Solved

Need HELP!!! Cisco ASA 5505 Comes up with ROMMON mode after rebooting it

Posted on 2011-03-01
Last Modified: 2013-11-08
By mistake the flash was wiped.
I am trying to TFTP the IOS back onto the ASA 5505.
Everything works fine;
the ASA reboots after completing the upload.
Then I did a
ciscoasa# sh flash
--#-- --lenght-- ------date/time----                       path
11     2048         Mar 01 2011 00:53:20              coredumpinfo
12     43             Mar 01 2011 00:53:20              coredumpinfo/coredump.cfg
3       2048         Mar 01 2011 00:53:20              log
10     2048         Mar 01 2011 00:53:20              crypto_archive

and

ciscoasa#sh boot

BOOT variable=
Current BOOT variable=
CONFIG_FILE variable=
Current CONFIG_FILE variable=
ciscoasa#

These were the results.
I reboot the ASA manually and it is back in ROMMON mode.

Can anybody help me?

thx
0
Question by:Torsten78
23 Comments
 
LVL 4

Expert Comment

by:RobertParten
ID: 35008022
Are you interacting via the console?
0
 

Author Comment

by:Torsten78
ID: 35008078
Yes, I am. At the moment I can't make a screenshot because it's on the other PC.
0
 

Author Comment

by:Torsten78
ID: 35008130
The problem is getting the IOS asa822-k8.bin file into the flash disk0:
0
 
LVL 4

Expert Comment

by:RobertParten
ID: 35008224
Assign an IP address to an Ethernet Interface and then TFTP the image, is this what you are trying to do? Ensure you can reach the TFTP server once you assign an IP address to that interface.
0
 

Author Comment

by:Torsten78
ID: 35008373
That's what I did after the IOS was lost:

after the bootup sequence,

rommon# 1> address 192.168.1.6 (e0/7 interface on ASA 5505 and connected)
rommon#2> server 192.168.1.5 (tftp server on my computer, ping works fine)
rommon#3> gateway 192.168.1.5
rommon#4> file asa822-k8.bin
rommon#5> tftpdnld

everything works fine,
the ASA reboots, looks good
as soon as I do a sh flash or boot I get no entries

and as soon as I restart the ASA 5505 I'm back in the ROMMON mode
0
 
LVL 4

Expert Comment

by:RobertParten
ID: 35008495
Check your registry
0
 

Author Comment

by:Torsten78
ID: 35008578
ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "tftp://192.168.1.5/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 22 mins 16 secs

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 588d.096d.d59e, irq 11
 1: Ext: Ethernet0/0         : address is 588d.096d.d596, irq 255
 2: Ext: Ethernet0/1         : address is 588d.096d.d597, irq 255
 3: Ext: Ethernet0/2         : address is 588d.096d.d598, irq 255
 4: Ext: Ethernet0/3         : address is 588d.096d.d599, irq 255
 5: Ext: Ethernet0/4         : address is 588d.096d.d59a, irq 255
 6: Ext: Ethernet0/5         : address is 588d.096d.d59b, irq 255
 7: Ext: Ethernet0/6         : address is 588d.096d.d59c, irq 255
 8: Ext: Ethernet0/7         : address is 588d.096d.d59d, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1450Z0AT
Running Activation Key: 0x2406c07e 0x888b5b39 0x7cb261b8 0x8858848c 0x4c24178b
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
   11  2048        Mar 01 2011 00:53:20  coredumpinfo
   12  43          Mar 01 2011 00:53:20  coredumpinfo/coredump.cfg
    3  2048        Mar 01 2011 02:00:44  log
   10  2048        Mar 01 2011 02:00:54  crypto_archive

127135744 bytes total (126846976 bytes free)
ciscoasa# sh boot

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
0
 

Author Comment

by:Torsten78
ID: 35008585
These are the printouts.

Which registry?
0
 

Author Comment

by:Torsten78
ID: 35008590
I hope this might help
0
 
LVL 4

Expert Comment

by:RobertParten
ID: 35008734
Are you writing from RAM to FLASH memory before rebooting?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35009126
He's trying to load the Bin file to flash.  

The complete process to upload through rommon looks like this:
rommon #1> ADDRESS=10.10.10.83
rommon #2> SERVER=10.10.20.123
rommon #3> GATEWAY=10.10.10.1
rommon #4> IMAGE=auto/tftpboot/user/asa712-k8.bin
rommon #5> tftp
ROMMON Variable Settings:
ADDRESS=10.10.10.83
SERVER=10.10.20.123
GATEWAY=10.10.10.1
PORT=GigabitEthernet0/3
VLAN=untagged
IMAGE=auto/tftpboot/user/asa712-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=2
RETRY=20

tftp auto/tftpboot/user/asa712-k8.bin@10.10.20.123 via 10.10.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


After the tftp is completed, list the flash: contents and see if the bin file is listed. If it isn't, then make sure you saw the !!!! while transferring the bin. The !!! is the happy xfer sign.

If you are sure you are getting the xfer done, and the file is not listed, you should be able to issue a "format flash:" command and ERASE the contents of flash. If there is anything on flash that you need, this will ERASE IT ALL. Make sure you have a backup of your config and such.

Then try the XFER again.


0
 

Author Comment

by:Torsten78
ID: 35009265
The xfer looks good, it looks the same as yours, MikeKane:

rommon #1> ADDRESS=10.10.10.83
rommon #2> SERVER=10.10.20.123
rommon #3> GATEWAY=10.10.10.1
rommon #4> IMAGE=auto/tftpboot/user/asa712-k8.bin
rommon #5> tftp
ROMMON Variable Settings:
ADDRESS=10.10.10.83
SERVER=10.10.20.123
GATEWAY=10.10.10.1
PORT=GigabitEthernet0/3
VLAN=untagged
IMAGE=auto/tftpboot/user/asa712-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=2
RETRY=20

tftp auto/tftpboot/user/asa712-k8.bin@10.10.20.123 via 10.10.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

do you think I should completely erase the flash and xfer the file again???

thx all for your help!!!
0
 

Author Comment

by:Torsten78
ID: 35009290
The good thing is, this is a spare one, there are no configs and such things on it!

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35010072
If it's a spare, then go ahead and format and retry the transfer. If the file is NOT listed after the transfer is complete, then you might want to open a TAC case...
0
 

Author Comment

by:Torsten78
ID: 35011351
I´ll try it tomorrow, see if it works. I´ll let you know about the result!

thx for help
0
 

Author Comment

by:Torsten78
ID: 35015817
this is what I got this morning, after I did the format flash:

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.

Cannot find disk0:/asa822-k8.bin

Error 15: File not found

unable to boot an image


Default configuration file contains 1 entry.

Searching / for images to boot.

No images in /
Error 15: File not found

unable to boot an image


Failsafe booting engaged.
Default configuration file contains 1 entry.

Searching / for images to boot.

No images in /
Error 15: File not found

unable to boot an image



CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge
 00  0F  02   1022   2092  IDE Controller
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Ethernet0/0
MAC Address: 588d.096d.d59e
Link is DOWN

Use ? for help.
rommon #0> address 192.168.1.1
rommon #1> server 192.168.1.5
rommon #2> gateway 192.168.1.5
rommon #3> ping 192.168.1.5
Sending 20, 100-byte ICMP Echoes to 192.168.1.5, timeout is 4 seconds:
???????
Success rate is 0 percent (0/20)
rommon #4> int e0/7
Ethernet0/7
MAC Address: 588d.096d.d59e
Link is UP
rommon #5> ping 192.168.1.5
Sending 20, 100-byte ICMP Echoes to 192.168.1.5, timeout is 4 seconds:
?!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)
rommon #6> file asa822-k8.bin
rommon #7> tftpdnld
ROMMON Variable Settings:
  ADDRESS=192.168.1.1
  SERVER=192.168.1.5
  GATEWAY=192.168.1.5
  PORT=Ethernet0/7
  VLAN=untagged
  IMAGE=asa822-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

tftp asa822-k8.bin@192.168.1.5 via 192.168.1.5
!!!!!!!!!!!!!!!!!!!
Received 16459776 bytes

Launching TFTP Image...

Cisco Security Appliance admin loader (3.0) #0: Mon Jan 11 14:23:33 MST 2010
Platform ASA5505
Loading...
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 28 files, 14/62078 clusters
dosfsck(/dev/hda1) returned 0
Set 'tap0' persistent and owned by uid 0
IO memory 39583744 bytes

Processor memory 385978368, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 588d.096d.d59d
88E6095 rev 2 Ethernet @ index 07 MAC: 588d.096d.d59c
88E6095 rev 2 Ethernet @ index 06 MAC: 588d.096d.d59b
88E6095 rev 2 Ethernet @ index 05 MAC: 588d.096d.d59a
88E6095 rev 2 Ethernet @ index 04 MAC: 588d.096d.d599
88E6095 rev 2 Ethernet @ index 03 MAC: 588d.096d.d598
88E6095 rev 2 Ethernet @ index 02 MAC: 588d.096d.d597
88E6095 rev 2 Ethernet @ index 01 MAC: 588d.096d.d596
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 588d.096d.d59e

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

Cisco Adaptive Security Appliance Software Version 8.2(2)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2010 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

WARNING: BOOT variable added, but unable to find disk0:/asa822-k8.bin
*** Output from config line 39, "boot system disk0:/asa82..."

Cryptochecksum (unchanged): 1642b171 f04d7e82 636421ed 0ca8cbb5
The flash device is in use by another task.
Type help or '?' for a list of available commands.
ciscoasa>
ciscoasa> en
Password:
ciscoasa# sh flash
--#--  --length--  -----date/time------  path
    2  2048        Mar 02 2011 00:59:32  log
    9  2048        Mar 02 2011 00:59:40  crypto_archive
   10  2048        Mar 02 2011 00:59:42  coredumpinfo
   11  43          Mar 02 2011 00:59:42  coredumpinfo/coredump.cfg

127135744 bytes total (126846976 bytes free)
ciscoasa# sh boot

BOOT variable = disk0:/asa822-k8.bin
Current BOOT variable = disk0:/asa822-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#
0
 

Author Comment

by:Torsten78
ID: 35015825
any ideas???
0
 

Author Comment

by:Torsten78
ID: 35016149
I formatted disk0: and tried to copy the ASA image back on from tftp to disk0:

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
    2  2048        Mar 02 2011 00:59:32  log
    9  2048        Mar 02 2011 00:59:40  crypto_archive
   10  2048        Mar 02 2011 00:59:42  coredumpinfo
   11  43          Mar 02 2011 00:59:42  coredumpinfo/coredump.cfg

127135744 bytes total (126846976 bytes free)
ciscoasa# sh boot

BOOT variable = disk0:/asa822-k8.bin
Current BOOT variable = disk0:/asa822-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa#

ciscoasa# format disk0:

Format operation may take a while. Continue? [confirm]

Format operation will destroy all data in "disk0:".  Continue? [confirm]
Initializing partition - done!
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete
ciscoasa# sh flash
--#--  --length--  -----date/time------  path
No files in directory

127135744 bytes total (127123456 bytes free)
ciscoasa# copy tftp: disk0:

Address or name of remote host []? 

?Bad address or host name
%Error parsing filename ()
ciscoasa# conf t
ciscoasa(config)# int vlan 1
ciscoasa(config-if)# ip address 192.168.1.1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# 
ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
No route to host 192.168.1.1

Success rate is 0 percent (0/1)
ciscoasa# conf t
ciscoasa(config)# int e 0/7
ciscoasa(config-if)# no shut
ciscoasa(config-if)# 
ciscoasa# sh int vlan 1
Interface Vlan1 "", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        Available but not configured via nameif
        MAC address 588d.096d.d59e, MTU not set
        IP address 192.168.1.1, subnet mask 255.255.255.0
ciscoasa# sh int e0/7
Interface Ethernet0/7 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 588d.096d.d59d, MTU not set
        IP address unassigned
        32157 packets input, 18068454 bytes, 0 no buffer
        Received 6 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
        32152 packets output, 2057753 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
ciscoasa# copy tftp: disk0:

Address or name of remote host []? 192.168.1.5

Source filename []? asa822-k8.bin

Destination filename [asa822-k8.bin]?

Accessing tftp://192.168.1.5/asa822-k8.bin...
%Error opening tftp://192.168.1.5/asa822-k8.bin (No such device)

still doesn´t work .....frustrating
0
 

Author Comment

by:Torsten78
ID: 35016459
I think this is my problem:

IMPORTANT:This procedure only loads into RAM, so once it is booted and has an IP address, you have to copy from tftp again to flash. If you don't do this step, next time you power off you'll have to start over again with the procedure above.

but I can't load the file afterwards from the tftp-server. I configure the vlan, the port is up and is physically connected, but as soon as I try
ciscoasa# copy tftp: disk0:
it comes up with:
Address or name of remote host []? 192.168.1.5 (tftp-server running at)

Source filename []? asa822-k8.bin

Destination filename [asa822-k8.bin]? (hit enter)

Accessing tftp://192.168.1.5/asa822-k8.bin...
%Error opening tftp://192.168.1.5/asa822-k8.bin (No such device)
ciscoasa#
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35017931
Ok, now I see. Then once the ASA loads, check that you can ping 192.168.1.5 before the TFTP. Do you get a result? After the ASA is loaded, can 192.168.1.5 ping the ASA IP? The ASA config may use different interfaces, or have ACLs, or have something else in the config which may interfere with traffic to that host.

Also do a SHOW LOGGING to look at the buffer log and see if any packets were dropped and for what reason.

0
 

Author Comment

by:Torsten78
ID: 35019166
I have no idea what's wrong.

In ROMMON mode I can ping the tftp server 192.168.1.5 and I'm able to upload the ASA file. After I reboot the ASA I configure the vlan and the interface, but I can't ping the tftp server, not even the ASA's own interface; the ASA comes up with: no route to host

I really have no clue what it could be???

I changed the tftp server, changed from PuTTY to HyperTerminal and back to PuTTY, and so on.

I'm finished for today, see what tomorrow comes

Thx for your help
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 35019763
On the ASA, once it is booted, do a show run and post.    The interface assigned to 'inside' will be the one to use to connect to TFTP.    

0
 

Author Closing Comment

by:Torsten78
ID: 35081390
sometimes it´s so easy!

after I configured the vlan as inside tftp worked well, and the asa is back to normal!

thx for helping me
0
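
The state this thread kept running into (image booted from TFTP into RAM, nothing written to disk0:, BOOT variable empty or pointing at a missing file) can be detected from saved `show version`, `show flash` and `show boot` output before the next reload. This is an added example, not part of any post in the thread; the function names and finding labels are hypothetical, the sample text is constructed from the listings above, and the `;` separator for multiple BOOT entries is an assumption.

```python
import re

# One 'show flash' row: index, length, date/time, path.
FLASH_ROW = re.compile(
    r"^\s*\d+\s+\d+\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")

def flash_files(show_flash):
    """Paths listed in 'show flash' output."""
    return {m.group(1) for m in map(FLASH_ROW.match, show_flash.splitlines()) if m}

def boot_images(show_boot):
    """Images named by the BOOT variable; empty list when it is unset."""
    # [ \t]* rather than \s* so an empty value does not swallow the next line.
    m = re.search(r"^BOOT variable[ \t]*=[ \t]*(.*)$", show_boot, re.M)
    # Assumption: several entries, if present, are separated by ';'.
    return [p.strip() for p in m.group(1).split(";") if p.strip()] if m else []

def running_image(show_version):
    """Value of the 'System image file is' line, or None."""
    m = re.search(r'^System image file is "([^"]*)"', show_version, re.M)
    return m.group(1) if m else None

def diagnose(show_version, show_flash, show_boot):
    """Return findings that mean the next reload will drop to ROMMON."""
    findings = []
    image = running_image(show_version)
    if image and image.startswith("tftp://"):
        findings.append("RAM_ONLY_IMAGE")       # booted via ROMMON tftpdnld
    boots = boot_images(show_boot)
    if not boots:
        findings.append("BOOT_UNSET")
    files = flash_files(show_flash)
    for path in boots:
        if path.split(":/", 1)[-1] not in files:  # strip the 'disk0:/' prefix
            findings.append("BOOT_TARGET_MISSING:" + path)
    return findings

# Constructed samples, modelled on the output posted in this thread.
VERSION_TFTP = 'System image file is "tftp://192.168.1.5/asa822-k8.bin"\n'
VERSION_DISK = 'System image file is "disk0:/asa822-k8.bin"\n'
FLASH_NO_IMAGE = """\
--#--  --length--  -----date/time------  path
    2  2048        Mar 02 2011 00:59:32  log
    9  2048        Mar 02 2011 00:59:40  crypto_archive
   10  2048        Mar 02 2011 00:59:42  coredumpinfo
   11  43          Mar 02 2011 00:59:42  coredumpinfo/coredump.cfg

127135744 bytes total (126846976 bytes free)
"""
# Constructed row for a flash that does hold the image.
FLASH_WITH_IMAGE = FLASH_NO_IMAGE + \
    "   12  16459776    Mar 03 2011 09:00:00  asa822-k8.bin\n"
BOOT_UNSET = "BOOT variable =\nCurrent BOOT variable =\n"
BOOT_SET = ("BOOT variable = disk0:/asa822-k8.bin\n"
            "Current BOOT variable = disk0:/asa822-k8.bin\n")

if __name__ == "__main__":
    print(diagnose(VERSION_TFTP, FLASH_NO_IMAGE, BOOT_UNSET))
    print(diagnose(VERSION_TFTP, FLASH_NO_IMAGE, BOOT_SET))
    print(diagnose(VERSION_DISK, FLASH_WITH_IMAGE, BOOT_SET))
```
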
