Cisco ASA 5500-X Series Next-Generation Firewalls

Field Notice: FN - 62378 - ASA Hardware and Software Compatibility Issue Due to a Component Change


April 17, 2006

April 7, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product       Comments
ASA5510-K8    ASA 5500 Series Adaptive Security Appliances
ASA5520-K8    ASA 5500 Series Adaptive Security Appliances
ASA5540-K8    ASA 5500 Series Adaptive Security Appliances

Problem Description

Some ASA units will produce the error message "No BIOS flash found" followed by a reboot when loaded with incompatible software versions. See the Workaround/Solution section for detailed software/hardware compatibility information.

* ASA units which do not have the new boot flash installed will not have any software/hardware compatibility issues caused by this component change.

Background

A new boot flash has been introduced on ASA models shipping from Cisco as of April 5, 2006. This new boot flash requires a minimum software revision level. Units shipped with the new boot flash have the minimum software revision already installed. However, if such a unit has its software downgraded in the field, the ASA unit will produce an error message and enter into a reboot state. ASA units which do not have the new boot flash installed will not have any software/hardware compatibility issues caused by this component change. See the How to Identify Hardware Levels section of this Field Notice to identify if your ASA unit(s) has the new flash device installed.

Problem Symptoms

If an ASA unit with the new boot flash installed has its software downgraded to an incompatible software version, the ASA unit will produce an error message from the console before rebooting.

The failure occurs early in the operational image initialization process. The "No BIOS flash found" error message appears, followed by a reboot. The following is an example of the error message:

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(9)0) #0: Thu Feb 3 12:18:05 PST 2005

Platform ASA5520

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 2 entries.


Loading disk0:/asa701-k8.bin... Booting...
############################################################
512MB RAM

Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: 000f.f775.5599
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
No BIOS flash found.



Rebooting....


Booting system, please wait...

Workaround/Solution

Workaround:

If an affected ASA unit (the affected serial number range is provided in the How to Identify Hardware Levels section of this field notice) is downgraded, and the unit exhibits the symptoms described in this field notice, the following steps can be taken to recover from the reboot state, by loading a new image on the unit:

Step 1: Hit BREAK or ESC to interrupt the boot process, and enter ROMMON mode.

Step 2: From ROMMON mode, TFTP a new image, which supports the newer boot flash, to the ASA unit.

Below is an example of loading a new image from the TFTP server.

rommon #0>
rommon #0> PORT=GigabitEthernet0/3
GigabitEthernet0/3
Link is UP
MAC Address: 000f.f775.585d

rommon #1> ADDRESS=10.10.10.83
rommon #2> SERVER=10.10.20.123
rommon #3> GATEWAY=10.10.10.1
rommon #4> IMAGE=auto/tftpboot/user/asa712-k8.bin
rommon #5> tftp
ROMMON Variable Settings:
ADDRESS=10.10.10.83
SERVER=10.10.20.123
GATEWAY=10.10.10.1
PORT=GigabitEthernet0/3
VLAN=untagged
IMAGE=auto/tftpboot/user/asa712-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=2
RETRY=20

tftp auto/tftpboot/user/asa712-k8.bin@10.10.20.123 via 10.10.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Solution:

Support for the new flash device is added in maintenance releases 7.1(2) and 7.0(5). It will also be included in the 7.2(1) release. Customers on the 7.0 train who cannot wait for the 7.0(5) release to be available may upgrade to the 7.0.4.12 (or later) interim release, which also includes support for this new boot flash. The ASA software can be found at the Cisco Adaptive Security Appliance Software Download (registered customers only) page.

Customers whose internal policy requires software to be certified before it is deployed to the network are advised to certify a current version of the ASA software to aid in this transition if needed.

How To Identify Hardware Levels

The affected units can be identified by serial number. The serial number of a unit can be found by entering the show version command in user EXEC mode at the command line interface, or on the back of the chassis in the upper right corner.

There are two groups of serial numbers that are affected by this problem. The following describes the details:

  1. The first group of affected units has serial numbers in the format JAB-XXXX-YYYY, where the XXXX value is greater than or equal to 1014. If XXXX equals 1014, then YYYY must also be greater than or equal to 00TP. Numbers are used first, followed by letters. In other words, the range of each digit is in ascending order [0-9][A-Z]. For example, 0011 is not affected whereas 00U3 is affected.

  2. All unit serial numbers that start with JSH are affected by this issue.

ASA units produced before April 5, 2006 will have serial numbers that do not fall in the above range and are not affected by this problem.
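
The serial-number rule above and the minimum releases from the Solution section can be combined into a pre-change check. The following is an added example, not Cisco code: the function names and the inventory are constructed, hyphens in serials are assumed optional, and trains the notice does not mention are reported as unknown.

```python
import re

# Minimum release per train that supports the new boot flash, taken from the
# Solution section: 7.0.4.12 interim (7.0(5) maintenance), 7.1(2), 7.2(1).
MIN_RELEASE = {(7, 0): (7, 0, 4, 12), (7, 1): (7, 1, 2), (7, 2): (7, 2, 1)}


def has_new_boot_flash(serial):
    """True if the serial falls in either affected group of the notice."""
    s = serial.strip().upper().replace("-", "")  # assumption: hyphens optional
    if s.startswith("JSH"):
        return True  # group 2: every JSH serial is affected
    m = re.fullmatch(r"JAB([0-9A-Z]{4})([0-9A-Z]{4})", s)
    if not m:
        return False  # not a serial format the notice lists
    # ASCII sorts digits before letters, matching the notice's [0-9][A-Z]
    # ordering, so equal-length fields compare correctly as plain strings.
    return (m.group(1), m.group(2)) >= ("1014", "00TP")


def supports_new_boot_flash(version):
    """True/False for the 7.0, 7.1 and 7.2 trains; None for any other train."""
    v = tuple(int(n) for n in re.findall(r"\d+", version))
    minimum = MIN_RELEASE.get(v[:2])
    return None if minimum is None else v >= minimum


def downgrade_check(serial, target_version):
    """Classify a planned software change for one unit."""
    if not has_new_boot_flash(serial):
        return "ok: serial outside affected range"
    supported = supports_new_boot_flash(target_version)
    if supported is None:
        return "unknown: train not covered by the notice"
    if supported:
        return "ok: image supports the new boot flash"
    return "block: expect 'No BIOS flash found' and a reboot"


if __name__ == "__main__":
    # Constructed inventory: (serial, image version planned for the unit).
    planned = [("JAB-1014-0011", "7.0(1)"), ("JAB-1014-00U3", "7.0(1)"),
               ("JAB-1014-00TP", "7.0.4.12"), ("JSH-0000-0001", "7.1(1)")]
    for serial, version in planned:
        print(serial, version, "->", downgrade_check(serial, version))
```
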

Revision History

Revision   Date          Comment
1.1        17-APR-2006   Updated the How to Identify Hardware Levels section.
1.0        07-APR-2006   Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.