Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
5
Helpful
2
Replies

Ping from System Conext in Multi context ASA

Go to solution
mahesh18
Level 6
Level 6

‎06-23-2014 12:57 PM - edited ‎03-11-2019 09:22 PM

 

Hi Everyone,

ASA has 2 contexts HR which is admin and other context Sales.

When i ssh to HR(admin) and go to system context.

Ping works fine from system context to HR context interfaces and also to nei switch which is connected to context HR amd also to default route

of HR as shown below

 

ASA5510/HR# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
outside OUTSIDE 172.16.1.1 255.255.255.0 CONFIG
Ethernet0/1.26 HR 192.168.26.1 255.255.255.0

ASA5510#                                 ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5510#                                 ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 172.16.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 192.168.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.26.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5510#                                 ping 192.168.26.2
 

But when i ping to context Sales interface it does not work.

      

ASA5510# ping 192.168.27.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.27.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA5510# changeto con
ASA5510# changeto context Sales
ASA5510/Sales# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
outside                  OUTSIDE                172.16.1.11     255.255.255.0   CONFIG
Ethernet0/1.27           Sales                  192.168.27.1    255.255.255.128 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
outside                  OUTSIDE                172.16.1.11     255.255.255.0   CONFIG
Ethernet0/1.27           Sales                  192.168.27.1    255.255.255.128 CONFIG
 

Need to know if this is default behaviour?

How does ping traffic flow or work from system context to HR interfaces and to devices connected to context HR?

Regards

MAhesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎06-23-2014 01:31 PM

This is default behavior.  The system context has no interfaces assigned to it and therefore uses an interface in the allocated admin context instead.  Here is a quote for a Cisco document:

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html#wp1133678

This is why you are able to ping networks connected to the HR (admin) context and not the Sales context.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

2 Replies 2

Go to solution
Marius Gunnerud
VIP
VIP

‎06-23-2014 01:31 PM

This is default behavior.  The system context has no interfaces assigned to it and therefore uses an interface in the allocated admin context instead.  Here is a quote for a Cisco document:

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html#wp1133678

This is why you are able to ping networks connected to the HR (admin) context and not the Sales context.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Marius Gunnerud
VIP
VIP
In response to Marius Gunnerud

‎06-23-2014 01:32 PM

Keep in mind that the document I referenced is for ASA version 7.2, but the logic remains true for all multicontext ASA firewalls.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card