cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9929
Views
5
Helpful
7
Replies

ASA 5520 multiple context mode question

v_saru
Level 1
Level 1

Hi All,

I need to upgrade the version for ASA 5520 pair that runs in multi-context mode.

Here is my issue:

It seems to have the following contexts:

If I change to system context the copy tftp command is available. However, it cannot connect to any IP address. In the admin context, it can connect to all IP add, but the copy tftp: command is not available.

What am I missing?

Thank you in advance.

gw-fw-01# sh context
Context Name      Class      Interfaces           URL
*extgw            default    GigabitEthernet0/0,  disk0:/extgw
                             GigabitEthernet0/2,
                             GigabitEthernet0/2.100,110,
                             120,130,140,150-153,160,170,
                             GigabitEthernet0/3

Total active Security Contexts: 1

gw-fw-01# sh context detail
Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1,
     GigabitEthernet0/2, GigabitEthernet0/2.100,
     GigabitEthernet0/2.110, GigabitEthernet0/2.120,
     GigabitEthernet0/2.130, GigabitEthernet0/2.140,
     GigabitEthernet0/2.150-153, GigabitEthernet0/2.160,
     GigabitEthernet0/2.170, GigabitEthernet0/3, Internal-Control0/0,
     Internal-Data0/0, Management0/0
  Class: default, Flags: 0x00000819, ID: 0

Context "extgw", has been created
  Config URL: disk0:/extgw
  Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/2,
     GigabitEthernet0/2.100, GigabitEthernet0/2.110,
     GigabitEthernet0/2.120, GigabitEthernet0/2.130,
     GigabitEthernet0/2.140, GigabitEthernet0/2.150-153,
     GigabitEthernet0/2.160, GigabitEthernet0/2.170,
     GigabitEthernet0/3
  Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/2,
     GigabitEthernet0/2.100, GigabitEthernet0/2.110,
     GigabitEthernet0/2.120, GigabitEthernet0/2.130,
     GigabitEthernet0/2.140, GigabitEthernet0/2.150-153,
     GigabitEthernet0/2.160, GigabitEthernet0/2.170,
     GigabitEthernet0/3
  Class: default, Flags: 0x00000813, ID: 2
             
Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000809, ID: 257
gw-fw-01#

3 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

In multi context mode, you would need to perform the upgrade from the system context, and it will use the admin context ip address to connect to the tftp server.

Which interface is your tftp server connected to and what is the security level of the interface?

If it is the lowest security level, you would need to configure the following on the admin context: tftp-server test.cfg

Hope it helps.

View solution in original post

yes you are right, "extgw" is the admin context.

To perform the upgrade, you would need to do it from the system context, and since you are routing to the inside interface (assuming the inside interface is not the lowest security level interface), you should be able to perform "copy tftp flash" from the system context.

Are you getting any error message when you try to copy file from tftp server to flash via system context? if you do, can you share the output?

View solution in original post

Make sure that the the tftp server IP is reacheable from the admin context and that you do not have a firewall enabled on this tftp server. I'd suggest tftpd32.

If you have another routers or another firewall, just make sure there is no problem with this tftp server before trying it from this multiple context ASA.

Once, you verify connectivity, then issue "copy tftp flash:" command from the system space like you had tried before.

It it doesn't work then, wireshark the tftp server and see if it sends packets and if the ASA responds.

-KS

View solution in original post

7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

In multi context mode, you would need to perform the upgrade from the system context, and it will use the admin context ip address to connect to the tftp server.

Which interface is your tftp server connected to and what is the security level of the interface?

If it is the lowest security level, you would need to configure the following on the admin context: tftp-server test.cfg

Hope it helps.

Thank you Halijenn.

However, extgw seems to be the "admin context" based on the "show context" below and the tftp server is accessible from the "extgw" context. The tftp subnet is one of the LAN subnets and it is routed through inside interface

Do you mean I need to add the following tftp-server command in "extgw" context?

tftp-server inside x.x.x.x admin.cfg

gw-fw-01# sh context
Context Name      Class      Interfaces           URL
*extgw            default    GigabitEthernet0/0,  disk0:/extgw
                             GigabitEthernet0/2,
                             GigabitEthernet0/2.100,110,
                             120,130,140,150-153,160,170,
                             GigabitEthernet0/3

Total active Security Contexts: 1

gw-fw-01/extgw#
gw-fw-01/extgw# changeto system
gw-fw-01#
gw-fw-01# sh flash
-#- --length-- -----date/time------ path
  8 8312832    Aug 11 2007 09:07:58 asa722-k8.bin
11 1622       Nov 07 2005 03:59:48 old_running.cfg
12 1076       Nov 07 2005 03:59:50 admin.cfg
13 38897      Mar 06 2010 07:17:54 extgw
14 5623108    Aug 11 2007 09:13:04 asdm-522.bin
15 6746112    Aug 11 2007 08:56:50 asa711-k8.bin

42110976 bytes available (20770816 bytes used)

gw-fw-01#
gw-fw-01#

yes you are right, "extgw" is the admin context.

To perform the upgrade, you would need to do it from the system context, and since you are routing to the inside interface (assuming the inside interface is not the lowest security level interface), you should be able to perform "copy tftp flash" from the system context.

Are you getting any error message when you try to copy file from tftp server to flash via system context? if you do, can you share the output?

Make sure that the the tftp server IP is reacheable from the admin context and that you do not have a firewall enabled on this tftp server. I'd suggest tftpd32.

If you have another routers or another firewall, just make sure there is no problem with this tftp server before trying it from this multiple context ASA.

Once, you verify connectivity, then issue "copy tftp flash:" command from the system space like you had tried before.

It it doesn't work then, wireshark the tftp server and see if it sends packets and if the ASA responds.

-KS

Thanks Kusankar.

You are absolutely right. After I understood the "system" context can access the inside interface without added config, this is what I wanted to verify this morning.

It was the CheckPoint in the middle and after I updated the policy I was able to copy the bin file to flash.

Thanks again Halijenn;

You put me on the right track regarding reachability to "inside" interface from "system" context without any additional config.

I suspected it could be the CheckPoint blocking tftp and that is what it turned out to be.

I was able to copy the new bin file for upgrade.

cshannahan
Level 1
Level 1

Can you explain the test.cfg part of this?  My interface is the lowest security and I cannot TFTP from my system context?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: