Cisco ASA Firepower – TFTP %ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.x.x.x.SPA

Short and simple. If you are running Firepower 2100 or 4100 on ASA image either stand alone or context mode you have to install new IOS from FXOS/FCM (Firepower Management Center) GUI. You can’t upgrade ASA code from ASA CLI unfortunately.

Anything chassis related on Firepower appliances is managed via FCM now. I.e even Port-Channel configuration you would have to do it via FCM.

One clue that something is not right is when you try to see current boot options.

Here is snippet from the system context on 2100:

asa/act/pri# sh boot

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =

As you can see there is no boot var so even if you try to push the image into disk0 you’ll get similar error:

Verifying file disk0:/cisco-asa-fp2k.9.12.3.12.SPA...
%ERROR: Signature not valid for file disk0:/cisco-asa-fp2k.9.12.3.12.SPA.

To get this going to go your FCM UI page and login

firepower 2100 - %ERROR: Signature not valid for file disk0:

From there we will go to upper right corner and click on System > Updates

firepower 2100 - %ERROR: Signature not valid for file disk0:

Next is to upload an image via Upload Image > Browse > Upload

firepower 2100 - %ERROR: Signature not valid for file disk0:

Once SPA is uploaded we can proceed with pushing the firmware to the chassis. Make sure its done during a maintenance windows since it is disruptive.

firepower 2100 - %ERROR: Signature not valid for file disk0:

firepower 2100 - %ERROR: Signature not valid for file disk0:

That is it. If you are running ha just failover the appliances and do the same thing for the other one.

Regards,
Bart

Add a Comment

Your email address will not be published. Required fields are marked *