08-31-2006 07:12 AM - edited 02-21-2020 01:08 AM
Anybody have any good tips on managing a pair of PIXs or ASAs in Active/Standby or Active/Active mode with contexts with CSM? The documentation tells you how to add contexts etc, but not how CSM handles existing Contexts on import. Does CSM manage all contexts via the admin context or does it need a routable connection to each context?
09-06-2006 07:23 AM
What is the version of software you are using on the devices?
09-07-2006 04:24 AM
I am using v7.2(1). One example scenario: in CSM, you can import an ASA with multiple contexts by its admin context management address. However, if this ASA is part of an Active/Active setup, how does CSM manage the contexts that are in Standby on this ASA?
09-08-2006 06:56 AM
Hi,
With CSM 3.x you have two ways of managing virtual contexts. You can either go via the admin context or you can go directly via SSL to the IP of the context. The way to decide this is to go to the device properties of a virtual FW and decide whether to fill in an IP address for the virtual FW or not (there is an option for a management IP address for that device).
Cisco recommends for virtual FWs that are in failover mode to always connect to the IP address of the virtual FW directly (so not via the admin context). The reason for this is that CSM is not capable of checking (when the connection goes via the admin context) whether that virtual FW is currently the active or the standby one. If the connection goes directly into the virtual FW, in case of a failover the standby context will take over the MAC and IP address, and from a CSM perspective nothing is different (we still connect to the same IP address).
To go into more detail: with virtual FWs on Cisco FWSM and ASAs/PIXs we put every virtual FW in a failover group. When one virtual FW in that specific failover group is failing, every other context in that failover group will also fail over. The admin context is by default in failover group 1. So for every other context in failover group 1 there will never be a problem, since if you go via the admin context CSM will hop from that one to another virtual FW, and that one will also be active because the admin context is active. So to be more precise: for every virtual FW in failover group 2, you HAVE TO set up connectivity directly to the IP of the virtual FW.
Hope this helps.
Erik Lenten
Technical Marketing Engineer
Security Management
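As an added illustration of the failover-group layout described in the answer above (constructed for this thread, not Cisco's or the poster's own configuration): an ASA 7.2 system-space fragment with the admin context left in failover group 1, a second context moved to failover group 2, and the management interface inside that context whose active/standby pair is the address CSM should be pointed at. All hostnames, interface names, VLANs, context names and addresses are made up.

```cisco
! --- System execution space (constructed example) ---
hostname asa-primary
! Active/Active failover: every context belongs to a failover group, and
! each group can be active on a different physical unit at the same time.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Group 1 is normally active on the primary unit. The admin context lives
! here, so anything CSM reaches "via admin" follows this group.
failover group 1
  primary
  preempt
! Group 2 is normally active on the secondary unit.
failover group 2
  secondary
  preempt
! VLAN subinterfaces used as per-context management interfaces.
interface GigabitEthernet0/1.10
  vlan 10
interface GigabitEthernet0/1.20
  vlan 20
! Admin context: stays in failover group 1 (the default, no join needed).
admin-context admin
context admin
  allocate-interface GigabitEthernet0/1.10
  config-url disk0:/admin.cfg
! Context in group 1: active on the same unit as admin, so managing it
! through the admin context works.
context ctx-group1
  allocate-interface GigabitEthernet0/0
  config-url disk0:/ctx-group1.cfg
  join-failover-group 1
! Context in group 2: normally active on the OTHER unit, so CSM must be
! given this context's own management address rather than the admin path.
context ctx-group2
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/1.20
  config-url disk0:/ctx-group2.cfg
  join-failover-group 2
! --- Inside ctx-group2 (constructed): the address to enter in CSM ---
! The active side of the context always answers on 198.51.100.10, so a
! failover changes nothing from CSM's point of view.
interface GigabitEthernet0/1.20
  nameif management
  security-level 100
  ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
  management-only
```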
09-11-2006 01:19 AM
Thanks, that was really useful information.