08 July 2011, Posted By: Gom Jabbar
Configure factory-default command on different versions of the Cisco ASA OS

If you run a configure factory-default command on your ASA, this tells the ASA to overwrite its running config with a factory default configuration. Specifically, the ASA wipes the existing running config and then executes a series of commands that bring the ASA to the factory default configuration. The factory default does not include a boot system [image] config, so the ASA will boot using the first image file it finds on disk. If that first image file is a different version of the OS than the one currently loaded, you may get errors during boot, because the factory default config generated by the current OS may contain lines of config that the other OS does not understand: the command set usually differs between versions of the ASA OS.

For example, I had an ASA running Version 8.4(1). I ran configure factory-default and this is the screen output, showing the series of commands that were automatically executed by the configure factory-default command.


ciscoasa(config)# configure factory-default

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: y

Then I bounced the ASA. It loaded the first boot image on the disk, which happened to be ASA Version 7.2(2). This is part of the output during the boot process:

Configuration Compatibility Warning:
The version 8.4(1)0 configuration may contain syntax that is
not backward compatible with the 7.2(2) image that is loaded.

*** Output from config line 4, "ASA Version 8.4(1) "

subnet 0.0.0.0 0.0.0.0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " subnet 0.0.0.0 0.0.0.0"

nat (inside,outside) dynamic interface
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 50, " nat (inside,outside) dy..."

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 55, "timeout sip-provisional-..."

timeout tcp-proxy-reassembly 0:01:00
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 56, "timeout tcp-proxy-reasse..."

dynamic-access-policy-record DfltAccessPolicy
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 57, "dynamic-access-policy-re..."

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 62, "snmp-server enable traps..."

threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, "threat-detection basic-t..."

threat-detection statistics access-list
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 73, "threat-detection statist..."

no threat-detection statistics tcp-intercept
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 74, "no threat-detection stat..."
.
inspect ip-options
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 101, "  inspect ip-options "

The ASA just ignores the lines that it does not understand. If you compare the startup config and the running config, you will find that the lines which coughed up errors during boot are missing from the running config.

In my example, the factory default config generated by ASA Version 8.4(1) included these lines, which were not understood by Version 7.2(2) of the OS:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any
 nat (inside,outside) dynamic interface
!
timeout sip-provisional-media 0:02:00
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
!
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
policy-map global_policy
 class inspection_default
  inspect ip-options
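Because the ASA drops the lines it does not understand without refusing to boot, the only record of what was lost is the scrolling boot output and the difference between the startup and running configs. The following Python script, added here as an example and not part of the original post or of any Cisco tooling, reconciles the two: it extracts the rejected lines from the "*** Output from config line N" trailers that follow each ERROR in the boot log, diffs a startup config against a running config, and reports dropped lines with no matching boot error (the output scrolled off, or a parent command was rejected along with its children) as well as boot errors for lines that are still present. The boot log and both configs are constructed from the lines shown above, not captured from a device; the matching is by line text only, which is a simplification of how the ASA applies context-dependent commands.

```python
import re

# Added example, not from the original post or from Cisco: reconcile the
# "Invalid input" errors an ASA prints at boot with a diff of the startup and
# running configs, so silently dropped config lines do not go unnoticed.

OUTPUT_MARKER = re.compile(r'^\*\*\* Output from config line (\d+), "(.*)"\s*$')


def parse_rejected_lines(boot_log):
    """Return [(config_line_number, text)] for every startup-config line the
    ASA rejected while loading. The ASA prints the command, a '^' marker and
    an 'ERROR:' line, then a '*** Output from config line N, "..."' trailer.
    The trailer also follows non-error output (the compatibility warning),
    so only trailers preceded by an ERROR line count. Long commands are
    truncated with '...' inside the trailer."""
    rejected, saw_error = [], False
    for line in boot_log.splitlines():
        m = OUTPUT_MARKER.match(line)
        if m:
            if saw_error:
                rejected.append((int(m.group(1)), m.group(2).strip()))
            saw_error = False
        elif line.startswith("ERROR:"):
            saw_error = True
    return rejected


def normalize(config):
    """Config lines stripped of indentation, minus blanks, '!' separators and
    the 'ASA Version' banner, which legitimately differs between images."""
    lines = []
    for raw in config.splitlines():
        s = raw.strip()
        if s and not s.startswith("!") and not s.startswith("ASA Version"):
            lines.append(s)
    return lines


def missing_from_running(startup, running):
    """Startup-config lines absent from the running config, deduplicated and
    in startup order. Matching is by text only, so a line dropped in one
    context but kept in another is not flagged."""
    present = set(normalize(running))
    seen, dropped = set(), []
    for line in normalize(startup):
        if line not in present and line not in seen:
            seen.add(line)
            dropped.append(line)
    return dropped


def _same_command(rejected_text, dropped_line):
    # The boot trailer truncates long commands with '...'; match on the prefix.
    if rejected_text.endswith("..."):
        return dropped_line.startswith(rejected_text[:-3])
    return dropped_line == rejected_text


def reconcile(boot_log, startup, running):
    """Cross-check both sources. 'unexplained': dropped lines with no boot
    error (scrolled off, or rejected together with a parent command).
    'unmatched': boot errors whose line is still in the running config."""
    rejected = parse_rejected_lines(boot_log)
    dropped = missing_from_running(startup, running)
    unexplained = [d for d in dropped
                   if not any(_same_command(r, d) for _, r in rejected)]
    unmatched = [r for _, r in rejected
                 if not any(_same_command(r, d) for d in dropped)]
    return {"rejected": rejected, "dropped": dropped,
            "unexplained": unexplained, "unmatched": unmatched}


# Constructed sample data, assembled from the lines shown in the post.
BOOT_LOG = """Configuration Compatibility Warning:
The version 8.4(1)0 configuration may contain syntax that is
not backward compatible with the 7.2(2) image that is loaded.

*** Output from config line 4, "ASA Version 8.4(1) "

subnet 0.0.0.0 0.0.0.0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " subnet 0.0.0.0 0.0.0.0"

nat (inside,outside) dynamic interface
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 50, " nat (inside,outside) dy..."

threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, "threat-detection basic-t..."
"""
STARTUP_CONFIG = """ASA Version 8.4(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any
 nat (inside,outside) dynamic interface
!
threat-detection basic-threat
threat-detection statistics access-list
http server enable
"""
RUNNING_CONFIG = """ASA Version 7.2(2)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
"""

if __name__ == "__main__":
    for key, value in reconcile(BOOT_LOG, STARTUP_CONFIG, RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the text of `show startup-config` and `show running-config` captured after the reload, plus the console output from the boot; anything listed under "unexplained" or "unmatched" is a line whose fate you should confirm by hand before deciding between the two remedies described below.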

When I run the configure factory-default command from ASA Version 7.2(2), the series of commands that are executed is slightly different:

ciscoasa# conf t
ciscoasa(config)# configure factory-default

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: global (outside) 1 interface
INFO: outside interface address added to PAT pool
Executing command: nat (inside) 1 0 0
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.2-192.168.1.33 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

Now if I save the factory default config from ASA Version 7.2(2), and then specify a boot system image of ASA Version 8.4(1), the next time the ASA reloads it will boot up with ASA Version 8.4(1), with the factory default config generated by ASA Version 7.2(2).

These commands are in the startup config, so every time you boot up in a different OS, these commands will be loaded (and the ASA will cough up an error for each line that the loaded OS does not understand).

To remove the errors, you can do one of two things:

  1. Get the ASA to load the desired image during boot, and then do a copy run start. This overwrites the startup config (generated by configure factory-default under the other OS) with the running config, into which only the commands understood by the loaded OS were loaded. Or,
  2. Get the ASA to load the desired image during boot, and then do a configure factory-default and save. This generates a startup config under the desired OS, containing only the commands that the desired OS knows about.

Additional Information:

Configure factory-default command in the Cisco ASA 8.4 Command Reference.

Boot command in the Cisco ASA 8.4 Command Reference.