I've perused the last few months of postings and did not see anything related to this issue. Please forgive me if I missed the subject in the archives....
I have an issue when trying to configure IDS inline pairs with an ASA in multi-context mode. The issue is that I simply cannot pass traffic over that interface pair when in multi-mode. The basic layout is like this:
R1 ---> ASA ---> IDS ---> R7 ---> IDS ---> R8
I have the addressing set up per the following list:
R1 E0/0: 10.1.1.1 (VLAN 11)
Context 1: ASA E0/1 (inside): 10.1.1.11 (VLAN 11)
Context 2: ASA E0/2: (inside)10.12.12.10 (VLAN 12)
Context 1: ASA E0/0.1 (outside): 22.214.171.124 (VLAN 100)
Context 2: ASAE0/0.1 (outside): 126.96.36.199 (VLAN 100)
R7 E0/0: 188.8.131.52 (VLAN 101)
R7 E1/0: 184.108.40.206 (VLAN 200)
R8 E0/0: 220.127.116.11 (VLAN 201)
As you can see, the outside interface is shared between contexts 1 & 2. All ports on the switches are set to access mode, in the corresponding vlans.
The IDS has two interface pairs:
Pair1: E1/0 & E1/1
Pair2: E1/2 & E1/3
Pair1 bridges vlans 100 & 101 between ASA Context 1 and R7. Pair2 bridges vlans 200 & 201 between R7 & R8. I am able to pass traffic over Pair2 from R7 to R8 & Visa Versa. I enabled signatures 2000 & 2004, which fire when I pass traffic over Pair2. When I attempt pings between the ASA contexts & R7, the signatures do not fire.
When configuring the ASA in multi-context mode, I've tried assigning mac addreses to interface E0/0.1 in each context via the 'mac-address auto' command, and manually in interface config mode. In both cases, I'm unable to pass traffic. However, if I re-configure the ASA in single mode, using 10.1.1.1 in vlan 11, traffic will pass between the ASA & R7... and the signatures fire appropriately.
Additionally, here are the mac addresses the ASA assigned to interface e0/0.1 in each context:
Context 1: 1200.0001.0200
Context 2: 1200.0001.0300
When I jump into the switch and look for these mac addresses in the mac address table, they do not show up:
SW1#sho mac-address-table | in 1200.0001.0200
SW1#sho mac-address-table | in 1200.0001.0300
SW1#sho mac-address-table | in Fa0/13 (switchport mode access, access vlan 100 - connected to ASA E0/0)
I am totally stumped on this. I'm actually losing sleep over this one. :/
Any help would be greatly appreciated.