ACE multi context

Can I have a context in ACE in transparent mode and another context in routed mode?

You can, but you can't use any of the "bridged" vlans in the routed context.
Gilles.

Similar Messages

  • Multi-context active-active etherchannel failover

    Hi All,
    Is there a way to monitor individual interfaces on a box doing multicontext etherchannel failover?
    I can understand on an individual box you can add monitor-interface to the physical interface, but in multi context mode, there is only one interface (the logical etherchannel subinterface) pushed through from the system context to each of the other contexts. I've been looking around and can't work out how to get a context failover to fail if only one of the etherchannel fails.
    If the other box has more active etherchannels then that's the one I want active, but can't see it at the moment.
    Possibly missed something somewhere. Any ideas?
    Thanks,
    Gaz

    monitor-interface will only work on "named" interfaces.  So, what you are looking to do is not possible.
    The member interfaces on a port-channel will not have "nameif" associated with them.
    -Kureli

  • BVI doesn't show up in multi context ASA

    I have an ASA 5585 in transparent mode, multi-context. It seems that the option to configure a BVI in one of the traffic contexts isn't there. In other words, while I see the option to configure a bridge group interface in the admin context, no such option comes up in the traffic context.
    ciscoasa/admin(config)# interface ?
    configure mode commands/options:
      BVI         Bridge-Group Virtual Interface
      Management  Prefix of interface Management0/0
    ciscoasa/admin(config)#
    ciscoasa/admin(config)# changeto context dmz
    ciscoasa/dmz(config)#
    ciscoasa/dmz(config)# interface ?
    configure mode commands/options:
      Port-channel  Prefix of interface Port-channel30.411, 30.412, 30.413, 30.414
    ciscoasa/dmz(config)#
    I thought that maybe I need to first allocate BVI interface(s) in the system context (in order to see them in the traffic context) but that doesn't seem to be an option either.
    ciscoasa/dmz(config)# ch system
    ciscoasa(config)# interface ?
    configure mode commands/options:
      GigabitEthernet     GigabitEthernet IEEE 802.3z
      Management          Management interface
      Port-channel        Ethernet Channel of interfaces
      Redundant           Redundant Interface
      TenGigabitEthernet  Ten GigabitEthernet
      <cr>
    ciscoasa(config)#
    Has anyone seen this or know what the issue is? Thanks.

    I think I figured it out. It seems that when you create a context, it is created in routed mode by default. So you have to explicitly go in and change it to transparent mode. Then the BVI interface shows up of course.

  • Add multi context asa to mars

    When I try to add a multi context ASA to MARS, I get an error:
    Error occured during PIX multicontext discovery. More detailed info may be available under View Error button of individual context devices.
    If you can not find detailed error info, please make sure 'hostname.domain-name' for each context device is unique"
    So this means I should change the host name of each context in the ASA to be different to add it to MARS?
    thank you,
    Duyen

    Hi duyendaica,
    I try to answer, maybe you just need to add domain-name configuration in every context, not to change the hostname.
    Thanks
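The error text quoted above asks for `hostname.domain-name` to be unique per context. The following Python is an added example for this page (not MARS or Cisco code) that runs that check offline over the running-config text of each context; the three context configs are constructed sample input, and the regexes assume the plain `hostname <name>` / `domain-name <name>` lines an ASA context config contains.

```python
import re
from collections import defaultdict

# Constructed sample input: a running-config excerpt per security context.
# "admin" and "dmz" keep the default hostname and share one domain-name, so
# their hostname.domain-name collide; "inside" has no domain-name at all.
CONTEXT_CONFIGS = {
    "admin":  "hostname ciscoasa\ndomain-name example.test\ninterface Management0/0\n nameif management\n",
    "dmz":    "hostname ciscoasa\ndomain-name example.test\ninterface Port-channel30.411\n nameif outside\n",
    "inside": "hostname ciscoasa\ninterface Port-channel30.412\n nameif inside\n",
}

HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$", re.MULTILINE)
DOMAIN_RE = re.compile(r"^domain-name\s+(\S+)\s*$", re.MULTILINE)


def context_fqdn(config: str):
    """Return (hostname, domain) from one context config; domain is None when unset."""
    host = HOSTNAME_RE.search(config)
    domain = DOMAIN_RE.search(config)
    return (host.group(1) if host else None, domain.group(1) if domain else None)


def audit_context_names(configs: dict) -> dict:
    """Group contexts by hostname.domain-name; report collisions and missing domain-names."""
    by_name = defaultdict(list)
    missing_domain = []
    for ctx, cfg in configs.items():
        host, domain = context_fqdn(cfg)
        if domain is None:
            missing_domain.append(ctx)
        key = host if domain is None else f"{host}.{domain}"
        by_name[key].append(ctx)
    collisions = {name: ctxs for name, ctxs in by_name.items() if len(ctxs) > 1}
    return {"collisions": collisions, "missing_domain": missing_domain}


if __name__ == "__main__":
    report = audit_context_names(CONTEXT_CONFIGS)
    for name, ctxs in report["collisions"].items():
        print(f"{name} is used by contexts: {', '.join(ctxs)}")
    for ctx in report["missing_domain"]:
        print(f"context {ctx} has no domain-name configured")
```

Run against the output of `show running-config` collected from each context; a collision means either the hostname or the domain-name of one of the listed contexts has to change before the device will enumerate cleanly.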

  • Multi Context IPSec VPN limitations

    Hello,
    We are looking to deploy multi-context IPSec lan to lan VPNs on ASA 9.x now that the functionality is available and I'm trying to understand if there are limitations to the number of tunnels that can be deployed per context? The below link may seem to indicate that there is a limit of 5 "IPSec sessions" per context but I can't see any reference to such limitations anywhere else.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1147166
    Does anybody know if there is a hard limit of number of IPSec connections per context or is it down to the general capabilities of the hardware (i.e. we're looking initially to deploy on 5520 so we'd get a throughput capability of 225Mb based on the datasheet -obviously depending on crypto parameters)?
    Thanks

    Hey found the updated document
    http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181
    Ok, this is the real document:
    By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.
    vpn burst other
      Rate or Concurrent: Concurrent
      Minimum Number per Context: N/A
      Maximum Number per Context: The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.
      Description: The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.
    vpn other
      Rate or Concurrent: Concurrent
      Minimum Number per Context: N/A
      Maximum Number per Context: See the "Supported Feature Licenses Per Model" section in the CLI configuration guide for the Other VPN sessions available for your model.
      Description: Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.
    Value our effort and rate the assistance!

  • Adding FWSM multi context in CSM

    Hi friends,
    Just wanted to know that when adding FWSM multi-context in CSM 3.1, do I need to add all contexts separately in CSM or will just adding the admin context do the needful?
    It seems to me that all security policies (ACL's) appear in CSM only after I import each context individually. But I have 22.
    Just wanted to know if it is possible to add it in an easier way.
    Thanks and Regards
    Gautam

    Hi, I have a similar problem: I have two contexts and the system context, and the CSM uses ACS to authenticate the devices. When I try to add a context the CSM tells me that it isn't authorized, but if I configure it in the ACS as a client, the CSM still tells me that the device isn't authorized. I think that I need to add the system context as an aaa client also, but this context hasn't got an ip address by definition. How can I solve the problem?
    Regards
    Sergio

  • Will up coming 9.0 release support multicast in multi-context mode?

    I understand that in 8.4 multicast is not supported in multi-context mode. How about the up-and-coming release of 9.0?

    No, multicast is still not supported on multi context mode in the upcoming 9.0 release.
    However, IPSec LAN-to-LAN VPN is supported on multi context mode.

  • Wwan 3G/4G 4G LTE HWIC VPN (with dynamic ip) Configuration assistance to multi context asa

    Hello All
    I have a customer that has several sites all over the world and they want to use 3G and possibly 4G (where available) as a backup vpn solution.
    I need some assistance/guidance in configuring the cellular radio and configuring the vpn (dynamic ip) to work over the wwan.
    Countries involved are France, Spain, Australia, Thailand and Malaysia.
    I understand that I will need the APN credentials from the service provider. Is this normally the same for 3g and 4g?
    Do I get chat scripts from them too?
    My vpn gateway in the HQ is a Cisco multi-context asa so I can't configure remote access as it's not supported yet. Can I possibly use the 1921 router (4G LTE HWIC installed) at the sites as a hardware client?
    I have seen the following urls. One has the 3g router as a "remote access" vpn but I guess this won't work in my scenario.
    The other is between ios router and asa which I think will work. I don't need nat on the 3g/4g router as all traffic will be using the vpn.
    http://www.networking-forum.com/blog/?p=708 . Will I need this for all the sub-interfaces I configure on the router?
    interface Vlan1
    description LAN
    ip address 10.0.0.14 255.255.255.240
    no ip redirects
    no ip proxy-arp
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn ASA inside <--is this needed per interface????
    Remote access reference in config:
    group-policy 3GPolicy attributes
    vpn-tunnel-protocol IPSec
    password-storage enable
    nem enable
    tunnel-group 3GRAGroup type remote-access <---Remote access config
    tunnel-group 3GRAGroup general-attributes
    authorization-server-group LOCAL
    default-group-policy 3GPolicy
    tunnel-group 3GRAGroup ipsec-attributes
    pre-shared-key **Same key as the ASA profile on the 881**
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html 
    Anyone got a helpful configuration and guide?
    Thanks
    Feisal

  • ASA X-series firewalls difference & multi context features

    Does anyone have a quick guide to show the feature differences between the X and regular ASA series firewalls?
    And does this still hold true WRT multi-context ASA in the X-series?
    No multi-context.....
    - If you need to provide VPN services such as remote access or site-to-site VPN tunnels.
    - If you need to use dynamic routing protocols. With multiple context mode, you can use only static routes.
    - If you need to use QoS.
    - If you need to support multicast routing.
    - If you need to provide Threat Detection.
    tia,
    Will

    A few changes in the new ASA version 9.0 (supported on both ASA and ASA-X series):
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
    In multiple context mode, it does support the following:
    - Site to site VPN tunnels only.
    - Dynamic routing protocols: EIGRP and OSPFv2 only.
    - QoS is not supported.
    - Multicast routing is not supported.
    - Threat Detection is not supported.
    Here are the unsupported features in multiple context mode as of Version 9.0:
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_contexts.html#wp1382237

  • ACE system stability with multi-context

    Question... if the ACE module is configured with multiple contexts, and one of the contexts hits its max resource limitations for a given resource thereby resulting in dropping excess resources, will this cost the entire ACE system, or is it limited only to the one context?
    For example, if a context configured for a max of 3000 connections/second receives 300000000 connections/second due to a virus outbreak/DoS attack, will this attack affect other contexts, or will the dropping of the excess connections be seamless to other contexts? Also, does the ACE drop the excess traffic in hardware, or must it be examined by a cpu?
    Thanks!!
    -Lee

    Generally, the individual contexts operate independently from one another. So if one context reaches its upper defined limit, that affects only that context.
    The ACE has hardware-based support for many of its operations, and to the best of my knowledge, connection processing is handled by one of its 16 ME's (MicroEngine). I've never seen a benchmark test that shows how e.g. a DoS attack affects the entire module, nor have I tried it myself, but maybe someone else here at the forum can provide you with some information on that.
    BTW, try and check out these two links. The first one describes the ACE hardware architecture, including the ME's and how they're used for processing traffic. The other one is a test conducted by Miercom on the ACE module; maybe this can provide you with some information on how the ACE handles a sudden increase in traffic during an attack.
    http://www.cisco.com/en/US/customer/prod/collateral/modules/ps2706/ps6906/White_Paper_Connection_Handling_within_the_Cisco_Application_Control_Engine_Module_Hardware.html
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_brochure0900aecd806d1c90.pdf
    hth
    /Ulrich
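The guaranteed-versus-burst accounting quoted from the ASA documentation in the "Multi Context IPSec VPN limitations" thread above, and the per-context isolation Ulrich describes for the ACE here, follow one model: each context has a quota that is guaranteed to it and cannot be oversubscribed, while anything left under the platform limit is a shared pool handed out first-come, first-served. The following Python is an added example written for this page, not Cisco code and not a model of the ASA or ACE internals. It assumes a constructed platform limit of 5000 sessions (the figure used in the quoted documentation) and, as a simplification, that a context may draw from the burst pool only after resource management has given it a guaranteed amount.

```python
from dataclasses import dataclass


@dataclass
class ContextUsage:
    guaranteed: int          # sessions guaranteed to this context ("vpn other")
    in_guaranteed: int = 0   # sessions currently drawn from the guaranteed quota
    in_burst: int = 0        # sessions currently drawn from the shared burst pool


class ResourceManager:
    """Per-context session accounting: guaranteed quotas plus one shared burst pool."""

    def __init__(self, model_limit: int):
        self.model_limit = model_limit
        self.contexts: dict[str, ContextUsage] = {}

    def assign(self, ctx: str, sessions: int) -> None:
        """Guarantee `sessions` to `ctx`; all guarantees combined may not exceed the model limit."""
        others = sum(c.guaranteed for name, c in self.contexts.items() if name != ctx)
        if others + sessions > self.model_limit:
            raise ValueError(f"cannot guarantee {sessions} to {ctx}: only {self.model_limit - others} unassigned")
        self.contexts[ctx] = ContextUsage(guaranteed=sessions)

    @property
    def burst_pool(self) -> int:
        """Model limit minus everything guaranteed: the oversubscribable 'vpn burst other' pool."""
        return self.model_limit - sum(c.guaranteed for c in self.contexts.values())

    @property
    def burst_in_use(self) -> int:
        return sum(c.in_burst for c in self.contexts.values())

    def open_session(self, ctx: str):
        """Admit one session: returns 'guaranteed', 'burst', or None when refused."""
        usage = self.contexts.get(ctx)
        if usage is None:
            return None  # assumption: no resource assignment means no VPN sessions at all
        if usage.in_guaranteed < usage.guaranteed:
            usage.in_guaranteed += 1
            return "guaranteed"
        if self.burst_in_use < self.burst_pool:
            usage.in_burst += 1
            return "burst"
        return None

    def close_session(self, ctx: str) -> None:
        """Release one session, returning burst capacity to the shared pool first."""
        usage = self.contexts[ctx]
        if usage.in_burst > 0:
            usage.in_burst -= 1
        elif usage.in_guaranteed > 0:
            usage.in_guaranteed -= 1


def flood_scenario() -> dict:
    """One context is hit with far more tunnel attempts than it was sized for."""
    rm = ResourceManager(5000)   # constructed: a model supporting 5000 site-to-site sessions
    rm.assign("ctxA", 3000)
    rm.assign("ctxB", 1000)      # 4000 guaranteed in total, so the burst pool is 1000
    a = [rm.open_session("ctxA") for _ in range(4500)]
    # ctxB asks for its sessions only after ctxA has drained the shared burst pool
    b = [rm.open_session("ctxB") for _ in range(1200)]
    return {
        "burst_pool": rm.burst_pool,
        "a_guaranteed": a.count("guaranteed"),
        "a_burst": a.count("burst"),
        "a_refused": a.count(None),
        "b_guaranteed": b.count("guaranteed"),
        "b_burst": b.count("burst"),
        "b_refused": b.count(None),
        "unmanaged_refused": rm.open_session("ctxC") is None,
    }


if __name__ == "__main__":
    for key, value in flood_scenario().items():
        print(f"{key}: {value}")
```

The point the run makes is the one in the thread: ctxA's excess is refused inside ctxA, while ctxB still receives every one of its guaranteed sessions; the only thing ctxB loses to the flood is access to the shared burst pool, which is exactly the part the documentation describes as oversubscribable.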

  • ACE - Inter-context traffic flow.

    Experts ,
    Could you please guide me for a traffic-flow mentioned below ?
    Connection flow:
    client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
    [Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8]  <= {User Context test2}
    There are two contexts, test1 & test2, on the same ACE box residing in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared vlan.
    context test 1
    rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
      webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
      inservice
    rserver host SITMA21
      ip address 10.106.24.133
      probe PING
      inservice
    rserver host SITMA22
      ip address 10.106.24.138
      probe PING
      inservice
    serverfarm host L17SVWOASIS03_FARM
      description oasis-sso-stg2 server farm
      failaction purge
      probe TCP-80
      rserver SITMA21 80
        inservice
      rserver SITMA22 80
    serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
      rserver OASIS-SSO-STG2_OOS_REDIRECT
        inservice
    sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
      serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
      timeout 10
      replicate sticky
    Need to know when the redirection will take place here. I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down, then the redirect server comes into the picture as per the configs attached.
    If that is the case then
    rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
      webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
      inservice
    The highlighted URL should be the VIP of the context test2, i.e. 10.106.112.59, is that right? In this case how do I send this request to the VIP, since both are in different vlans? Should it be done with PBR (policy based routing) via the CAT6k? Could anyone please share the configs?
    Or can this be done with a default route to the VIP on the contexts?

    Configs
    =====
    CSS - Context 1
    ============
    probe tcp qaahmapp1-ssl-475_PROBE
      port 475
      interval 5
      passdetect interval 5
      connection term forced
    rserver host HS_PROD.sanovia_447-ssl-a
      ip address 10.99.0.13
      inservice
    rserver host HS_PROD.sanovia_447-ssl-b
      ip address 10.99.0.14
      inservice
    serverfarm host sanovia.qaahm.ssl
      probe qaahmapp1-ssl-475_PROBE
      rserver HS_PROD.sanovia_447-ssl-a 475
        conn-limit max 4000000 min 4000000
        inservice
      rserver HS_PROD.sanovia_447-ssl-b 475
        conn-limit max 4000000 min 4000000
        inservice
    parameter-map type http cisco_avs_parametermap
      case-insensitive
      persistence-rebalance
      parsing non-strict
    action-list type optimization http cisco_avs_bandwidth_and_latency
      delta
      flashforward
    action-list type optimization http cisco_avs_img_latency
      flashforward-object
    action-list type optimization http cisco_avs_obj_latency
      flashforward-object
    class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
      2 match http url .*
    class-map type http loadbalance match-any cisco_avs_img_latency
      2 match http url .*jpg
      3 match http url .*jpeg
      4 match http url .*jpe
      5 match http url .*png
    class-map type http loadbalance match-any cisco_avs_obj_latency
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
    class-map match-all sanovia.qaahm.ssl_CLASS
      2 match virtual-address 10.99.1.76 tcp eq https
    policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
      class class-default
        serverfarm sanovia.qaahm.ssl
        insert-http x-forward header-value "%is"
    policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
      class cisco_avs_obj_latency
        action cisco_avs_obj_latency
      class cisco_avs_img_latency
        action cisco_avs_img_latency
      class cisco_avs_bandwidth_and_latency
        action cisco_avs_bandwidth_and_latency
    policy-map multi-match POLICY
      class sanovia.qaahm.ssl_CLASS
        loadbalance vip inservice
        loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
        optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
        loadbalance vip icmp-reply active
        nat dynamic 2 vlan 20
        appl-parameter http advanced-options cisco_avs_parametermap
    interface vlan 20
      ip address 10.99.1.240 255.255.255.0
      alias 10.99.1.241 255.255.255.0
      nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
      nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.99.1.1
    ========================================================================================
    SCA - Context 2
    ============
    crypto chaingroup GoDaddy
      cert cisco-sample-cert
    probe tcp AHM_QA-PROBE
      port 8080
      interval 5
      passdetect interval 5
      connection term forced
    rserver host AHM_QA
      ip address 10.99.1.76
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host AHM_QA
      rserver AHM_QA 8080
        conn-limit max 4000000 min 4000000
        probe AHM_QA-PROBE
        inservice
    parameter-map type ssl sanovia-ssl-parms
      description This is where you tweak your SSL parms, cert, etc.
      cipher RSA_WITH_RC4_128_MD5 priority 4
      cipher RSA_WITH_RC4_128_SHA priority 5
      cipher RSA_WITH_DES_CBC_SHA priority 3
      cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
      cipher RSA_WITH_AES_128_CBC_SHA priority 7
      cipher RSA_WITH_AES_256_CBC_SHA priority 8
    ssl-proxy service sanovia-ssl-proxy
      key cisco-sample-key
      cert cisco-sample-cert
      chaingroup GoDaddy
      ssl advanced-options sanovia-ssl-parms
    class-map match-any AHM_QA-CLASS
      2 match virtual-address 10.99.0.13 tcp eq 475
      3 match virtual-address 10.99.0.14 tcp eq 475
    policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
      class class-default
        serverfarm AHM_QA
    policy-map multi-match POLICY
      class AHM_QA-CLASS
        loadbalance vip inservice
        loadbalance policy AHM_QA-CLASS-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 10
        ssl-proxy server sanovia-ssl-proxy
    interface vlan 10
      ip address 10.99.0.17 255.255.255.0
      peer ip address 10.99.0.11 255.255.255.0
      nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
      service-policy input POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.99.0.1
    ========================================================================================
    CSS - Context 1 ( another VIP)
    =======================
    rserver host qaahmapp1-8080
      ip address 10.99.1.217
      conn-limit max 4000000 min 4000000
      inservice
    serverfarm host sanovia.qaahm.postssl
      rserver qaahmapp1-8080 8080
        conn-limit max 4000000 min 4000000
        inservice
    parameter-map type http HTTP_PARAMETER_MAP
      persistence-rebalance
    sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
      cookie insert
      serverfarm sanovia.qaahm.postssl
      timeout 45
      replicate sticky
    class-map match-all sanovia.qaahm.postssl_CLASS
      2 match virtual-address 10.99.1.76 tcp eq 8080
    policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
      class class-default
        sticky-serverfarm qanovia.qaahm.postssl-STICKY
    policy-map multi-match POLICY
      class sanovia.qaahm.postssl_CLASS
        loadbalance vip inservice
        loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 2 vlan 20
        appl-parameter http advanced-options HTTP_PARAMETER_MAP
    interface vlan 20
      ip address 10.99.1.240 255.255.255.0
      alias 10.99.1.241 255.255.255.0
      nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
      nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
      no shutdown
    =============================================================================
    I have configured two vlans in the CAT6k, i.e. vlan 10 & vlan 20, with the following ip's as mentioned in the routes of the ACE:
    10.99.0.1 & 10.99.1.1
    Also configured only the final rserver 10.99.1.217 under vlan 20. This made all the vips and rservers up, but I still couldn't get the required page. There is a small confusion in the first context, as the vip is shown as https but I don't see any cert and key in the customer config, so I made it http for my test. But the second context vip is https, where I have added the certs and key as required.
    Let me know if I am missing anything here. Many thanks in advance.
    thanks
    Martin

  • ACE Module Context Up to 8 Chain Groups

    Hi
    I have an ACE with 8 chain groups, each with 8 certificates. What do I need to do if I need another certificate?
    This because the information in the document
    The ACE supports the following certificate chain group capabilities:
    •A chain group can contain up to eight certificate chains.
    •Each context on the ACE can contain up to eight chain groups.
    •The maximum size of a chain group is 16 KB.
    thanks for your help.

    I do not need to match a specific URL. The application on the server does however. The server admin reports that connection is being refused as there is no URL included to match.
    When setting this up as a one-arm config with source NAT everything works fine. Unfortunately, it is a requirement of the application that the client IP remain intact.

  • FWSM user and administrator multi-contexts authentication under ACS radius

    Hi,
    I’m preparing the setup of an ACS radius server for FWSM-related authentication operations.
    FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in multi-switch active / standby setup, with multiple contexts configured.
    User and administrator access management will be performed thanks to a radius ACS server.
    I intend to install ACS onto an armored windows 2000 server SP4, using a local database.
    PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
    Are there any points I should be aware of about such a configuration, especially regarding the user and administrator authentication access management setup?
    The fact is that administrators will have to be defined and restricted to their own context, without privileges onto other contexts. Do you have feedback about such a setup or relevant information to point to me ?
    Many thanks in advance for your attention.
    Best regards,
    Arnaud

    Each of the contexts will behave like individual firewalls for your purposes here. So, they each get an AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well; it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the Pix MC, which is similar to PDM, but works for multiple FWSMs. It is a part of CiscoWorks VMS.
    -Paul

  • CRM ACE User Context Update

    Hi all,
    How do we update the user context of active ace users automatically? Currently the user context is getting expired after the default time of 16 hours and after that when the users search on orders it produces zero results. When I go to ACE_UPDATE and update the user context then again it works fine.
    Is there a way to do it automatically?
    Thanks.
    Neha.
    Edited by: Neha Kapoor on May 22, 2009 1:04 AM

    Hi Neha,
    This is due to some missing authorization with users when ACE tries to do a user context refresh or calculates the actor again. Please put a trace on the user when this automatic refresh happens (after 16 hours in your case and when the user logs in).
    Ideally, the user should have the required auth. to be able to execute the AFU method of his/her ACE classes.
    Hope this helps.
    Regards,
    Satender

  • ACE Virtual context -TACACS authentication issue

    Hello All,
    I have configured four contexts in the ACE module.
    I am trying to authenticate each individual context through ACS.
    Admin context authentication is working perfectly fine, and it is assigning the role of Admin for all the ACS users.
    But when I am trying to authenticate the other contexts, the authentication part is working fine, but the user is not able to do any action other than show commands.
    When I checked the user account (show user-account), it is given the role of Network-Admin.
    Admin Context Output:
    user:parvees.m
            roles: Admin
            domain: default-domain
            Context: Admin
    Context ABC output
    user:parvees.m
            roles: Network-Admin
            domain: default-domain
            Context: ABC
    Any help is highly appreciated.
    regards,
    Parvees

    Hi
    The following ACS shell attribute has been added and it worked for me:
    shell:ABC ="Admin default-domain"
    This has been repeated for all the domains, and it worked fine.
    regards,
    Parvees
