Loading a Boot Image onto the Cisco ASA 5505 in ROMMON Mode

There’s a 128 MB Compact Flash card that came pre-installed on my Cisco ASA 5505. I’ve swapped it out for an 8 GB Kingston card. Completely blank, FAT32 filesystem.

8 GB Kingston Compact Flash Card

I power on the ASA and it cycles endlessly through the boot process because it cannot find a boot image. I hook up my laptop to the Ethernet0/1 port of the ASA. Laptop has an IP address of 10.0.0.1 and I’ve enabled the TFTP server on that interface.

In the console session, I hit the ESCAPE key to get into ROMMON mode. So, what can you do in ROMMON mode if you do not have a boot image on flash?

You can erase the flash memory using the erase command. Although the Command Reference says that you can use the flash: argument, I found that the ASA 5505 only allowed me to use the disk0: argument or the all argument.

Fair warning, this will erase everything on the flash card; all your images, configs and license files, so back these up if you can. Also, the time required to erase an 8 GB flash drive is not inconsiderable. (Took about an hour for me.) As the console output starts writing dots on screen to denote progress, you foolishly expect it to be done in a couple of minutes, but no, the entire screen is soon full of dots. If you keep staring at the screen, you quickly lose any point of reference because previous commands are pushed offscreen by the cursor toddling from left to right, leaving dots in its wake. Like a reverse PacMan. Computer progress bars: the postmodern lava lamps of our generation. This one is so Lo Tek, it’s the sort of thing that keyboard cowboys in an early William Gibson novel would have onscreen on their Ono-Sendais as they break into some appropriately-sinister construct.


rommon #0> erase disk0:

About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y

Erasing Disk0:
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
...........................................................
--REDACTED--
rommon #1>

The help command will show you all the commands that are available in ROMMON mode, but you are probably gonna want to do just one thing: boot from an image that resides on a TFTP server.

So, you configure an IP address for an interface on the ASA and tell it what the TFTP server’s IP address is and where to find the boot image.


rommon #0> ADDRESS=10.0.0.2
rommon #1> SERVER=10.0.0.1
rommon #2> IMAGE=asa841-k8.bin
rommon #3> PORT=Ethernet0/1
Ethernet0/1
MAC Address: XXXX.XXXX.XXXX
Link is UP

The set command displays all configured variable settings.

rommon #4> set
ROMMON Variable Settings:
 ADDRESS=10.0.0.2
 SERVER=10.0.0.1
 GATEWAY=0.0.0.0
 PORT=Ethernet0/1
 VLAN=untagged
 IMAGE=asa841-k8.bin
 CONFIG=
 LINKTIMEOUT=20
 PKTTIMEOUT=4
 RETRY=20

Do a test ping to check if you can reach the TFTP server.

rommon #5> ping server
Sending 20, 100-byte ICMP Echoes to server 10.0.0.1, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)

And now we load the image using the tftp command.

tftp asa841-k8.bin@10.0.0.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--REDACTED--
Received 24938496 bytes

Launching TFTP Image...

Cisco Security Appliance admin loader (3.0) #0: Mon Jan 31 02:12:27 MST 2011
Platform ASA5505

Loading...
--REDACTED--
ciscoasa>

Now you are in the ASA prompt. There is no password because there is no config. If you reload at this point, you are back in the neverending boot cycle because no boot image has been copied onto the flash drive. As soon as the ASA reloads, it is back to square one. The ASA is Guy Pearce in Memento, but with fewer tattoos.

A dir /recursive command shows that a log file and 3 directories have been generated but there is no boot image saved on the flash drive. Now that you have an ASA with nothing configured on it, you can configure IP addresses and other settings and copy a boot image from the TFTP server to the local flash drive.

ciscoasa# dir /recursive

Directory of disk0:/*

2255   -rw-  196          01:12:30 May 20 2011  upgrade_startup_errors_201105200112.log
Directory of disk0:/coredumpinfo

2254   -rw-  59           01:12:30 May 20 2011  coredump.cfg

Directory of disk0:/crypto_archive

No files in directory

Directory of disk0:/log

No files in directory

0 bytes total (0 bytes free)
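
The copy step described above, written out as an ASA CLI session. This is an added example, not part of the original post: using Vlan1 as the inside interface, the /24 mask and reusing the ROMMON addresses are assumptions. TFTP is unauthenticated, so the hash check is what confirms that the file on flash is the image you meant to install.

```cisco
! Added example. Assumed: Vlan1 as the inside interface, a /24 mask,
! and the same addresses used in ROMMON (ASA 10.0.0.2, TFTP 10.0.0.1).
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# interface Vlan1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface Ethernet0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end
! Confirm the TFTP server is reachable from the running image.
ciscoasa# ping 10.0.0.1
! Copy the image to flash; a boot variable is useless without this file.
ciscoasa# copy tftp://10.0.0.1/asa841-k8.bin disk0:/asa841-k8.bin
! Check that the file landed, then compare its MD5 by eye with the
! value published on the vendor download page for this image.
ciscoasa# dir disk0:
ciscoasa# verify /md5 disk0:/asa841-k8.bin
! Point the boot variable at the file, save, and confirm before reloading.
ciscoasa# configure terminal
ciscoasa(config)# boot system disk0:/asa841-k8.bin
ciscoasa(config)# end
ciscoasa# write memory
ciscoasa# show bootvar
ciscoasa# reload
```

If dir still reports 0 bytes free, as in the output above, the copy cannot succeed and setting the boot variable will not help.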

Additional Information:

Erase command in the Cisco ASA 8.4 Command Reference.

Dir command in the Cisco ASA 8.4 Command Reference.

Using the ROM Monitor to Load a Software Image.

  • Mikkel Sørensen (http://twitter.com/mikkel_sorensen)

    Thanks, this article really saved my bacon, after I in my lack of ASA knowledge invoked the erase command and accidentally erased my flash (thought it would erase my config….which it did, I guess ;-))

  • gomjabbar

    LOL. Machines take everything so literally.

  • Fausto

    I have a problem with the ASA 5505. I did all the steps. I am stuck after downloading the image from the TFTP server… after the download, the ASA starts rebooting itself to load the image… but it never loads the image, for example ciscoasa>
    Where exactly is the problem? Hardware or software?

  • Mikkel Sørensen

    Hi Fausto

    I’m not trying to be an expert here, but I have learned a lot from my mistake…

    Have you enabled the image as the boot image?

    ciscoasa# config t
    ciscoasa(config)# boot system flash:/asa821-k8.bin

    Don’t forget to write memory and reload.

    The ASA should now boot the image and not go back into ROMMON (this happened to me a lot).

    /Mikkel

  • khan

    I followed your steps and got this reply:

    boot system flash:/asa845-k8.bin
    INFO: Converting flash:/asa845-k8.bin to disk0:/asa845-k8.bin
    WARNING : BOOT variable added, but unable to find disk0:/asa845-k8.bin

    After reload nothing changed. It’s behaving as before.
