Multiple context mode and Active Active

Hi Everyone,
ASA in multiple context  mode works as active active mode.
ASA has 2 contexts admin and  x.
We have 2  physical ASA say ASA1 and ASA2 .
Under system context we have hostname ASA
When i ssh to ASA1 it brings the ASA/admin mode.
sh failover shows
sh failover shows
This host:    Primary
This host:    Primary
When i try to login to ASA 2 it brings me to ASA/x prompt.
sh failover shows
  This context: Active
Peer context: Standby Ready
Need to  know is there any way that i can login to other physical ASA?
i hope my question makes sense.
Message was edited by: mahesh parmar

Hi Mahesh,
To it seems that you are logging to different contexts in these 2 cases.
Normally an admin always logs to the "admin" context IP address owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
Then go to the context "x" and issue the command "show run interface"
Now check the IP addresses on the interfaces.
Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally lead you to the "admin" context.
For example
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
If the above were true you would connecto the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit
- Jouni

Similar Messages

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • ASDM_HANDLER problem on multiple context mode

    Hello,
    Has any anybody seen this error?
    On the firewall multiple context I used to jump from one context to another, but now when I log in to the admin context and I try to jump to another context I receive this error. Could no find any bug on release notes for that.

    Hi,
    I have not personally seen this error before. Though I don't use ASDM that much anyway. We used to have FWSMs in multiple context mode and now have ASAs running multiple context mode and I have never seen this.
    Have you checked the situation (as the error message suggests) from the CLI of the ASA to see if there is a lot of ASDM sessions in the "admin" context of the unit?
    show asdm sessions
    - Jouni

  • Botnet Filter with multiple Context Mode

    We used the Botnet Filter in Single Context Mode for a long Time. Now we converted to multiple Context Mode and the Database is no longer updated. In the system Context I can See the update settings but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
    How should be the Botnet Filter configured in Multiple Context Mode?
    Thanks for any response in advance.

    sh run | grep dns
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    policy-map type inspect dns preset_dns_map
    inspect dns preset_dns_map
    ping update-manifests.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
    ping updates.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
    ASA Version 8.4(2)
    hostname DE-VM-TER-FW-02
    enable password 8Ry2Yj8765U24 encrypted
    passwd 2KFQnb6IdI.2KY75 encrypted
    names
    interface GigabitEthernet0/0.3207
    nameif TR_v207
    security-level 50
    ip address 10.28.6.60 255.255.255.248
    interface GigabitEthernet0/0.3208
    nameif TR_v208
    security-level 70
    ip address 10.28.6.68 255.255.255.248
    interface GigabitEthernet0/0.3209
    nameif TR_v209
    security-level 80
    ip address 10.28.6.76 255.255.255.248
    interface GigabitEthernet0/0.3210
    nameif TR_v210
    security-level 90
    ip address 10.28.6.84 255.255.255.248
    interface GigabitEthernet0/1
    nameif COLT
    security-level 0
    ip address 217.111.58.46 255.255.255.240
    interface GigabitEthernet0/3
    nameif T-COM
    security-level 0
    ip address 194.25.250.94 255.255.255.240
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network COLT_dynamic_NAT
    subnet 0.0.0.0 0.0.0.0
    object network T-COM_dynamiy_NAT
    subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list COLT_access_in extended deny ip any any
    access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
    access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
    access-list T-COM_access_in extended deny ip any any
    access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list TR_3208_access_in extended permit ip any any
    access-list TR_3208_access_in extended permit icmp any any
    access-list TR_v207_access_in extended deny ip any any
    access-list TR_v210_access_in extended deny ip any any
    access-list TR_v209_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TR_v208 1500
    mtu T-COM 1500
    mtu COLT 1500
    mtu TR_v207 1500
    mtu TR_v210 1500
    mtu TR_v209 1500
    ip verify reverse-path interface T-COM
    ip verify reverse-path interface COLT
    ipv6 access-list TR_v207_access_ipv6_in deny ip any any
    ipv6 access-list TR_v208_access_ipv6_in deny ip any any
    ipv6 access-list TR_v209_access_ipv6_in deny ip any any
    ipv6 access-list TR_v210_access_ipv6_in deny ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network COLT_dynamic_NAT
    nat (any,COLT) dynamic interface
    object network T-COM_dynamiy_NAT
    nat (any,T-COM) dynamic interface
    access-group TR_3208_access_in in interface TR_v208
    access-group TR_v208_access_ipv6_in in interface TR_v208
    access-group T-COM_access_in in interface T-COM
    access-group COLT_access_in in interface COLT
    access-group TR_v207_access_in in interface TR_v207
    access-group TR_v207_access_ipv6_in in interface TR_v207
    access-group TR_v210_access_in in interface TR_v210
    access-group TR_v210_access_ipv6_in in interface TR_v210
    access-group TR_v209_access_in in interface TR_v209
    access-group TR_v209_access_ipv6_in in interface TR_v209
    route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
    route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
    route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    no threat-detection statistics tcp-intercept
    dynamic-filter use-database
    dynamic-filter enable interface T-COM
    dynamic-filter enable interface COLT
    dynamic-filter drop blacklist interface T-COM
    dynamic-filter drop blacklist interface COLT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map dynamic-filter-snoop
    service-policy global_policy global
    Cryptochecksum:7bbe975fb39e189e99d8878787a0037
    : end
    System Context
    dynamic-filter updater-client enable
    ​ Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured

  • Active/standby in multiple context mode

    is active/standby configuration possible in multilple context mode? i cannot find an article regarding this matter.

    Hello John,
    It is available
    Actually the ones you need are the regular  ones (documents) as the ASA will trigger failover if one of the context fail
    Important Notes
    For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
    . Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
    VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
    Active/Standby Failover configurations in single context configurations.
    With this I think you are ready to start configuring it:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
    Julio

  • Are VPN Clients supported in multiple context mode?

    Hi,
    Recently our company has bought two Cisco ASA 5515-X firewalls for at our datacenter. I am new on configuring a Cisco ASA but sofar things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
    I want to configure VPN Client functionallity for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
    - Is VPN Client supported in Multiple Context mode?
    - What is AnyWhere Essentials vs Premium Peers?
    Boudewijn
    Here is some additional output fromt he current configuration:
    Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
    Device Manager Version 7.1(3)
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                                 Boot microcode        : CNPx-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                                 IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                                 Number of accelerators: 1
    Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    IPS Module                        : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5515 Security Plus license.

    Hi,
    No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
    The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
    This might answer the VPN Licensing related question
    http://packetpushers.net/cisco-asa-licensing-explained/
    I never seem to remember it exactly myself even.
    - Jouni

  • Explain about transparent mode, single mode, multiple context mode

    You can explain about the differents of transparent mode, single mode, multiple context mode in ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has it's own configuration seperate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have anymore questions!
    -Mike
    http://cs-mars.blogspot.com

  • SSLVPN/webvpn in multiple context mode?

    We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
    So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
    As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
    Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

    If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
    Sent from Cisco Technical Support iPad App

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                       Dear Experts,
    Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    Its lists the following for software level 9.0(1)
    Multiple   Context Mode Features
    Dynamic routing in Security   Contexts
    EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
    "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out.  I'll appreciate anyone who can clarify it.
    Thank Jason.
    ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • ASA in multi context mode and AAA based on context

    Hello, running ASA5520 in multicontext mode, and would like to apply AAA in separate contexts; eg. context A and B should have AAA authentication and context C not.
    I am familliar how to setup AAA in single firewall mode but not sure about correct procedure when setting up AAA in multicontext mode.
    Is it possibe to configure individual contexts for AAA?
    Thanks

    Hi,
    Yes, it is possible to setup AAA in individual contexts. The procedure is going to be exaclty the same as when the firewall is in single context mode.
    Just be careful while configuring command authorization on a firewall in multiple context.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1060011
    Hope it helps.
    Thanks,
    Amitashwa

  • HT201365 Once my phone is in Lost Mode and the Activation Lock is on, what will the person who stole my phone be able to do with it? If they bring it anywhere to activate it will Apple confiscate it?

    My phone was stolen and I am just curious how this Lost Mode/Activation Lock works! I know they can't get into my phone currently, and it's off. I tracked the location to an apartment complex before they shut it off, but it didn't give the apartment number, I am hoping they turn it on again soon so I can go back and play the noise, however if I can't I am hoping they will be stupid enough to try to bring it into apple and use it or bring it into verizon. Will Apple or Verizon take the phone for me and return it to me or let them walk out with it? Any background information on similar situations or any feedback would be amazing, I feel naked without my phone.

    They won't be able to use the phone, and Apple won't be able to reactivate it for them. Only you can unlock the phone, so it's useless to them. I would doubt that Apple would be able to identify and return the phone if they are stupid enough to take it in, but I don't know for certain.

  • Multiple context mode, how to download the packet capture file

    Hi guys,
    Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context. 
    The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
    Thanks!
    Difan

    Hello Difan,
                         Please refer the following document.
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Also what version of the ASA code are you using?
    Regards,
    Jai Ganesh K

  • Does VPN works in Firewall Active Active failover mode?

    i want to clarify these two things!
    1. Does VPN works in failover mode in Active/Active mode?
    2. What about in Failover mode Active/Pasive?
    Regards!

    Hi,
    Using an Active/Active Failover means that the Firewalls will be in Multiple Context mode. In other words virtual firewalls.
    This means that you can ONLY use IPsec L2L VPN connections on the virtual firewalls if you are running 9.x software level on the firewalls. Any form of Client and Clientless VPN isnt supported in Multiple Context Mode at the moment.
    Now with Active/Standby we have to make a distinction (if that was the word).
    IF you run a normal Active/Standby Failover pair of ASAs that IS NOT in Multiple Context mode YOU CAN use any type of VPN the ASAs support.
    IF you run a a pair of ASAs in Multiple Context Mode and in Active/Standby Mode you will naturally run into the limitation of VPN support in Multiple Context Mode and WILL NOT be able to use any other VPNs other than IPsec L2L VPN connections provided you are running 9.x software that supports it.
    Hope this helps
    - Jouni

  • Can IPS and AntiBot work in Active - Active Mode

    Hi,
    When we propose two firewalls in Active - Active mode with IPS module and Anti-Bot Licences, will the firewall along with IPS and Anti-Bot work in Active - Active mode? If not, how do the other OEM's claim that they are able to run their UTM in Active- Actvie Mode.

    Hi,
    I haven't seen any type of limitation with IPS and Botnet Traffic filtering on Multiple context mode; so it should work  fine.
    Luis

Maybe you are looking for

  • Need help - session and lost attribute...

    Hi, We store some attributes in the session. In the web.xml we have session-timeout 20. (it's in minutes). If user use IE 5.5, and is inactive more than 1 minute, and then he send new request from browser (IE 5.5 or 5.0) to application running under

  • Berkeley DB Java Edition (JE) and JRuby Interoperability

    I finally got around to doing a quick test of calling Berkeley DB Java Edition (JE) from JRuby (JRuby is a 100% pure-Java implementation of Ruby). Before we get to JE and JRuby you probably want to know the answer to this question: "Why you would wan

  • How do I get started with PXI timing?

    I'm working in a lab that is trying to start to use a National Instruments PXI/VXI hybrid system.  I currently know very little about timing and triggering.  Basically all I know is that the timers we are using (PXI-6653) generate a square wave at 10

  • Problem visualizing a view of a z component

    Hi guys, I have created a new component and i have added it a view. When i try to preview it i'm gettin these exceptions. Clase excepción: CX_BSP_WD_RUNTIME_ERROR - La vista ZBP_DAT/ERPMat no se ha podido vincular Método: CL_BSP_WD_VIEW_CONTROLLER=>B

  • How do I achieve this effect?

    I have my kids picture with black background. I am trying to achieve this. What would be the basic steps to do this? I can post my picture somewhere if that helps. http://www.betterphoto.com/gallery/dynoGallDetail.asp?photoID=6367054