If you run the configure factory-default command on your ASA, the ASA overwrites its running config with a factory default configuration. Specifically, it wipes the existing running config and then executes a series of commands that bring the ASA to the factory default state. The factory default does not include a boot system [image] line. This means the ASA will boot from the first image file it finds on disk0:. If that image is a different version of the OS than the one currently loaded, you may get errors during boot, because the factory default config generated by the current OS can contain lines that the other OS does not understand; the command set usually differs between versions of the ASA OS.
For example, I had an ASA running Version 8.4(1). I ran configure factory-default, and this is the screen output, showing the series of commands that the configure factory-default command executed automatically:
```
ciscoasa(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the system on the next reload.
Verify there is a valid image on disk0:/ or the system will not boot.
Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: y
```
Then I bounced the ASA. It loaded the first boot image on the disk, which happened to be ASA Version 7.2(2). This is part of the output from the boot process:
```
Configuration Compatibility Warning:
The version 8.4(1)0 configuration may contain syntax that is not backward compatible with the 7.2(2) image that is loaded.
*** Output from config line 4, "ASA Version 8.4(1) "
subnet 0.0.0.0 0.0.0.0
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " subnet 0.0.0.0 0.0.0.0"
nat (inside,outside) dynamic interface
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 50, " nat (inside,outside) dy..."
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 55, "timeout sip-provisional-..."
timeout tcp-proxy-reassembly 0:01:00
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 56, "timeout tcp-proxy-reasse..."
dynamic-access-policy-record DfltAccessPolicy
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 57, "dynamic-access-policy-re..."
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 62, "snmp-server enable traps..."
threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, "threat-detection basic-t..."
threat-detection statistics access-list
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 73, "threat-detection statist..."
no threat-detection statistics tcp-intercept
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 74, "no threat-detection stat..."
.
 inspect ip-options
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 101, " inspect ip-options "
```
The ASA simply ignores the lines it does not understand and keeps booting. If you compare the startup config with the running config, you will find that every line that produced an error during boot is absent from the running config. Note that these dropped lines include NAT and inspection policy, so the box is not running the policy its startup config describes; the boot errors are the only record of what was skipped, so check them (or diff the two configs) rather than assuming the saved config is in effect.
In my example, the factory default config generated by ASA Version 8.4(1) included these lines, which the 7.2(2) version of the OS did not understand:
```
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any
 nat (inside,outside) dynamic interface
!
timeout sip-provisional-media 0:02:00
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
!
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
policy-map global_policy
 class inspection_default
  inspect ip-options
```
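The comparison described above can be automated. The following Python script is an added example (not code from the original post or from Cisco): it pulls the rejected commands and their config line numbers out of the "Configuration Compatibility Warning" boot output, and separately diffs a saved startup config against the running config to list the lines that never took effect. The boot log and the two config fragments embedded below are constructed samples based on the lines shown in this post; the function and constant names are the example's own.

```python
"""Report ASA config lines that were rejected when a different image booted.

Added example, not from the original post. Two independent checks:
  parse_boot_errors()  - extract (config line number, command) pairs from the
                         "% Invalid input detected" errors in the boot output.
  dropped_lines()      - return startup-config lines missing from the running
                         config, which is what the post says you will see after
                         booting an image that does not understand them.
"""
import re

# Constructed sample: a fragment of the boot output shown in the post.
BOOT_OUTPUT = """\
Configuration Compatibility Warning:
The version 8.4(1)0 configuration may contain syntax that is not
backward compatible with the 7.2(2) image that is loaded.
*** Output from config line 4, "ASA Version 8.4(1) "
subnet 0.0.0.0 0.0.0.0
       ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 40, " subnet 0.0.0.0 0.0.0.0"
nat (inside,outside) dynamic interface
                     ^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 50, " nat (inside,outside) dy..."
threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 72, "threat-detection basic-t..."
"""

# Constructed sample: startup config saved under 8.4(1) ...
STARTUP_CONFIG = """\
ASA Version 8.4(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any
 nat (inside,outside) dynamic interface
!
threat-detection basic-threat
!
policy-map global_policy
 class inspection_default
  inspect ip-options
"""

# ... and the running config after the 7.2(2) image booted it (constructed).
RUNNING_CONFIG = """\
ASA Version 7.2(2)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
policy-map global_policy
 class inspection_default
"""

_CONFIG_LINE_HDR = re.compile(r"\*\*\* Output from config line (\d+),")


def parse_boot_errors(output):
    """Return [(line_no, command), ...] for each command the image rejected.

    The ASA prints the offending command, a caret line, the ERROR line, and
    then the "*** Output from config line N" header naming that line, so the
    command is the line just before the caret and N comes from the next header.
    """
    lines = output.splitlines()
    rejected = []
    pending = None
    for i, line in enumerate(lines):
        if i > 0 and re.fullmatch(r"\s*\^\s*", line):
            pending = lines[i - 1].strip()
            continue
        m = _CONFIG_LINE_HDR.match(line)
        if m and pending is not None:
            rejected.append((int(m.group(1)), pending))
            pending = None
    return rejected


def _normalize(config):
    """Strip indentation and drop blank lines and '!' separators."""
    out = []
    for line in config.splitlines():
        s = line.strip()
        if s and s != "!":
            out.append(s)
    return out


def dropped_lines(startup, running):
    """Startup-config lines (deduplicated, in order) absent from the running config."""
    present = set(_normalize(running))
    seen = set()
    dropped = []
    for line in _normalize(startup):
        if line not in present and line not in seen:
            seen.add(line)
            dropped.append(line)
    return dropped


if __name__ == "__main__":
    print("Rejected at boot:")
    for line_no, cmd in parse_boot_errors(BOOT_OUTPUT):
        print(f"  line {line_no}: {cmd}")
    print("In startup-config but not in running-config:")
    for cmd in dropped_lines(STARTUP_CONFIG, RUNNING_CONFIG):
        print(f"  {cmd}")
```

Two caveats for real use: the "ASA Version" line always differs between the two configs, and the ASA rewrites or reorders some lines when it loads them, so the config diff will show a few false positives; the boot-log parse is the authoritative list of what was rejected. Feed it the console capture from the reload, since that output is not kept in the running config.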
When I run the configure factory-default command from ASA Version 7.2(2), the series of commands that is executed is slightly different:
```
ciscoasa# conf t
ciscoasa(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the system on the next reload.
Verify there is a valid image on disk0:/ or the system will not boot.
Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: global (outside) 1 interface
INFO: outside interface address added to PAT pool
Executing command: nat (inside) 1 0 0
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.2-192.168.1.33 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#
```
Now, if I save the factory default config from ASA Version 7.2(2) and then specify a boot system image of ASA Version 8.4(1), the next time the ASA reloads it will boot Version 8.4(1) with the factory default config that Version 7.2(2) generated.
These commands are in the startup config, so every time you boot a different OS, the same commands are loaded again, and the ASA will cough up an error for each line that the loaded OS does not understand.
To get rid of the errors, you can do one of two things:
- Get the ASA to load the desired image during boot, and then do a copy run start. This overwrites the startup config (generated by configure factory-default under the other OS) with the running config, which contains only the commands the loaded OS understood. Or,
- Get the ASA to load the desired image during boot, and then run configure factory-default and save. This generates a startup config under the desired OS, containing only the commands that OS knows about.
Additional Information:
Configure factory-default command in the Cisco ASA 8.4 Command Reference.
Boot command in the Cisco ASA 8.4 Command Reference.