I'm not sure if this is expected behavior or not. I want to make sure I didn't configure something wrong.
We're running two ASA Service Modules in Active/Active. Here's the setup
ASA1 - Primary Active
ASA2 - Secondary Standby
ASA1 - Context X Primary Active - Context Y Secondary Standby
ASA2 - Context X Secondary Standby - Context Y Primary Active
If I login to ASA2 and run any commands in Context Y, it runs them with the "failover exec" prepended. Does that sound right? Even though ASA2 is Standby from an "admin" context point of view, shouldn't Context Y be primary and active? I can confirm that it is active from the "show failover" perspective.
From a device standpoint, you have an active device and a standby device, regardless of how the contexts are configured. With the ASA, all configuration is done on the primary device (not context) and replicated to the secondary device. That explains the behavior you are seeing.
I was mistaken, at least for version 3.2 according to this: http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm32/configuration/guide/fwsm_cfg/fail_f.html#wp1048998. The config is sync'd from the active context to the standby context.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...