Cisco ASA Firepower – TFTP %ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.x.x.x.SPA
May 28, 2020
Short and simple. If you are running Firepower 2100 or 4100 on ASA image either stand alone or context mode you have to install new IOS from FXOS/FCM (Firepower Management Center) GUI. You can’t upgrade ASA code from ASA CLI unfortunately.
Anything chassis related on Firepower appliances is managed via FCM now. I.e even Port-Channel configuration you would have to do it via FCM.
One clue that something is not right is when you try to see current boot options.
Here is snippet from the system context on 2100:
asa/act/pri# sh boot
BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =
As you can see there is no boot var so even if you try to push the image into disk0 you’ll get similar error:
Verifying file disk0:/cisco-asa-fp2k.9.12.3.12.SPA...
%ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.12.3.12.SPA.
To get this going to go your FCM UI page and login
From there we will go to upper right corner and click on System > Updates
Next is to upload an image via Upload Image > Browse > Upload
Once SPA is uploaded we can proceed with pushing the firmware to the chassis. Make sure its done during a maintenance windows since it is disruptive.
That is it. If you are running ha just failover the appliances and do the same thing for the other one.
Regards,
Bart
About The Author
Bart Dworzanczyk
Bart is passionate about new technologies and their impact on our lives. He does not believe in titles or amount of certifications but positive attitude and motivation. Simply the guy that make things happen. You can reach him via Linkedin or meet him on CSGO. Currently focusing on architecting and designing custom-build hybrid cloud solutions around IaaS, DRaaS, BaaS realm.