Active-Active firewall Admin context

yong khang NG · ‎05-14-2012

Hi all,

My problem statement was:

my box is ASA 5585x, since this model have G0/0 - 0/7 sufficient interface, so i no need to do sub-interface for the context.

My question:

a. is it cumpulsary must have the admin context on A-A deployment?

Somehow i read on http://www.techrepublic.com/blog/networking/understand-the-pros-and-cons-of-using-cisco-asa-multiple-context-mode/1413

it mention that "The Admin Context is not restricted and can be used as any other security context."

Can i just exclude this admin context?

b. Refer to my config snipet, can i just allocate management interface to the admin context, instead of allocate it to any inside/outside interface?

c. Is it a good practice not to use the same interface to do LAN failover and stateful failover? I facing the problem of "ghost image" when i enable the multiple mode and both LAN/stateful failover on same interface.

thanks

Noel

P.S: Config snipet

admin-context admin

context admin

allocate-interface Management0/0

config-url disk0:/admin.cfg

join-failover-group 1

!

context public-internet

allocate-interface GigabitEthernet0/0

allocate-interface GigabitEthernet0/1

config-url disk0:/public-intenet.cfg

join-failover-group 2

!

context secure-voice

allocate-interface GigabitEthernet0/2

allocate-interface GigabitEthernet0/3

allocate-interface GigabitEthernet0/4

config-url disk0:/secure-voice.cfg

join-failover-group 1

varrao · ‎05-14-2012

Hi Yong,

Admin context is always created, although you can just use it for management purpose, its not an issue.

For the lan failover and stateful failover, you can follow these recommendations:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077627

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

yong khang NG · ‎05-14-2012

Hi Varun,

Thanks for reply.

Appearnatly my ASA 5585x box facing "ghost image" on the home screen, where it cannot display the real time traffic at the panel.

My concern come to split my previous LAN/State failover interface to seperate interface then, just hope it can solve the problem.

I am now using ASDM 6.47, according to cisco statement it's been solve on this issue, but it seems still happen on my case.

Any command can let me troubleshoot on this?

Thanks

Noel

varrao · ‎05-14-2012

Can you share a screen shot of the issue that you are facing?

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

yong khang NG · ‎05-14-2012

Hi Varun,

A similar thread was ask over partner communities forum, but so far no reply on it.

You may found the previse problem statement on following URL

https://communities.cisco.com/message/95329#95329

thanks

noel

yong khang NG · ‎05-14-2012

few amendment

a. the ASDM now loading with ASDM-647.bin

b. please check the photo snapshot, i am pressing home tab but the image still stay at monitoring page. The experience somehow will make the whole ASDM client hang and need to restart it.

thanks

Noel

varrao · ‎05-14-2012

Hi,

I just checked about this bug, and it seems that this bug has now been fixed in the ASDM image 6.4.7.53, so you can upgrade the ASDM to this version to get past this bug.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao