Cisco ASA license gone!?
Today I experienced a failure during an upgrade of an ASA5505 which resulted in my Cisco ASA license disappearing. The ASA complained about error writing to flash.
%Error opening disk0:/.private/startup-config (Read-only file system) Error executing command [FAILED]
After searching on the Cisco site, they recommend fixing it by formatting the flash.
BUT!!! They didn’t warn you about the consequences of formatting the flash. My Cisco ASA license went missing right after the reboot!
So here’s what I encountered and how the problem was resolved.
First of all, when you experience this message, it means that the flash file system has encountered some issues and that it is mounted as read only. This causes the ASA to be unable to write anything to flash which includes your startup-config. A copy run start will result in the above error message.
First thing you should try is to reboot the device. This should fix the issue 90% of the time. However, if you listened to Cisco and formatted your flash, you’ll notice that doesn’t fix the issue. You are still unable to write anything to disk and now you are forced to reboot.
The file system still appears to be loaded with the current files. Upon rebooting, you will then notice that your files have disappeared, the appliance will be unable to boot, and it will be stuck with this output.
You are now forced to boot up using rommon and load the image via tftp.
Step1: Connect to the ASA firewall using a console cable.
Step2: Power off the appliance and then power it on.
Step3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.
Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC running a TFTP server to a firewall port (e.g. Ethernet0/0). Then enter the following commands on the ASA.
rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0
rommon #6> tftp
Once that’s complete and you have now loaded the image, you can proceed to recover and load the saved configuration file.
However, that’s not the end of the story. When you format the flash, it also ERASES your Cisco ASA LICENSE KEY! This causes the ASA to default to the base level license, which restricts your device to a limited number of devices, VLANs and a restricted DMZ (providing you are using an ASA5505 – varies depending on setup). When you try to copy and paste your config again on to the screen you will be unable to activate more than 3 VLANs.
Issuing a “sh ver” will confirm that.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
How to recover your Cisco ASA license? Answer: Cisco Website!
So what next? You don’t remember your license key and you’re stuck in a data center scrambling to figure out what to do.
Fear not! Cisco has a license key generator/recovery tool right on their website.
Visit http://www.cisco.com/go/license to retrieve your license
Under Licenses not requiring a PAK, select click here for available licenses.
Then under security products select Cisco ASA 3DES/AES license
Once that’s done, fill in your device serial number which can be found by issuing the sh ver command and submit the form. Cisco will send you an email with your Cisco ASA license almost instantaneously!
Then enter the activation key using the following command:
pix(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
The activation key is of course different for each device and is based on the device’s serial number.
Once that’s done, verify that your license is now updated by issuing a sh ver.
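If you have more than one ASA to check after an incident like this, it helps to script the sh ver comparison rather than eyeball it. The following is an added example, not code from the original post: it parses the “Licensed features for this platform” block of show version output and reports whether the device is still on the Base license or is missing features you expect. The sample output is a constructed transcript modelled on the Base-license listing above, and the expected feature values are assumed Security Plus values for illustration; adjust them to the license you actually own.

```python
"""Check a Cisco ASA 'show version' license block for a fallback to the Base license.

Added example, not code from the original post. SAMPLE_SHOW_VERSION is a
constructed transcript modelled on the Base-license listing in the post, and
EXPECTED_FEATURES holds assumed Security Plus values used only for illustration.
"""
import re

# Constructed sample: license block of an ASA5505 that has reverted to the
# Base license after the flash was formatted.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 50
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.
"""

# Assumed values for the license you expect after re-entering the activation key.
EXPECTED_FEATURES = {
    "VLANs": "20",
    "Inside Hosts": "Unlimited",
    "Failover": "Active/Standby",
    "Dual ISPs": "Enabled",
    "VLAN Trunk Ports": "8",
}

# "Feature name : value" lines inside the license block.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9 /-]+?)\s*:\s*(?P<value>.+?)\s*$")
# Trailing summary line naming the license level (Base, Security Plus, ...).
PLATFORM_RE = re.compile(r"This platform has an? (?P<lic>.+?) license\.")


def parse_license_block(text):
    """Return (features dict, license name) parsed from show version output."""
    features = {}
    license_name = None
    in_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        m = PLATFORM_RE.search(line)
        if m:
            license_name = m.group("lic")
            in_block = False
            continue
        if in_block and line:
            fm = FEATURE_RE.match(line)
            if fm:
                features[fm.group("name")] = fm.group("value")
    return features, license_name


def feature_number(value):
    """Leading numeric part of a feature value ('3, DMZ Restricted' -> 3), else None."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def check_license(features, license_name, expected):
    """Return a list of findings; an empty list means the license looks intact."""
    findings = []
    if license_name == "Base":
        findings.append("platform reports Base license: activation key probably lost")
    for name, want in expected.items():
        have = features.get(name)
        if have is None:
            findings.append(f"{name}: not present in show version output")
            continue
        want_n, have_n = feature_number(want), feature_number(have)
        if want_n is not None and have_n is not None:
            # Numeric limits: anything below what you paid for is a finding.
            if have_n < want_n:
                findings.append(f"{name}: {have} (expected at least {want})")
        elif have.split(",")[0].strip() != want:
            # Textual values (Enabled/Disabled, Unlimited, Active/Standby).
            findings.append(f"{name}: {have} (expected {want})")
    return findings


if __name__ == "__main__":
    feats, lic = parse_license_block(SAMPLE_SHOW_VERSION)
    for finding in check_license(feats, lic, EXPECTED_FEATURES):
        print("FINDING:", finding)
```

Paste the real sh ver output into SAMPLE_SHOW_VERSION (or read it from a file) and the script lists every feature that is below your expected license; once the activation key from Cisco has been applied, rerun it and expect no findings.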
I hope this never happens again! Remember to reboot your device next time you run into a flash problem! This should fix it the majority of the time!