I needed to upgrade the ROMMON firmware on a Cisco ASA 5506-X firewall (with SSD or Firepower module). This is a required step before converting the ASA to FTD. You can verify the ASA ROMMON version using the show module command. In the output below, the Fw Version is 1.1.15, and we needed to run at least 1.1.18.
ciscoasa# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD24111234
sfr Unknown N/A JAD24111234
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 bc5a.5681.d595 to bc5a.5681.d59e 2.4 1.1.15 9.8(2)
sfr bc5a.5681.d594 to bc5a.5681.d594 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Init Not Applicable
Use the upgrade rommon <LOCATION:FILE NAME> privileged EXEC command to perform the ROMMON upgrade. The ASA will auto reload twice during the process.
ciscoasa# upgrade ?
rommon Perform an upgrade on rom-monitor
ciscoasa# upgrade rommon ?
disk0: Path and filename on disk0:
disk1: Path and filename on disk1:
flash: Path and filename on flash:
ciscoasa# upgrade rommon disk0:asa5500-firmware-1118.SPA
Verifying file integrity of disk0:/asa5500-firmware-1118.SPA
Computed Hash SHA2: fb0bd87c814ddbd1340f5c05208f6254
7d2d330ef4b9fcc0eb3b42fdd5956fc8
c3af17a0d74a2b057e12dbb95408f562
c4886bb4c4592af87a722809208d5537
Embedded Hash SHA2: fb0bd87c814ddbd1340f5c05208f6254
7d2d330ef4b9fcc0eb3b42fdd5956fc8
c3af17a0d74a2b057e12dbb95408f562
c4886bb4c4592af87a722809208d5537
Digital signature successfully validated
File Name : disk0:/asa5500-firmware-1118.SPA
Image type : Release
Signer Information
Common Name : abraxas
Organization Unit : NCS_Kenton_ASA
Organization Name : CiscoSystems
Certificate Serial Number : 5F619995
Hash Algorithm : SHA2 512
Signature Algorithm : 2048-bit RSA
Key Version : A
Verification successful.
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** Performing upgrade on rom-monitor.
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** Performing upgrade on rom-monitor.
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Sat 03/30/2019 7:00:46.51 by wchen64
Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00002000
Firmware upgrade step 1...
Looking for file 'disk0:asa5500-firmware-1118.SPA'
Located 'asa5500-firmware-1118.SPA' @ cluster 870063.
###########################################################################################
Image base 0x7700a018, size 9241408
LFBFF signature verified.
Objtype: lfbff_object_rommon (0x800000 bytes @ 0x7700a238)
Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x7780a258)
INFO: FPGA version in upgrade image: 0x0300
INFO: FPGA version currently active: 0x0300
FPGA: No need to do FPGA upgrade !!!
INFO: Rommon version currently active: 1.1.15.
INFO: Rommon version in upgrade image: 1.1.18.
Active ROMMON: Preferred 0, selected 0, booted 0
Switching SPI access to standby rommon 1.
Please DO NOT reboot the unit, updating ROMMON...................
INFO: Duplicating machine state......
Reloading now as step 1 of the rommon upgrade process...
Toggling power on system board...
<ASA AUTO RELOAD>
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Sat 03/30/2019 7:00:46.51 by wchen64
Current image running: Boot ROM0
Last reset cause: RP-Reset
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000008
Active ROMMON: Preferred 0, selected 0, booted 0
Firmware upgrade step 2...
Detected current rommon upgrade is available, continue rommon upgrade process
Rommon upgrade reset 0 in progress
Reloading now as step 2 of the rommon upgrade process...
<ASA AUTO RELOAD>
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.18, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Tue 09/15/2020 20:35:13.52 by wchen64
Current image running: *Upgrade in progress* Boot ROM0
Last reset cause: BootRomUpgrade
DIMM Slot 0 : Present
INFO: Rommon upgrade state: ROMMON_UPG_START (1)
INFO: Reset code: 0x00000010
PROM B: stopping boot timer
Active ROMMON: Preferred 1, selected 1, booted 0
Looking for file 'disk0:asa5500-firmware-1118.SPA'
Located 'asa5500-firmware-1118.SPA' @ cluster 870063.
###########################################################################################
Image base 0x77008018, size 9241408
LFBFF signature verified.
Objtype: lfbff_object_rommon (0x800000 bytes @ 0x77008238)
Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x77808258)
INFO: Second time firmware update state: False
INFO: Rommon upgrade state: ROMMON_UPG_TEST
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Please manually or auto boot ASAOS now to complete firmware upgrade !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: bc:5a:56:81:d5:95
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds
<OUTPUT TRUNCATED>
Notice the ROMMON firmware version is now 1.1.18.
ciscoasa# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD24111234
sfr Unknown N/A JAD24111234
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 bc5a.5681.d595 to bc5a.5681.d59e 2.4 1.1.18 9.8(2)
sfr bc5a.5681.d594 to bc5a.5681.d594 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Init Not Applicable
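
The checks made by eye above (the hash and signature lines printed by upgrade rommon, and the Fw Version column of show module) can be scripted against a saved console log. This is an added example, not part of the original post or any Cisco tooling; the function names are hypothetical and the sample transcript is constructed in the format of the output shown here.

```python
import re

MIN_ROMMON = (1, 1, 18)      # minimum version the post says is required
H = "0123456789abcdef" * 2   # constructed 32-hex-digit chunk, not a real firmware hash
# Constructed transcript in the format of the console output shown in the post.
SAMPLE = "\n".join([
    "Computed Hash SHA2: " + H, H, H, H,
    "Embedded Hash SHA2: " + H, H, H, H,
    "Digital signature successfully validated",
    "Mod MAC Address Range Hw Version Fw Version Sw Version",
    "1 bc5a.5681.d595 to bc5a.5681.d59e 2.4 1.1.18 9.8(2)",
])

HASH_RE = re.compile(r"^(Computed|Embedded) Hash SHA2:\s*([0-9a-f]+)\s*$", re.I)
HEX_RE = re.compile(r"^\s*[0-9a-f]{32}\s*$", re.I)
# Module 1 row of the MAC/Hw/Fw/Sw table: "1 <mac> to <mac> <hw> <fw> <sw>"
FW_RE = re.compile(r"^\s*1\s+\S+ to \S+\s+\S+\s+(\d+(?:\.\d+)+)\s+\S+")

def parse_hashes(log):
    """Join each hash with the continuation lines the ASA wraps it onto."""
    hashes, current = {}, None
    for line in log.splitlines():
        m = HASH_RE.match(line)
        if m:
            current = m.group(1).capitalize()
            hashes[current] = m.group(2).lower()
        elif current and HEX_RE.match(line):
            hashes[current] += line.strip().lower()
        else:
            current = None
    return hashes

def fw_versions(log):
    """Every Fw Version seen for module 1, as integer tuples, in log order."""
    hits = (FW_RE.match(line) for line in log.splitlines())
    return [tuple(int(p) for p in m.group(1).split(".")) for m in hits if m]

def audit(log, minimum=MIN_ROMMON):
    h, fw = parse_hashes(log), fw_versions(log)
    return {
        # 128 hex digits = the full 512-bit value, so a truncated capture fails
        "hash_match": len(h.get("Computed", "")) == 128
                      and h.get("Computed") == h.get("Embedded"),
        "signature_ok": "Digital signature successfully validated" in log,
        # last show module in the log wins; tuples avoid "1.1.9" > "1.1.18"
        "rommon_ok": bool(fw) and fw[-1] >= minimum,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The embedded hash travels inside the file, so a match on its own only shows the file is consistent with itself; the signature line is what ties the image to the signer, which is why the audit reports the two separately.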