Sunday, February 7, 2021

Cisco ASA 5506-X ROMMON Upgrade

I needed to upgrade the ROMMON firmware on a Cisco ASA 5506-X firewall (with SSD or Firepower module). This is a required step before converting the ASA to FTD. You can verify the ASA ROMMON version with the show module command. In the output below, the Fw Version is 1.1.15; we needed to run at least 1.1.18.

ciscoasa# show module

 

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD24111234

 sfr Unknown                                      N/A                JAD24111234

 

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    

---- --------------------------------- ------------ ------------ ---------------

   1 bc5a.5681.d595 to bc5a.5681.d59e  2.4          1.1.15       9.8(2)

 sfr bc5a.5681.d594 to bc5a.5681.d594  N/A          N/A         

 

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable       

 sfr Init               Not Applicable       

 

 

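Use the upgrade rommon <LOCATION:FILE NAME> privileged EXEC command to perform the ROMMON upgrade. As the output below shows, the ASA first verifies the file's hash and digital signature and then asks for confirmation before reloading. The ASA will reload automatically twice during the process.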

 

ciscoasa# upgrade ?

 

  rommon  Perform an upgrade on rom-monitor

ciscoasa# upgrade rommon ?

 

  disk0:  Path and filename on disk0:

  disk1:  Path and filename on disk1:

  flash:  Path and filename on flash:

ciscoasa# upgrade rommon disk0:asa5500-firmware-1118.SPA

Verifying file integrity of disk0:/asa5500-firmware-1118.SPA

 

Computed Hash   SHA2: fb0bd87c814ddbd1340f5c05208f6254

                      7d2d330ef4b9fcc0eb3b42fdd5956fc8

                      c3af17a0d74a2b057e12dbb95408f562

                      c4886bb4c4592af87a722809208d5537

                     

Embedded Hash   SHA2: fb0bd87c814ddbd1340f5c05208f6254

                      7d2d330ef4b9fcc0eb3b42fdd5956fc8

                      c3af17a0d74a2b057e12dbb95408f562

                      c4886bb4c4592af87a722809208d5537

                     

 

Digital signature successfully validated

File Name                     : disk0:/asa5500-firmware-1118.SPA

Image type                    : Release

    Signer Information

        Common Name           : abraxas

        Organization Unit     : NCS_Kenton_ASA

        Organization Name     : CiscoSystems

    Certificate Serial Number : 5F619995

    Hash Algorithm            : SHA2 512

    Signature Algorithm       : 2048-bit RSA

    Key Version               : A

Verification successful.

Proceed with reload? [confirm]

ciscoasa#

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

***

*** Message to all terminals:

***

***   Performing upgrade on rom-monitor.

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

***

*** --- SHUTDOWN NOW ---

***

*** Message to all terminals:

***

***   Performing upgrade on rom-monitor.

Process shutdown finished

Rebooting... (status 0x9)

..

INIT: Sending processes the TERM signal

Deconfiguring network interfaces... done.

Sending all processes the TERM signal...

Sending all processes the KILL signal...

Deactivating swap...

Unmounting local filesystems...

Rebooting...

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Sat 03/30/2019  7:00:46.51 by wchen64

 

 

Current image running: Boot ROM0

Last reset cause: PowerCycleRequest

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00002000

 

Firmware upgrade step 1...

Looking for file 'disk0:asa5500-firmware-1118.SPA'

Located 'asa5500-firmware-1118.SPA' @ cluster 870063.

 

###########################################################################################

Image base 0x7700a018, size 9241408

LFBFF signature verified.

Objtype: lfbff_object_rommon (0x800000 bytes @ 0x7700a238)

Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x7780a258)

INFO: FPGA version in upgrade image: 0x0300

INFO: FPGA version currently active: 0x0300

FPGA: No need to do FPGA upgrade  !!!

 

INFO: Rommon version currently active: 1.1.15.

INFO: Rommon version in upgrade image: 1.1.18.

Active ROMMON: Preferred 0, selected 0, booted 0

Switching SPI access to standby rommon 1.

Please DO NOT reboot the unit, updating ROMMON...................

INFO: Duplicating machine state......

Reloading now as step 1 of the rommon upgrade process...

 

Toggling power on system board...

 

 

<ASA AUTO RELOAD>

 

 

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Sat 03/30/2019  7:00:46.51 by wchen64

 

 

Current image running: Boot ROM0

Last reset cause: RP-Reset

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00000008

Active ROMMON: Preferred 0, selected 0, booted 0

 

Firmware upgrade step 2...

Detected current rommon upgrade is available, continue rommon upgrade process

Rommon upgrade reset 0 in progress

Reloading now as step 2 of the rommon upgrade process...

 

 

<ASA AUTO RELOAD>

 

 

Rom image verified correctly

 

 

Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE

Copyright (c) 1994-2020  by Cisco Systems, Inc.

Compiled Tue 09/15/2020 20:35:13.52 by wchen64

 

 

Current image running: *Upgrade in progress* Boot ROM0

Last reset cause: BootRomUpgrade

DIMM Slot 0 : Present

INFO: Rommon upgrade state: ROMMON_UPG_START (1)

INFO: Reset code: 0x00000010

PROM B: stopping boot timer

Active ROMMON: Preferred 1, selected 1, booted 0

Looking for file 'disk0:asa5500-firmware-1118.SPA'

Located 'asa5500-firmware-1118.SPA' @ cluster 870063.

 

 

###########################################################################################

 

Image base 0x77008018, size 9241408

LFBFF signature verified.

Objtype: lfbff_object_rommon (0x800000 bytes @ 0x77008238)

Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x77808258)

INFO: Second time firmware update state: False

INFO: Rommon upgrade state: ROMMON_UPG_TEST

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

!! Please manually or auto boot ASAOS now to complete firmware upgrade !!

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

 

Platform ASA5506 with 4096 Mbytes of main memory

 

MAC Address: bc:5a:56:81:d5:95

 

 

Use BREAK or ESC to interrupt boot.

 

Use SPACE to begin boot immediately.

 

Boot in 10 seconds

 

 

<OUTPUT TRUNCATED>

 

 

Notice the ROMMON firmware version is now 1.1.18.

 

ciscoasa# show module

 

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD24111234

 sfr Unknown                                      N/A                JAD24111234

 

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    

---- --------------------------------- ------------ ------------ ---------------

   1 bc5a.5681.d595 to bc5a.5681.d59e  2.4          1.1.18       9.8(2)

 sfr bc5a.5681.d594 to bc5a.5681.d594  N/A          N/A         

 

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable       

 sfr Init               Not Applicable
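
The before/after version check above can be run over saved show module captures. The following is an added example, not code from the original post: it slices the fixed-width table by its dash ruler and compares the Fw Version of module 1 against 1.1.18 as an integer tuple, because a plain string comparison would misorder versions such as 1.1.9 and 1.1.18. The function names are illustrative assumptions.

```python
import re

MIN_ROMMON = (1, 1, 18)  # minimum ROMMON version the post says is required

# Constructed sample: the version table from the post's first "show module" output.
SAMPLE = """\
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 bc5a.5681.d595 to bc5a.5681.d59e  2.4          1.1.15       9.8(2)
 sfr bc5a.5681.d594 to bc5a.5681.d594  N/A          N/A
"""

RULER = re.compile(r"^-+( +-+)+\s*$")  # the dashed line under each table header


def parse_tables(text):
    """Yield a dict per data row of every fixed-width table in the output."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]  # skip blank lines
    i = 0
    while i < len(lines) - 1:
        if not RULER.match(lines[i + 1]):
            i += 1
            continue
        # Column boundaries come from the dash ruler, so empty cells and cells
        # that contain spaces ("x to y") are sliced correctly.
        spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
        names = [lines[i][a:b].strip() for a, b in spans]
        i += 2
        # Rows continue until the next header (a line followed by a ruler).
        while i < len(lines) and not (i + 1 < len(lines) and RULER.match(lines[i + 1])):
            yield {n: lines[i][a:b].strip() for n, (a, b) in zip(names, spans)}
            i += 1


def rommon_version(text, mod="1"):
    """Return the Fw Version of a module as an int tuple, or None if not numeric."""
    for row in parse_tables(text):
        fw = row.get("Fw Version", "")
        if row.get("Mod") == mod and re.fullmatch(r"\d+(\.\d+)+", fw):
            return tuple(int(p) for p in fw.split("."))
    return None


def needs_upgrade(text, minimum=MIN_ROMMON):
    """True when module 1 reports a ROMMON older than the minimum."""
    ver = rommon_version(text)
    if ver is None:
        raise ValueError("no Fw Version found for module 1")
    return ver < minimum  # tuple compare, so (1, 1, 9) < (1, 1, 18)
```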