
Hi guys,

 

Long story short, a few days ago I couldn't ssh to my firewall so I thought I can restart and it should work but after the restart it started hanging and I couldn't do anything, so I got into rommon mode and erased everything from flash thinking the image is probably corrupted and I can restore a new image from tftp and then copy my configuration and everything will be fine again, BUT I was never more wrong. lol

 

Now I can transfer the image but when it tries to load the image it just hangs and nothing happens. I thought of trying another flash but the same thing and if it had another hardware problem it wouldn't boot into rommon mode, or am I wrong here? So I thought of posting here and probably some of you know what the problem might be as I am clueless and I need my firewall back :(


May have to go inside and take a look around, you may have some damage to the board or power supply causing issues (similar to a computer with exploded capacitors). If this is the case, hopefully you have a backup config and can get a new one in there quick/have smartnet on it.

I actually opened it but didn't find anything wrong or there was not much to look at. Nope, there is smartnet on it so either I fix this or buy another one. :(

 

As for backup I have backed it up when I upgraded to 2.1 which now supports BGP, not that I will ever be using it at home. :D

No there was only the one I was using and I don't usually keep the old firmwares, which in my case now was a big mistake. I should have had two images in case one is corrupted it could boot from the other one, but you learn from your mistakes. There is nothing in the flash now as I wiped it out so it doesn't boot. I just tried to change the RAM but still having the same problems.

 

Here is the output:

tftp asa903-k8.bin@10.2.2.150 via 10.2.2.150
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (the rest is cut)

Launching TFTP Image...

The other day I left it for more than 10 hours and nothing happened and no I didn't know that actually.

 

EDIT: I got this now after 30 min:

i2c_read_byte_w_wait() error, slot = 0x0, device = 0xa0, address = 0 byte count = 1. Reason: I2C_HOST_BUSY_ERROR
platform_init_from_idprom: i2c_error 5

Cisco Security Appliance admin loader (3.0) #0: Fri Jul 19 16:38:00 PDT 2013

Edit 1: I found this and I guess I have to look for a replacement. :(

https://supportforums.cisco.com/discussion/11000121/my-asa-5505-dead

You are right and I can buy a used one too for that. Anyway, I found this and it seems this is only for 10 users and mine has security plus which means I will pay more for the smartnet. :/

 

http://www.ithsc.com/ciscohardwaremaintenance/SMARTnet-8x5xNBD-CON-SNT-AS5BUNK9-153-p-154968.html

Yeah. We have a used one at the office 5510 that we don't use now. I will talk to my boss and see if I can have it or borrow it (forever) lol

Let me get this right, it's about one year old and it's dead already?
There is no excuse for that other than incredibly ###### poor build quality or cheap-as-crap parts.

RMA it and get a refund if you can. That'd stop me ever using cisco again.

  On 12/06/2014 at 18:43, n_K said:

Let me get this right, it's about one year old and it's dead already?

There is no excuse for that other than incredibly ###### poor build quality or cheap-as-crap parts.

RMA it and get a refund if you can. That'd stop me ever using cisco again.

wow talk about a way to overreact to something that could be a simple flaw any hardware device could have... could be as simple as a tftp boot loader issue... which they can't fix on site without the right equipment... consumer level devices can usually fix that stuff with JTAG's but at the cisco and other enterprise level tis a lot harder to do

  On 12/06/2014 at 19:02, neufuse said:

wow talk about a way to overreact to something that could be a simple flaw any hardware device could have... could be as simple as a tftp boot loader issue... which they can't fix on site without the right equipment... consumer level devices can usually fix that stuff with JTAG's but at the cisco and other enterprise level tis a lot harder to do

It's not though, the error indicates there's an I2C problem (2 wire data transfer bus) with what looks like an ID ROM... There is no excuse for a read only ROM via I2C to die within even 20 years. Dying within a single year is outright ridiculous.

  On 12/06/2014 at 19:30, n_K said:

It's not though, the error indicates there's an I2C problem (2 wire data transfer bus) with what looks like an ID ROM... There is no excuse for a read only ROM via I2C to die within even 20 years. Dying within a single year is outright ridiculous.

If you are reading in the cisco forums for device owners with active subscriptions, this is not an issue with a ROM, and it can happen with a corrupted boot loader which is also upgraded during some firmware upgrades

Have you tried going back a few versions via RomMon? People seem to be hinting at going way back and trying that as working for them

 

also resetting any passwords that linger in cache via rommon seems to help for some users who get locked up

 

Seems like it's erase the flash, clear any disks, reload an old old image via romMon then boom it strangely works

I have used this for the last 4 years at least and specially this one was used by a customer of ours, and when they upgraded we got this back so I was allowed to take it home to use it.

 

I have tried several images old and new but no success. Erased the flash and almost did everything else but I didn't have any luck. I have posted in Cisco so let's see if they have other tricks, etc. In the meanwhile I am going to get another one from a close friend of mine and I don't have to pay for it. Yay :D

These are my notes for this kind of thing....

 

  Quote
Recover from a Damaged or Broken IOS, Using the Console Cable:
flash_init
load_helper
dir flash:
boot flash:c2950-i6k2l2q4-mz.121-22.EA13.bin
clear

 

 

In bold is whatever is in your Flash Mem but you said you wiped it. You might be SOL

Correct me if I am wrong but I think those commands don't work on ASA, but I will give it a try and let you know. :)

Without a Cisco support contract where did you get the image, have you tried comparing the MD5 hash for your image against those provided on the Cisco site?

I bought it from some guy. The image is not the problem here as I posted earlier this is a hardware problem:

https://supportforums.cisco.com/discussion/11000121/my-asa-5505-dead

I got my friend's ASA now and going to configure it.

 

I just want to write these simple steps for those who are looking for how to upload IOS image from Rommon, here is how you do it:

 

1. Reload ASA

2. Hit Esc

3. ADDRESS=10.1.1.1 (hit enter)

4. SERVER=10.1.1.10 (this should be your computer's IP)

5. GATEWAY= 10.1.1.0 (computer's IP)

6. IMAGE=asaxxx-xxx.bin (The image you want to use)

7. tftpdnld

Hit enter, the ASA will start uploading the image from the TFTP server which should be in your PC. After that it will load the image and you are done.

8. Reload (ASA will start reloading)

After this, you have a working ASA with a new image.

 

If you forgot your password do the following:

1. Reload ASA

2. Hit Esc

3. confreg 0x41 (see what your current configuration register is and write it down somewhere, as you are going to need it later on; it is usually 0x1 = 0x00000001)

4. reset (it will restart)

Log in; you won't be needing any password as you just reset it.

5. Copy startup-config running-config

6. Change your password

7. Config register 0x1 or whatever your register was before changing it.

8. Reload and login with the password you just changed, you are done!

 

Hope this helps someone. :)
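A pre-flight check for the TFTP upload steps above, following the earlier question in the thread about comparing the image's MD5 against the published value. This is an added example, not part of any post; the function names are hypothetical, the sample file is constructed, and accepting SHA-512 as well as MD5 is an assumption that goes beyond what the thread mentions.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
# MD5 is what the thread mentions; SHA-512 is accepted as a stronger option.
ALGO_BY_HEX_LEN = {32: "md5", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never held in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published_hex):
    """Return (ok, algo, actual_hex); raise ValueError for a malformed published value."""
    expected = published_hex.strip().lower().replace(":", "").replace(" ", "")
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not an MD5 or SHA-512 hex digest")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


def demo():
    """Constructed stand-in for an image in a TFTP root; not a real ASA image."""
    data = b"constructed sample image bytes\n" * 1000
    with tempfile.TemporaryDirectory() as tftp_root:
        image = os.path.join(tftp_root, "asaxxx-xxx.bin")
        with open(image, "wb") as f:
            f.write(data)
        published = hashlib.md5(data).hexdigest()
        good = verify_image(image, published.upper())[0]
        # Overwrite the first byte to simulate a corrupted or altered file.
        with open(image, "r+b") as f:
            f.write(b"X")
        bad = verify_image(image, published)[0]
    return good, bad


if __name__ == "__main__":
    print(demo())
```

TFTP itself gives no integrity or authenticity guarantee, so the check belongs on the PC before the file goes into the TFTP root. An MD5 match rules out a damaged file; where a SHA-512 value is available for the image, compare that instead.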
