Cisco ASA 5505 recovery
- April 24th, 2013
I recently upgraded my ASA5505 to 9.1(1) and had heard while I was configuring my ASA5515-x that an interim release, 9.1(1)4, was available. When I started using the newer release a lot of my problems went away, thankfully, so I decided to upgrade to 9.1(1)4 on the ASA5505. Well sure enough, I encountered an error and instead of trying to debug it I fell back into my “Windows” experience and did a reload on the device instead.
It would POST no problems but got hung on “Bootloading” and stayed there. So I finally decided after an hour of powering it off & on to try and do a full recovery by using rommon. I already had the tftp server ready so how hard can it be to upload an IOS image to the device?? I mean seriously? WHAT COULD POSSIBLY GO WRONG…
I logged in to rommon and set the initial variables:
ADDRESS=192.168.1.1
SERVER=192.168.1.2
GATEWAY=192.168.1.2
IMAGE=asa911-4-k8.bin
PORT=Ethernet0/0
I then attempted to ping the tftp server which is on 192.168.1.2. No love. The tftp server couldn’t ping the ASA either. Well this isn’t going well at all! After about an hour of messing around w/ settings and verifying good link connectivity I finally just issued “tftp” on the ASA5505 and the image loaded! W00T! Now came the fun part! That image I loaded was only in memory and not installed on the compact flash card! In fact, it couldn’t see the compact flash card at all (which was the problem. Appears that my FAT file system went tits up!) So w/o thinking I issued “reload” again. And I was right back at the “Bootloading…” screen. This go around, I issued the “erase flash:” command while inside the rommon. Downloaded the image again from the tftp server. Once again, the IOS image is loaded in memory. This time I issued “format flash:” and I now could configure my ASA5505 to once again download the image from my tftp server and write it to my compact flash. I also did some initial configuration and wrote to memory.
Next reboot, I was up and running minus a couple of important things:
1) I was missing my activation key. I thankfully had it over on Cisco’s website since I upgraded the device to Security Plus years ago so I fetched it from here: http://www.cisco.com/web/go/license and looked for my devices available licenses. Once found, I applied it in global config mode and issued another reload.
2) I uploaded my saved config which I had saved previously. Things weren’t working as I had expected. I had to log into interface config mode and issue my “no shut” commands to rectify that situation! 😛
3) I also needed to generate an RSA key pair for ssh with “crypto key generate rsa” in global config mode.
4) There was something else but of course I have forgotten that!
See the links below for other good reference material.
https://supportforums.cisco.com/thread/153353 (no config-register in case you’re continuously booting in rommon)
http://www.tech21century.com/using-the-rommon-to-load-a-new-image-on-cisco-asa-firewall/ (URL says it all.)
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_trouble.html#wp1076206 (using rommon)
http://www.gomjabbar.com/2011/07/17/recovering-a-license-activation-key-for-the-cisco-asa/ (again, URL speaks volumes)
http://evilrouters.net/2011/12/16/how-to-upgrade-license-cisco-asa-firewall/ (ditto)
http://www.gomjabbar.com/2011/07/31/cisco-asa-device-management-%E2%80%93-ssh-keys-and-fingerprints/ (ssh keys)