I've perused the last few months of postings and did not see anything related to this issue. Please forgive me if I missed the subject in the archives....
I have an issue when trying to configure IDS inline pairs with an ASA in multi-context mode. The issue is that I simply cannot pass traffic over that interface pair when in multi-mode. The basic layout is like this:
R1 ---> ASA ---> IDS ---> R7 ---> IDS ---> R8
I have the addressing set up per the following list:
As you can see, the outside interface is shared between contexts 1 & 2. All ports on the switches are set to access mode, in the corresponding vlans.
The IDS has two interface pairs:
Pair1: E1/0 & E1/1
Pair2: E1/2 & E1/3
Pair1 bridges vlans 100 & 101 between ASA Context 1 and R7. Pair2 bridges vlans 200 & 201 between R7 & R8. I am able to pass traffic over Pair2 from R7 to R8 & vice versa. I enabled signatures 2000 & 2004, which fire when I pass traffic over Pair2. When I attempt pings between the ASA contexts & R7, the signatures do not fire.
When configuring the ASA in multi-context mode, I've tried assigning mac addresses to interface E0/0.1 in each context via the 'mac-address auto' command, and manually in interface config mode. In both cases, I'm unable to pass traffic. However, if I re-configure the ASA in single mode, using 10.1.1.1 in vlan 11, traffic will pass between the ASA & R7... and the signatures fire appropriately.
Additionally, here are the mac addresses the ASA assigned to interface e0/0.1 in each context:
Context 1: 1200.0001.0200
Context 2: 1200.0001.0300
When I jump into the switch and look for these mac addresses in the mac address table, they do not show up:
SW1#sho mac-address-table | in 1200.0001.0200
SW1#sho mac-address-table | in 1200.0001.0300
SW1#sho mac-address-table | in Fa0/13 (switchport mode access, access vlan 100 - connected to ASA E0/0)
I am totally stumped on this. I'm actually losing sleep over this one. :/