Cisco Support Community

New Member

Cisco ASA5520 multiple context revert back to single context

Hi all,

We have a redundant set of Cisco ASA5520s. These firewalls run in multiple context mode.

Now we want to make both "virtual" firewalls physical.

We already migrated one of the two firewalls to another physical set.

Now we would like to revert the multiple context back into single context mode, keeping one of the two firewalls as the new running config.

We would like to do this with a minimum downtime.

Is this possible, can someone advise?

Kind regards,

Danny van der Aa

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Cisco ASA5520 multiple context revert back to single context

The config will be saved as config.old when you change the mode of the firewall (this goes both ways I believe). As Luis has mentioned it is a major change, but if you have ASAs in a failover pair then doing this with little or no downtime should be possible.

I would first go about this by taking the current Standby ASA and taking a backup of the running configuration on it, and making any required changes to the configuration to suit your needs. Most likely you will not have much need of what is in the system context, but take a backup of it anyway just to be on the safe side. Then change it to single mode with the command "mode single". Now copy the configuration into the ASA.

Now, assuming that both ASAs have the same IP addresses assigned to their interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network. You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.

Do the same for the second ASA and connect it back to the network. Now, if you have kept the failover configuration, the ASAs will set up an Active/Standby failover in single mode and replicate the configuration.

Your downtime should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.

--

Please remember to rate and select a correct answer

5 REPLIES
Cisco Employee

Cisco ASA5520 multiple context revert back to single context

Hi Danny,

Moving from multiple mode to single mode is a major change. The way the FW works will change completely.

You should schedule a window to perform this change.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

New Member

Cisco ASA5520 multiple context revert back to single context

We have a time window. We would only like to know if it is just a command, or whether we have to restore the firewall to default and then restore the backup.

Silver

Cisco ASA5520 multiple context revert back to single context


Look, the ASA has a .cfg file for each context configuration in flash. Just extract the configuration from flash through ASDM or through the copy command, then move back to single mode, then copy whichever file you want onto the firewall that you made single, and then upload the other configuration to the new firewall. Make sure you understand the interface allocation purpose of the multiple context and any interface settings that you defined in the system context (sub-interface, VLAN, etc.); if you just allocated physical interfaces then there is not much to worry about.

I would suggest posting the configuration. For Luis or myself, since we work at TAC, it would not take much time to do this, but if you are not accustomed to it then it could take you more than you think.

Value our effort and rate the assistance!
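
The interface-allocation check described in the post above, as an added example that is not part of the original thread: a Python sketch that maps the interface names used in a context .cfg back to the physical interfaces and sub-interface settings held in the system context, so the file can be loaded in single mode. The sample configs, context name and function names are constructed for illustration, and `allocate-interface` ranges are not handled.

```python
import re
# Constructed sample: excerpt of a system-context config (not from the thread).
SYSTEM_CFG = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/1.10
 vlan 10
context ctxA
 allocate-interface GigabitEthernet0/0 outside_if
 allocate-interface GigabitEthernet0/1.10 inside_if
"""
# Constructed sample: the context's .cfg, which refers to the mapped names.
CONTEXT_CFG = """\
interface outside_if
 nameif outside
 ip address 192.0.2.1 255.255.255.0
interface inside_if
 nameif inside
 ip address 198.51.100.1 255.255.255.0
"""

def system_interface_info(system_cfg, context):
    """Return ({name seen in context: physical}, {physical: system sub-commands}).
    Interface ranges in allocate-interface are not handled."""
    mapping, settings, section = {}, {}, []
    for line in system_cfg.splitlines():
        if not line.startswith(" "):
            section = line.split()
            if section[:1] == ["interface"]:
                settings[section[1]] = []
        elif section[:1] == ["interface"]:
            settings[section[1]].append(line)  # e.g. " vlan 10"
        elif section[:2] == ["context", context]:
            m = re.match(r"\s+allocate-interface (\S+)(?:\s+(?!visible|invisible)(\S+))?", line)
            if m:
                mapping[m.group(2) or m.group(1)] = m.group(1)
    return mapping, settings

def to_single_mode(context_cfg, system_cfg, context):
    """Rewrite interface stanzas to physical names plus system-level settings."""
    mapping, settings = system_interface_info(system_cfg, context)
    out = []
    for line in context_cfg.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if not m:
            out.append(line)
        elif m.group(1) not in mapping:
            raise ValueError(f"{m.group(1)} is not allocated to context {context}")
        else:
            out += [f"interface {mapping[m.group(1)]}"] + settings.get(mapping[m.group(1)], [])
    return "\n".join(out) + "\n"
```

A `ValueError` here means the context file references an interface the system context never allocated to it, which is worth resolving before the maintenance window rather than during it.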

Silver

Cisco ASA5520 multiple context revert back to single context

??????

Value our effort and rate the assistance!
