Solved

Cisco ASA 5505 dumped config,software, and license upon upgrade to 8.0.4 OS

Posted on 2008-11-06
Last Modified: 2012-06-21
We have 5 of our ASA 5505 security devices that have erased all of their configuration and software images upon attempting to upgrade to ASA804-k8.  When the systems boot we get to "Launching BootLoader..." and the systems hang.  I can break into ROMMON and boot from a tftp image; from there I can load a config, save it to startup-config, and copy the image down from tftp. However, the systems are still hanging on the bootloader after reboot.  Also, they are showing the license key as invalid when booting from tftp.

The upgrade was run in two phases. The software images were pushed to the devices and we ensured that they copied fine.  Secondly, a job was run using Kiwi CatTools to run the following commands on the devices:

conf t
no boot system disk0:/asa802-k8.bin
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8.bin
asdm image disk0:/asdm-615.bin
write mem
reload noconfirm

80+ worked fine using this technique.  5 blew up and have not worked since.  Does anyone have any experience with these devices hanging on bootloader....
Question by:mti-adminz

Expert Comment

by:damalano
ID: 22897227
Can you give me a sh flash?


Author Comment

by:mti-adminz
ID: 22904905
Will do.  I have been doing some work on one of the units with Cisco TAC.  I will fire up another one and show you exactly what I see when I first boot via TFTP.
Thanks,

Author Comment

by:mti-adminz
ID: 22905020
First I have to boot into ROMMON and tftpboot to the new image asa804-k8.bin.  The system will then boot:
ciscoasa> en
Password:
ciscoasa# show flash
--#--  --length--  -----date/time------  path
   62  2048        Nov 07 2008 15:06:13  log
   65  2048        Nov 07 2008 15:06:28  crypto_archive

127135744 bytes total (87851008 bytes free)
ciscoasa# dir /all

Directory of disk0:/

62     drwx  2048        15:06:13 Nov 07 2008  log
65     drwx  2048        15:06:28 Nov 07 2008  crypto_archive

127135744 bytes total (87851008 bytes free)
ciscoasa# show start
ciscoasa# show startup-config
ciscoasa#
ciscoasa#
ciscoasa# show boot

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.0(4)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "tftp://172.16.19.5/asa804-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 mins 22 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 001d.a24d.fab8, irq 11
 1: Ext: Ethernet0/0         : address is 001d.a24d.fab0, irq 255
 2: Ext: Ethernet0/1         : address is 001d.a24d.fab1, irq 255
 3: Ext: Ethernet0/2         : address is 001d.a24d.fab2, irq 255
 4: Ext: Ethernet0/3         : address is 001d.a24d.fab3, irq 255
 5: Ext: Ethernet0/4         : address is 001d.a24d.fab4, irq 255
 6: Ext: Ethernet0/5         : address is 001d.a24d.fab5, irq 255
 7: Ext: Ethernet0/6         : address is 001d.a24d.fab6, irq 255
 8: Ext: Ethernet0/7         : address is 001d.a24d.fab7, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces  : 8        
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10        
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Disabled  
VPN Peers                    : 10        
WebVPN Peers                 : 2        
Dual ISPs                    : Disabled  
VLAN Trunk Ports             : 0        
AnyConnect for Mobile        : Disabled  
AnyConnect for Linksys phone : Disabled  
Advanced Endpoint Assessment : Disabled  
UC Proxy Sessions            : 2        

This platform has a Base license.

Expert Comment

by:damalano
ID: 22908460
I don't see the asa804-k8.bin file in the flash on disk0.
Are you sure it's on the ASA?
Do a copy tftp flash of the file.
Or am I making a mistake? Shouldn't the file be on the ASA?
(It's been a while since I worked with the ASA.)

Expert Comment

by:texasjpm
ID: 22909641
Damalano is correct; you need to run the commands below:
copy tftp: disk0:
Address or name of remote host []? <TFTP Server IP>
Source filename []? ASA804-k8.bin
Destination filename [ASA804-k8.bin]? <Hit Enter>

This should copy the bin to the ASA. Then do the same thing for the asdm-615.bin.

After the files are copied run these commands.

conf t
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8.bin
asdm image disk0:/asdm-615.bin
write mem
reload noconfirm

Author Comment

by:mti-adminz
ID: 22910262
This is correct.  The image is gone.  Everything is gone in fact.  Images, license information, config. They have all disappeared after doing the upgrade.  We copied the new software image to the units, and verified that it copied correctly.  Then we ran a job later that night that ran the following commands, which resulted in the output that follows:
Commands:
conf t
no boot system disk0:/asa802-k8.bin
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8.bin
asdm image disk0:/asdm-615.bin
write mem
reload noconfirm

Output:
conf t

MTI-FW-19(config)#
no boot system disk0:/asa802-k8.bin

MTI-FW-19(config)#
boot system disk0:/asa804-k8.bin
WARNING: BOOT variable added, but unable to find disk0:/asa804-k8.bin

MTI-FW-19(config)#
boot system disk0:/asa802-k8.bin

MTI-FW-19(config)#
asdm image disk0:/asdm-615.bin
Device Manager image set, but unable to find disk0:/asdm-615.bin

MTI-FW-19(config)#
write mem
Building configuration...
Cryptochecksum: 7dc91bd6 cb2d6e42 e6dcf5d4 77adb608

%Error writing disk0:/.private/startup-config (I/O error)
Error executing command
[FAILED]

MTI-FW-19(config)#
reload noconfirm

MTI-FW-19(config)#



Now when booting a device we simply get to "Launching BootLoader..." and the box hangs.  I am able to boot into ROMMON, and using the tftpdnld command I can boot to the 8.0.4 image off a tftp server.  I then see the output I provided earlier.  I can copy a config onto the device and write it to mem, and then copy the 8.0.4 image to flash.  I run the same commands that you provided to set a boot image, but when the device reloads it still hangs at: "Launching BootLoader..."
Working with Cisco TAC I have tried formatting flash and fixing the file systems by using their directions:
############################################################
1) Format the flash

2) Repair the filesystem

3) Copy the old image 8.0.2 to flash and then set boot variable for IOS.

Now, reload the device and check if it comes up fine.

Commands are below:

format {disk0: | disk1: | flash:}

fsck [/noconfirm] {disk0: | disk1: | flash:}
##############################################################

After doing this I copy the images down again, set the boot image etc...  and reboot.  But it still hangs at "Launching BootLoader..."
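
As an added example (not part of the original posts, and not Cisco or Kiwi CatTools code), the check below shows how the upgrade job could have refused to reload: it confirms that every image named in the boot system and asdm image commands is listed in show flash, and that the configuration transcript contains none of the failure messages quoted above. The function names are hypothetical; the sample input is copied from the posts in this thread.

```python
import re

# Failure markers that appear in the job output quoted in the post above.
FAILURE = re.compile(r"unable to find|%Error|Error executing command|\[FAILED\]")
# One 'show flash' row: index, length, date/time, path.
FLASH_ROW = re.compile(r"\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)")
IMAGE_CMD = re.compile(r"\s*(?:boot system|asdm image)\s+disk0:/(\S+)")

def referenced_images(commands):
    """File names the job points the device at ('no boot system' lines are skipped)."""
    names = []
    for line in commands:
        m = IMAGE_CMD.match(line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names

def files_in_flash(show_flash):
    """Map path -> length for every row of 'show flash' output."""
    rows = (FLASH_ROW.match(line) for line in show_flash.splitlines())
    return {m.group(2): int(m.group(1)) for m in rows if m}

def safe_to_reload(commands, show_flash, transcript):
    """Return (ok, reasons). ok is False if an image is absent or a step failed."""
    present = files_in_flash(show_flash)
    reasons = [f"image not in flash: {n}"
               for n in referenced_images(commands) if present.get(n, 0) == 0]
    reasons += [f"device reported: {l.strip()}"
                for l in transcript.splitlines() if FAILURE.search(l)]
    return (not reasons, reasons)

# Sample input copied from the posts above (the job's commands, minus the reload).
JOB = ["conf t", "no boot system disk0:/asa802-k8.bin", "boot system disk0:/asa804-k8.bin",
       "boot system disk0:/asa802-k8.bin", "asdm image disk0:/asdm-615.bin", "write mem"]
SHOW_FLASH = """--#--  --length--  -----date/time------  path
   62  2048        Nov 07 2008 15:06:13  log
   65  2048        Nov 07 2008 15:06:28  crypto_archive
127135744 bytes total (87851008 bytes free)"""
TRANSCRIPT = """WARNING: BOOT variable added, but unable to find disk0:/asa804-k8.bin
Device Manager image set, but unable to find disk0:/asdm-615.bin
%Error writing disk0:/.private/startup-config (I/O error)
Error executing command
[FAILED]"""

if __name__ == "__main__":
    ok, reasons = safe_to_reload(JOB, SHOW_FLASH, TRANSCRIPT)
    print("reload allowed" if ok else "reload blocked:")
    for r in reasons:
        print("  " + r)
```

In a real job the flash listing would be captured before the configuration commands and the transcript checked before reload noconfirm is sent, so a unit whose flash has stopped accepting writes is left running instead of rebooted.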

Accepted Solution

by:
mti-adminz earned 0 total points
ID: 22910314
I realize from the output that I have provided it is saying that it couldn't find the image in flash; however, the copy of the images from our http server worked without flaw.  In fact, I have compared the logged output with another 5505 where the upgrade was successful and the images listed the same bytes copied etc. on each unit, which leads me to think that there was no corruption in the copy process.

Again I have had 5 out of approx. 85 units fail in the exact same manner.

This is a very strange issue. However Cisco is going to replace the units now, as they are covered by our smartnet contract, and they can not seem to resolve this issue.  Possibly bad flash memory in the devices.