Cisco ASA recovery using ROMMON mode
Sadly enough, network equipment sometimes fails, and of course it happens when you’re least expecting it. In most cases that I’ve come across in my work, the story is the same: a Cisco ASA is unexpectedly powered down or reloaded (because of a planned or unplanned power outage, a thunderstorm, or work on electrical equipment), and after the reload the interfaces, VPN tunnels and other services don’t come back up. We’re not going to examine the situation in which the device does not power on at all and all the LED indicators are dead; in that case, replacing the device is the only viable option. Let’s focus instead on the situation where the Cisco ASA is still operable but does not boot fully, i.e. the Cisco IOS operating system image can’t load properly. In this case there is still a chance to revive the device, at least until you get a replacement.
The first thing to do is connect to the firewall through a console cable. If the firewall does not respond to any commands and produces no output on the console, you’ve reached the worst-case scenario: thank the device for its long and fruitful service and put it on a shelf. However, if you see some activity on the console, things are not that bad and you can try to work out what’s going on. The firewall may have entered the special ROMMON mode (under normal circumstances this mode is entered by pressing the ESC key during boot-up), or it may be stuck in a reboot loop as it repeatedly tries to load the operating system image.
The special ROMMON mode looks something like this:
Use ? for help.
Once you’re in this mode, you should try to force the device to start by entering the system command “boot”:
ROMMON #0> boot
Cisco ASA will try to load the operating system image located in the internal Flash memory. I can tell you right now that, in my years of practice, this has worked only once, when I got lucky and the device booted normally. Most of the time, if the firewall does not boot on its own, it will not boot from the boot command in ROMMON mode either.
In this case, let’s remember how Cisco devices work:
The operating system is located on some kind of nonvolatile memory and is loaded into RAM once, upon device boot-up. After that, the operating system works until the next reload. Flash memory is the most commonly used nonvolatile memory for storing the Cisco IOS (most likely you’re reading this article because it’s what went out of order), but you always have the option to specify some external resource that stores the IOS you need to load – for example, a TFTP server.
The task of recovering your firewall will come down to:
- installing a TFTP server on some workstation. Using a simple laptop will suffice.
- placing the relevant Cisco IOS on the TFTP server
- connecting one of the Cisco ASA interfaces directly to the workstation that has the TFTP server
- specifying that workstation as the IOS source and booting up the firewall with that image
In order to install TFTP server software, you simply need to download the install package, start the software, and copy the IOS image into the folder indicated in the software’s dialog box.
I suggest using the simple and free TFTPD. You can download it here.
The interface of the program is extremely straightforward and should not cause any difficulties.
Place the IOS file for your firewall into the C:\Program Files\Tftpd64 folder that is specified in the “Current Directory” field. It is strongly advised to use the same IOS that was on the device when it went out of order. Don’t use a newer version until you are sure that your firewall works fine.
Note a quirk of the TFTP server software interface: if the IP address of the laptop’s NIC is changed while the program is running, the “Server interfaces” field will still show the old address. Check this field and restart the TFTP server program if the value is incorrect. For our example we will use the address 192.168.1.2.
Next, we need to connect the laptop’s LAN interface to the Ethernet 0/0 interface of the firewall with a straight-through patch cord.
In the firewall’s console (ROMMON mode), enter the firewall’s own IP address (ADDRESS), the interface to use (PORT), the TFTP server address (SERVER) and the operating system image file name (IMAGE).
When entering the commands in ROMMON mode, you have to enter them in full – no abbreviations or short versions are available.
rommon #1> ADDRESS=192.168.1.1
rommon #2> PORT=Ethernet0/0
rommon #3> SERVER=192.168.1.2
rommon #4> IMAGE=asa803-k8.bin
In this example the Cisco ASA firewall and the laptop with TFTP server software are directly connected to each other, so there is no need to specify the default gateway. However, if the corporate network is available, you can install the TFTP server on any network workstation and specify the default gateway (GATEWAY) and/or VLAN tag (VLAN) parameters in Cisco ASA‘s ROMMON:
rommon #5> GATEWAY=X.X.X.X
rommon #6> VLAN=Y
Enter the IP address for the default gateway of your network instead of X.X.X.X. Enter the VLAN tag for your VLAN instead of Y.
You can check the values that you entered using the “set” command:
rommon #7> set
The availability of the TFTP server is checked with the “ping server” command:
rommon #8> ping server
Once you’ve ensured that the workstation with TFTP server software and Cisco ASA firewall are connected and configured correctly, enter the command “tftp” to start the process of loading the IOS:
rommon #9> tftp
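A “ping server” only proves the workstation answers ICMP; it does not prove the TFTP service is up, listening on the right interface, or serving a file whose name matches IMAGE exactly. The check below is added example code, not part of the article and not Tftpd64’s own software: a small RFC 1350 TFTP read client that fetches the image the same way the ASA will (octet mode, 512-byte blocks, per-transfer port), plus a tiny loopback server so the script runs offline against a constructed stand-in file. The file name asa803-k8.bin is taken from the article; the stand-in bytes, the loopback addresses and the helper names are assumptions. To check a real setup, run tftp_fetch() from a second machine against the workstation address (192.168.1.2 in the article) on UDP port 69 with the IMAGE name, and compare the SHA-256 with that of the file you placed in the TFTP folder.

```python
import hashlib
import os
import socket
import struct
import tempfile
import threading

# RFC 1350 opcodes and block size (octet mode only, no option negotiation).
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(pkt):
    """Return (filename, mode) from an RRQ packet; raise on anything else."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OP_RRQ:
        raise ValueError("not a read request")
    filename, mode = pkt[2:].split(b"\0")[:2]
    return filename.decode(), mode.decode().lower()


def tftp_fetch(server, port, filename, timeout=3.0):
    """Download filename from server:port (real servers listen on UDP 69) and return its bytes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (server, port))
    data, expected, peer = bytearray(), 1, None
    try:
        while True:
            pkt, src = sock.recvfrom(4 + BLOCK_SIZE)
            if peer is None:
                peer = src          # the server replies from a fresh port: the transfer TID
            elif src != peer:
                continue            # stray packet from another TID; ignore it
            opcode, arg = struct.unpack("!HH", pkt[:4])
            if opcode == OP_ERROR:
                raise RuntimeError("TFTP error %d: %s" % (arg, pkt[4:].rstrip(b"\0").decode(errors="replace")))
            if opcode != OP_DATA:
                continue
            if arg != expected:
                if arg < expected:  # duplicate block: re-acknowledge so the server moves on
                    sock.sendto(struct.pack("!HH", OP_ACK, arg), peer)
                continue
            payload = pkt[4:]
            data += payload
            sock.sendto(struct.pack("!HH", OP_ACK, arg), peer)
            if len(payload) < BLOCK_SIZE:   # a short block ends the transfer
                return bytes(data)
            expected += 1
    finally:
        sock.close()


def serve_one_request(directory, ready, bound):
    """Tiny single-request TFTP server on 127.0.0.1, ephemeral port (assumed helper, offline use only)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # separate socket = new TID per RFC 1350
    try:
        listener.bind(("127.0.0.1", 0))
        bound.append(listener.getsockname()[1])
        ready.set()
        listener.settimeout(5.0)
        xfer.settimeout(5.0)
        pkt, client = listener.recvfrom(1024)
        filename, mode = parse_rrq(pkt)
        path = os.path.join(directory, os.path.basename(filename))  # basename: serve only from the folder
        if mode != "octet" or not os.path.isfile(path):
            xfer.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            return
        with open(path, "rb") as fh:
            block = 1
            while True:
                chunk = fh.read(BLOCK_SIZE)
                xfer.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
                ack, _ = xfer.recvfrom(4)
                if struct.unpack("!HH", ack) != (OP_ACK, block):
                    return      # unexpected ACK; a production server would retransmit instead
                if len(chunk) < BLOCK_SIZE:
                    return
                block += 1
    finally:
        listener.close()
        xfer.close()


def fetch_from_local_server(directory, filename):
    """Start the loopback server for one request and fetch filename from it."""
    ready, bound = threading.Event(), []
    t = threading.Thread(target=serve_one_request, args=(directory, ready, bound), daemon=True)
    t.start()
    ready.wait(3.0)
    try:
        return tftp_fetch("127.0.0.1", bound[0], filename)
    finally:
        t.join(5.0)


def self_check():
    """Serve a constructed stand-in image locally, fetch it back, and compare hashes."""
    image = bytes(range(256)) * 5 + b"constructed stand-in image"  # 1306 bytes: 2 full blocks + 1 short
    results = {"size": len(image)}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "asa803-k8.bin"), "wb") as fh:
            fh.write(image)
        fetched = fetch_from_local_server(tmp, "asa803-k8.bin")
        results["fetched_size"] = len(fetched)
        results["hash_matches"] = hashlib.sha256(fetched).digest() == hashlib.sha256(image).digest()
        try:  # a name that differs from the file on disk must fail, just as a wrong IMAGE= would
            fetch_from_local_server(tmp, "asa-wrong-name.bin")
            results["missing_file_rejected"] = False
        except RuntimeError:
            results["missing_file_rejected"] = True
    return results


if __name__ == "__main__":
    print(self_check())
```

The client deliberately mirrors what the ASA’s ROMMON loader does: it sends the request to the server’s listening port, then follows whichever port the server answers from for the rest of the transfer. If this fetch fails from another host on the same segment, the firewall’s tftp command will fail the same way, so fix the server (wrong interface binding, wrong folder, firewall on the laptop, file name mismatch) before reloading the device.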
Even if your device loads successfully, I still suggest that you work on finding a replacement, since its reliability is now questionable.
To emphasize one more time: this article describes an emergency recovery of a Cisco ASA device and the success of the procedure depends on how badly the device’s components are damaged. Everything laid out in this article will 100% work if the hardware is intact.
This article was written by Alexey Yurchenko