Cisco Support Community

Ping from System Context in Multi context ASA

 

Hi Everyone,

ASA has 2 contexts: HR, which is admin, and the other context, Sales.

When I SSH to HR (admin) and go to the system context, ping works fine from the system context to the HR context interfaces, to the neighbor switch which is connected to context HR, and also to the default route of HR, as shown below.

 

ASA5510/HR# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
outside OUTSIDE 172.16.1.1 255.255.255.0 CONFIG
Ethernet0/1.26 HR 192.168.26.1 255.255.255.0

ASA5510#                                 ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5510#                                 ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 172.16.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 192.168.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.26.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 192.168.26.2
 

But when I ping the context Sales interface, it does not work.

      

ASA5510# ping 192.168.27.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.27.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA5510# changeto con
ASA5510# changeto context Sales
ASA5510/Sales# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
outside                  OUTSIDE                172.16.1.11     255.255.255.0   CONFIG
Ethernet0/1.27           Sales                  192.168.27.1    255.255.255.128 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
outside                  OUTSIDE                172.16.1.11     255.255.255.0   CONFIG
Ethernet0/1.27           Sales                  192.168.27.1    255.255.255.128 CONFIG
 

Need to know if this is default behaviour?

How does ping traffic flow or work from system context to HR interfaces and to devices connected to context HR?

Regards

MAhesh

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

This is default behavior. The system context has no interfaces assigned to it and therefore uses an interface in the allocated admin context instead. Here is a quote from a Cisco document:

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html#wp1133678

This is why you are able to ping networks connected to the HR (admin) context and not the Sales context.

--

Please remember to select a correct answer and rate helpful posts
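
The behavior described in the answer above, as an added illustration that is not part of the original posts: a sketch of a system-space configuration in which HR is the admin context, followed by the way to test the Sales interface from inside its own context. The context names, subinterfaces and addresses come from the thread; the physical interface Ethernet0/0, its mapped name and the `config-url` file names are assumptions.

```cisco
! Constructed sketch of the system execution space (not the poster's running config)
! HR is the admin context: traffic originated by the system space borrows
! HR's interfaces and routing table.
admin-context HR
!
context HR
  ! Ethernet0/0 mapped as "outside" is an assumption
  allocate-interface Ethernet0/0 outside
  allocate-interface Ethernet0/1.26
  ! file name is an assumption
  config-url disk0:/HR.cfg
!
context Sales
  allocate-interface Ethernet0/0 outside
  allocate-interface Ethernet0/1.27
  ! file name is an assumption
  config-url disk0:/Sales.cfg
!
! Confirm from the system space which context is the admin context:
ASA5510# show context
!
! A ping typed in the system space is sourced from HR, so the Sales
! interface 192.168.27.1 is not reached that way. Test Sales addresses
! from inside the Sales context, then return to the system space:
ASA5510# changeto context Sales
ASA5510/Sales# ping 192.168.27.1
ASA5510/Sales# changeto system
```

Because each context keeps its own interfaces, routing table and policy, a failed ping from the system space to a non-admin context says nothing about that context's health; check it from inside the context.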

VIP Green

Keep in mind that the document I referenced is for ASA version 7.2, but the logic remains true for all multicontext ASA firewalls.

--

Please remember to select a correct answer and rate helpful posts
