Verifying MD5/SHA1 sums before a system upgrade or install on ASA/IOS

In one of my previous blogs I stated that we should *always* verify that a downloaded upgrade or installation package is correct. We do that by comparing the MD5/SHA1 sum published on the site we downloaded the software from with the value we have calculated ourselves.

For Windows, there are tons of apps that can calculate these sums, but I like plain old fciv, the “File Checksum Integrity Verifier”. It can be downloaded from the Microsoft site.

For Linux, we can just use the command-line utilities sha1sum and md5sum.

OK, so far so good. We have our latest ASA/IOS image and we have verified the sum. Then we transfer the image to the device and do an upgrade/installation. But what if the image gets corrupted while being transferred over FTP/TFTP/SSH/HTTP and we boot the corrupted image? There is only a slim chance of this happening over our LAN/WAN, but who can tell for sure?

Fortunately, we can verify the sum on the device itself. On the ASA for example, we could do:

verify /md5 disk0:/anyconnect-linux-3.1.04066-k9.pkg

Or we can even add what we expect the sum to be:

verify /md5 disk0:/anyconnect-linux-3.1.04066-k9.pkg 393c1cb6a8882914882a05512efabdd8

And if our computation ends with Verified, we are OK:

ASA1/pri/act#
ASA1/pri/act# verify /md5 disk0:/anyconnect-linux-3.1.04066-k9.pkg 393c1cb6a8882914882a05512efabdd8
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<lines omitted> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
Verified (disk0:/anyconnect-linux-3.1.04066-k9.pkg) = 393c1cb6a8882914882a05512efabdd8
ASA1/pri/act#

But if we get %Error verifying, we should not boot this image:

ASA1/pri/act#
ASA1/pri/act# verify /md5 disk0:/anyconnect-linux-3.1.04066-k9.pkg 393c1cb6a8882914882a05512efabdd8
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<lines omitted> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
%Error verifying disk0:/anyconnect-linux-3.1.04066-k9.pkg
Computed signature  = 393c1cb6a8882914882a05512efabdd8
Submitted signature = 393c1cb6a8882914882a05512efabdd1

I just changed the last character of the expected sum to simulate a mismatch.

This also applies to routers and switches, not just ASAs.
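The whole check can be scripted from the management host. The following is an added example, not part of the original post: it hashes the local copy of the image, parses captured verify output in the two formats shown above, and reports the image as safe only when the published, local and on-device sums all agree. The function names are hypothetical, and the sample output is copied from the sessions above with the progress lines left out.

```python
import hashlib
import re

# Device output copied from the two sessions in this post (progress lines omitted).
SAMPLE_OK = """\
Done!
Verified (disk0:/anyconnect-linux-3.1.04066-k9.pkg) = 393c1cb6a8882914882a05512efabdd8
"""
SAMPLE_ERR = """\
Done!
%Error verifying disk0:/anyconnect-linux-3.1.04066-k9.pkg
Computed signature  = 393c1cb6a8882914882a05512efabdd8
Submitted signature = 393c1cb6a8882914882a05512efabdd1
"""

VERIFIED_RE = re.compile(r"^Verified \([^)]+\) = ([0-9a-fA-F]+)\s*$", re.M)
COMPUTED_RE = re.compile(r"^Computed signature\s*=\s*([0-9a-fA-F]+)\s*$", re.M)


def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algo)  # algo is any hashlib name, e.g. "md5" or "sha1"
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def device_digest(verify_output):
    """Return (status, digest computed by the device) from captured output."""
    m = VERIFIED_RE.search(verify_output)
    if m:
        return "verified", m.group(1).lower()
    if "%Error verifying" in verify_output:
        m = COMPUTED_RE.search(verify_output)
        return "mismatch", (m.group(1).lower() if m else None)
    return "unknown", None  # any format not shown in this post


def safe_to_boot(published, local_path, verify_output, algo="md5"):
    """True only if published, local and on-device sums are identical."""
    published = published.strip().lower()
    status, on_device = device_digest(verify_output)
    # Comparing on_device with the published sum also catches the case where
    # the wrong expected value was pasted into the verify command.
    return (status == "verified"
            and file_digest(local_path, algo) == published
            and on_device == published)


if __name__ == "__main__":
    print(device_digest(SAMPLE_OK))
    print(device_digest(SAMPLE_ERR))
```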

Thanks for reading.
