Cisco ASA – Full recovery

While trying to perform a password recovery on a Cisco ASA, I noticed that the password recovery feature was disabled on the appliance. Without the password recovery feature enabled, you can recover the Cisco ASA, but the file system will be wiped completely.

During the boot of the Cisco ASA you need to press ESC to enter rommon and you will receive the following warning.

WARNING:  Password recovery and ROMMON command line access has been
disabled by your security policy.  Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be downloaded via ROMMON.

Erase all file systems? y/n [n]: y

Permanently erase Disk0: and Disk1:? y/n [n]: y

All data from disk0: will be erased after which you will gain access to the rommon of the appliance. To perform the full recovery you need to enter the following commands:

rommon #0> interface <interface id>
rommon #1> address <IP address>
rommon #2> file <image name>
rommon #3> server <IP address TFTP server>
rommon #4> tftp

The new image will be loaded to the Cisco ASA appliance and the appliance will boot with its default configuration. After the Cisco ASA is booted you have to format disk0:. When you issue the show disk0: command before the format, you will notice that there is no free space on the disk. After the format you need to upload the appropriate ASA and ASDM image.

Be aware that after performing a full recovery the previous VPN-3DES-AES activation keys and other licenses will be lost. You can get a new activation key at

XMODEM recovery speed

Configuring switches and routers is regular work for me. But if I would like to configure a switch or a router, I have to be able to boot the specific device… Today I had to configure some new Cisco Catalyst 3650(E) and 3750 switches. In total I had 16 switches to configure, but three of them didn’t have any IOS image in flash and weren’t able to boot.

I have never seen this before. The switches aren’t refurbished, at least that is what the customer told me. At first I didn’t see any problem, because I wanted to upload an image from rommon through TFTP. After accessing rommon, I noticed that the Catalyst 3560 and 3750 don’t support TFTP upload in rommon. This leaves an XMODEM transfer as the only available option.

The image I wanted to upload was approximately 10 MB, and uploading with XMODEM at a baud rate of 9600 bps isn’t really fast. I had only one laptop to use, so it would take a whole day to upload the correct image into the three switches. Because I had only one COM port, I wasn’t able to configure anything.

I wanted to speed up my XMODEM transfer to buy some time and I found a way. At the switch prompt I set the baud rate to 115200:

switch: set BAUD 115200

Next I reconfigured my terminal (TeraTerm) to use the new baud rate of 115200. I started the XMODEM recovery procedure:

switch: copy xmodem: flash:c3560-ipbasek9-mz.122-50.SE.bin

I was satisfied while looking at the transfer rate. I had some time to invite myself to a cappuccino and chat a little with the customer. The image was transferred in approximately 30 minutes. The last step in the recovery was setting the baud rate back to 9600, reconfiguring my terminal and booting the image:

switch: set BAUD 9600

switch: boot flash:c3560-ipbasek9-mz.122-50.SE.bin

It only took two hours to upload the correct IOS image to the three switches. Now I am set to start the configuration.