Cisco ASA Firepower – TFTP %ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.x.x.x.SPA

Short and simple. If you are running Firepower 2100 or 4100 on ASA image either stand alone or context mode you have to install new IOS from FXOS/FCM (Firepower Management Center) GUI. You can’t upgrade ASA code from ASA CLI unfortunately.

Anything chassis related on Firepower appliances is managed via FCM now. I.e even Port-Channel configuration you would have to do it via FCM.

One clue that something is not right is when you try to see current boot options.

Here is snippet from the system context on fp2100:

asa/act/pri# sh boot

BOOT variable = 
Current BOOT variable = 
CONFIG_FILE variable = 
Current CONFIG_FILE variable =

As you can see there is no boot var so even if you try to push the image into disk0 you’ll get similar error:

Verifying file disk0:/cisco-asa-fp2k.9.12.3.12.SPA...
%ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.12.3.12.SPA.

To get this going access your FCM UI page and login.

From there we will go to upper right corner and click on System > Updates

Next is to upload an image via Upload Image > Browse > Upload

Once SPA is uploaded we can proceed with pushing the firmware to the chassis. Make sure its done during a maintenance windows since it is disruptive. NOTE: No more .bin file. You need to ensure to download .SPA otherwise you may brick the device.

That is it. If you are running ha just failover the appliances and do the same thing for the other one.

Regards,
Bart