Cisco ASA Firewall Upgrade/TFTP Error: No Cfg structure found in downloaded image file

While assisting a colleague this morning he indicated that each time he tried to upgrade his Cisco ASA 5525-X to ASA OS 9.6.3 he was receiving an error that stated: “No Cfg structure found in downloaded image file” Now, while I am usually quick to diagnose the root causes of issues, this is one that had me scratching my head. That was, until I asked him to run the ‘show version’ command to see what his current ASA OS image was. Yes, it was the ominous 9.1.1 release that requires an ‘interim’ upgrade to 9.1.2 before you can just directly go to the more recent versions of ASA OS.   You can see the output from ‘show flash’ in the image below and it was also defined in the ‘boot system disk0:’ command to boot to ASA OS 9.1.1.

Now, you might be wondering why 9.1.1 (and, ironically, a few other 8.x and 9.x releases are listed as possibly having the same problem as reported in Cisco bug report CSCuh25271) would have this issue and generate this message.  Well, it relates to another ASA OS bug, specifically CSCua9901 that results in the switch, during the TFTP of the newer image like a 9.6.3, failing to upload the image and then rebooting.  We were also seeing this behavior as well.  So, you had to get to an image that fixed the TFTP bug, in our case it is 9.1.2, and THEN you could put the new 9.6.3 image on there.

After a quick search of this document on the Cisco website, I quickly noticed that, at least in our case, you cannot go directly from 9.1.1 to anything other than 9.1.2 – in other words, we needed to upgrade to 9.1.2 FIRST as an interim step and then upgrade to 9.6.3 and everything worked like a champ!

So, if you are seeing the same error message, be sure to check out the document link above and see if you are required to upgrade to an interim release before taking the big plunge to a later release!  Hope this helps someone out there on the wire!