Using the ROMMON to load a new image on Cisco ASA Firewall
If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:
Step 1: Connect to the ASA firewall using a console cable.
Step 2: Power off the appliance and then power it on.
Step 3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.
Step 4: In ROMMON mode, configure the settings needed to reach the TFTP server and load the new image. Connect a PC running a TFTP server to a firewall port (e.g. Ethernet0/0), then enter the following commands on the ASA:
rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0
The above configuration assigns the IP address 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It also tells the firewall that the TFTP server is at address 192.168.1.1 and that the image to load is asa800-232-k8.bin.
Step 5: Start the TFTP transfer from the ASA using:
rommon #6> tftp
The above instructs the firewall to start downloading the image file from the TFTP server.
After the firewall reboots, log in and check that the new image has been installed (show version).
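TFTP carries no authentication or integrity check, so ROMMON boots whatever file the server returns. The following added example (not part of the original post) checks the staged image against the SHA-512 value published with the download before it emits the ROMMON lines from Step 4 and Step 5; the function names, the TFTP root directory and the stand-in image file are assumptions made for illustration.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path


def sha512_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the file in blocks so the whole image is never held in memory."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(tftp_root: Path, image: str, expected_sha512: str,
              address: str, server: str, gateway: str, port: str) -> list[str]:
    """Return the ROMMON lines only if the staged image and addresses check out."""
    if Path(image).name != image:
        raise ValueError("IMAGE must be a bare filename inside the TFTP root")
    staged = tftp_root / image
    if not staged.is_file():
        raise FileNotFoundError(f"{image} is not staged in {tftp_root}")
    actual = sha512_of(staged)
    if actual != expected_sha512.strip().lower():
        raise ValueError(f"checksum mismatch for {image}: got {actual[:16]}...")
    # IPv4Address() raises ValueError on a mistyped address before ROMMON sees it.
    addr, srv, gw = (ipaddress.IPv4Address(a) for a in (address, server, gateway))
    if addr == srv:
        raise ValueError("ADDRESS and SERVER must be different hosts")
    return [f"ADDRESS={addr}", f"SERVER={srv}", f"GATEWAY={gw}",
            f"IMAGE={image}", f"PORT={port}", "tftp"]


def demo() -> list[str]:
    """Constructed sample: a stand-in file and its own hash, not a real ASA image."""
    body = b"constructed stand-in image bytes"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "asa800-232-k8.bin").write_bytes(body)
        published = hashlib.sha512(body).hexdigest()  # placeholder for the vendor value
        return preflight(root, "asa800-232-k8.bin", published,
                         "192.168.1.10", "192.168.1.1", "192.168.1.1", "Ethernet0/0")


if __name__ == "__main__":
    print("\n".join(demo()))
```

In real use, pass the checksum copied from the vendor download page as expected_sha512 instead of computing it from the local file.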


Thank you for your time writing this guide, it was very helpful. It works perfectly on my ASA5505.
James
Hello James,
Thanks for your feedback. I’m glad the guide was helpful to you.
Harris
Tried this but Ethernet0/0 link is down. Do you know how I can bring it up?
Which ASA model are you using? If it's a higher end model (5520 and up) then the interface is Gigabitethernet and not Ethernet, so you need to specify the correct interface name in ROMMON.
It’s the 5510. The commands work but the ethernet0/0 link is down.
Hello Alan,
Connect your PC with the TFTP server on a different Ethernet port (e.g. Ethernet0/1) and use that in the ROMMON command.
My bad, I didn’t have the ip for my pc set correctly. This worked great. Thanks from us that are just learning and shoot ourselves in the foot.
Thnx Man, That helped a lot!!!!
thinx
OK, where do I find the image to download?
You must have a contract with Cisco or from a reseller in order to be able to download the image.
Hi admin. I did what you wrote above. It boots normally, but after I reboot again it tries to boot from the TFTP server. I want it to boot from disk0. How can I do it?
I used the command copy tftp flash
but it shows the following:
ciscoasa# copy tftp flash
Address or name of remote host []? 192.168.1.1
Source filename []? asa804-23-k8.bin
Destination filename [asa804-23-k8.bin]?
Accessing tftp://192.168.1.1/asa804-23-k8.bin…
%Error opening tftp://192.168.1.1/asa804-23-k8.bin (No such device)
Can anyone help me?
shaig,
Try the following command, which tells the ASA firewall to boot from the flash image:
ASA(config)#boot system flash:/asa804-23-k8.bin
Hi Admin,
I did all this and it still takes me back to ROMMON (ASA5520).
ciscoasa# config t
ciscoasa(config)# boot system flash:/asa821-k8.bin
INFO: Converting flash:/asa821-k8.bin to disk0:/asa821-k8.bin
ciscoasa(config)#
ciscoasa# sho boot
BOOT variable = disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa# wr me
Building configuration…
Cryptochecksum: 6fe15315 a9d7c5a3 b9902e2e a43ee691
1653 bytes copied in 3.330 secs (551 bytes/sec)
[OK]
ciscoasa#
ciscoasa# dir disk0:
Directory of disk0:/
16 -rwx 16275456 12:45:54 Mar 04 2011 asa821-k8.bin
17 -rwx 14240396 12:46:48 Mar 04 2011 asdm-631(asa).bin
10 drwx 2048 12:46:58 Mar 04 2011 coredumpinfo
2 drwx 2048 13:04:20 Mar 04 2011 log
9 drwx 2048 13:04:28 Mar 04 2011 crypto_archive
63035392 bytes total (32485376 bytes free)
ciscoasa#reload
{twiddle fingers}
04 02 00 8086 1209 Ethernet 11
04 03 00 8086 1209 Ethernet 5
Evaluating BIOS Options …
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
Platform ASA5520
Management0/0
Ethernet auto negotiation timed out.
Interface-4 Link Not Established (check cable).
Default Interface number-4 Not Up
Use ? for help.
rommon #0> boot
Launching BootLoader…
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Looks like you have either a corrupted image or you have stored the image in a different location in flash.
I had the same problem. The way I fixed it was by changing the config register to xxxf, so the last byte had to be f so that it used the boot config to boot up.
Please help!
Use ? for help.
rommon #0> ADDRESS=192.168.1.20
rommon #1> SERVER=192.168.1.10
rommon #2> GATEWAY=192.168.1.1
rommon #3> IMAGE=asa825-k8.bin
rommon #4> PORT=Ethernet0/0
Ethernet0/0
i2c_write_byte_w_wait() error, slot = 0x0, device = 0x64, address = 128 byte count = 1. Reason: I2C_UNPOPULATED_ERROR
esw_reg_read: i2c_write_byte_w_wait(0) returned 0x6
Ethernet port 0 could not be initialized.
The problem could be related to two things:
1) Change the port to Ethernet0/1 and connect the TFTP server to that port.
2) Maybe the ASA image file is corrupted.
How about backing up the image using ROMMON?
The instructions to restore the image are lacking in information. Do you have to type the = to get this to work?
Yes, you have to use the “=” sign in order to enter the required information in the parameters.
Can someone help me? I have erased Disk0: and now I am trying to upload a new image, and I am getting the following error.
Received 16459776 bytes
Launching TFTP Image…
Cisco Security Appliance admin loader (3.0) #0: Mon Jan 11 14:23:33 MST 2010
Platform ASA5520
Loading…
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
open /dev/hda1:No such device or address
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
mount: mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
Set 'tap0' persistent and owned by uid 0
IO memory 85360640 bytes
Processor memory 344436736, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)
Total SSMs found: 0
Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: 001f.ca09.24b7
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
Internal error. Crash dump information may not be read or written to flash
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 03 MAC: 001f.ca09.24bb
i82546GB rev03 Gigabit Ethernet @ irq09 dev 2 index 02 MAC: 001f.ca09.24ba
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 01 MAC: 001f.ca09.24b9
i82546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: 001f.ca09.24b8
INFO: Unable to read firewall mode from flash
Writing defa