <Output removed for the sake of space>
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 Writing file disk0:asa911-k8.bin...
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 <Output removed for the sake of space>
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 8312832 bytes copied in 70.230 secs (118754 bytes/sec)

[/box]

7. Make sure you can see the file in flash memory.

[box]

Petes-ASA# show flash
 Initializing disk0: cache, please wait....Done.
 -#- --length-- -----date/time------ path
 6 6764544 Jan 01 2003 00:05:22 asa911-k8.bin <<<<
 7 1868412 Jan 01 2003 00:05:48 securedesktop-asa-3.1.1.29-k9.pkg
 8 398305 Jan 01 2003 00:06:04 sslclient-win-1.1.0.154.pkg
 9 7495680 Apr 25 2007 14:41:54 asdm711-k8.bin
 12 8312832 May 21 2007 13:29:08 asa722-k8.bin
 13 5623108 May 21 2007 13:31:26 asdm-522.bin

224886784 bytes available (30539776 bytes used)
 

[/box]

8. Set the new file as the default boot OS, save the changes, and finally reboot the firewall.

[box]

Petes-ASA# configure terminal
 Petes-ASA(config)# boot system disk0:/asa911-k8.bin
 Petes-ASA(config)# write mem
 Building configuration...
 Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

Petes-ASA(config)# reload
Proceed with reload? [confirm]{Enter}
Petes-ASA#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system

 

***
*** --- SHUTDOWN NOW ---

[/box]

9. The firewall will reboot, and load the new OS.
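TFTP does not authenticate the server or check the integrity of what it transfers, so seeing the file name in ‘show flash’ (step 7) is not proof that the whole image arrived. The script below is an added example, not part of the original article: it compares the size of the image staged on the TFTP server with the ‘bytes copied’ line from step 6 and the length column from step 7. The function names and the sample output are constructed for illustration.

```python
import re

# One 'show flash' row: index, length in bytes, date/time, path.
FLASH_ROW = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)")
COPIED = re.compile(r"(\d+) bytes copied")


def flash_lengths(show_flash):
    """Map path -> length in bytes from pasted 'show flash' output."""
    lengths = {}
    for line in show_flash.splitlines():
        m = FLASH_ROW.match(line)
        if m:
            lengths[m.group(2)] = int(m.group(1))
    return lengths


def check_image(image, staged_size, copy_log, show_flash):
    """Return a list of problems; an empty list means all sizes agree.

    staged_size is the size of the file in the TFTP root, for example
    os.path.getsize() run on the TFTP server.
    """
    problems = []
    m = COPIED.search(copy_log)
    if not m:
        problems.append("no 'bytes copied' line: the copy did not finish")
    elif int(m.group(1)) != staged_size:
        problems.append(f"copied {m.group(1)} bytes, staged file is {staged_size}")
    lengths = flash_lengths(show_flash)
    if image not in lengths:
        problems.append(f"{image} not in flash listing")
    elif lengths[image] != staged_size:
        problems.append(f"flash holds {lengths[image]} bytes, staged file is {staged_size}")
    return problems


# Constructed sample output in the same layout as steps 6 and 7.
SAMPLE_COPY = ("Writing file disk0:asa911-k8.bin...\n!!!!!!!!\n"
               "8312832 bytes copied in 70.230 secs (118754 bytes/sec)\n")
SAMPLE_FLASH = """\
 -#- --length-- -----date/time------ path
 6 8312832 Jan 01 2003 00:05:22 asa911-k8.bin <<<<
 9 7495680 Apr 25 2007 14:41:54 asdm711-k8.bin
224886784 bytes available (30539776 bytes used)
"""

if __name__ == "__main__":
    print(check_image("asa911-k8.bin", 8312832, SAMPLE_COPY, SAMPLE_FLASH) or "sizes agree")
```

A size match only catches truncated or incomplete transfers. Before putting the image in the TFTP root, compare its hash with the value the vendor publishes for that file.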
