Cisco – Switching to multiple context mode on a Cisco ASA 5585-X; what happens to running config

ciscocisco-asa

I might need to implement a change where an existing in production ASA 5585-X pair (single fail-over) would need to transition to multiple context mode to allow the addition of a new context.

For what I understand the running-config gets split into a system context config and an admin context config. I then can create a new context to do the work that I need done.

What i'm unsure about is if there will need to be other config changes needed to transition into a multiple context mode? Since this ASA pair is in production I was hoping for a direct migration to multiple context mode.

Side question: Would it be possible to do this migration in stages on the ASA pair to avoid needing to reboot both at the same time?

Best Answer

What i'm unsure about is if there will need to be other config changes needed to transition into a multiple context mode? Since this ASA pair is in production I was hoping for a direct migration to multiple context mode.

Config summary

I have made the transition from single context to multiple context mode several times on running firewall pairs. You are correct that multiple context mode creates the following contexts by default:

system context
admin context

After you configure mode multiple in single-context mode, the running configuration is saved as old_running.cfg on the flash disk (ref this CCO doc).

Features / Licensing:

If you can't test the exact changes on the same model of ASA ahead of time, the safest thing to do is asking for a maintenance window; feature support changes when you go into multiple context mode.

Also, depending on how many contexts you create, you may run into licensing issues. I had to convert a single layer2 firewall into multiple contexts (per-Vlan firewalls); this meant buying another 10-context license from Cisco because you don't get many licenses by default. Also, vlan mapping was a big issue to work around... ymmv.

Side question: Would it be possible to do this migration in stages on the ASA pair to avoid needing to reboot both at the same time?

Breaking a redundant pair

Yes, but as Ricky said you should just take half the pair down. Disconnect uplinks from the standby, and remove the redundancy config; then, migrate the standby unit first. When the standby comes up in multiple context mode, switch to the system context (changeto system) and:

create a new context in system context config mode: context FOO
assign a dedicated config location: config-url disk0:FOO.cfg
assign interfaces to the context: i.e. allocate GigabitEthernet0/1

Now changeto context FOO to start configuring. It is best to be on the console when you migrate. If interface names don't change between single and multiple context mode, you can copy / paste the config directly into the new context... be aware that some things (i.e. ssh timeout settings) go into the admin context and still others in the system context. It's not hard to work out after you get started... context-sensitive ? help alerts you to which pieces need to be in a given context.

After you have the former standby turned up, you cut services over to it and migrate the former primary. Redundancy still works in multiple context mode, but you must configure the state synchronization link(s) in the system context.

Related Solutions

Cisco ASA Transparent Mode Configuration – Layer2 DMZ with VLAN Translation

I don't have SUP7 to test, but it works on SUP6 and SUP32, I would presume SUP7 retains this functionality.

I've tested between JNPR M320 <-> SUP32, and 'vlan mapping JNPR SUP32' works just fine.

There is no need for QinQ, what the QinQ option does is it adds top tag to one particularly tag. So switchport vlan mapping 1042 dot1q-tunnel 42 would map incoming [1042] stack to [42 1042] stack. As opposed to switchport vlan mapping 1042 42 which maps incoming dot1q Vlan [1042] to dot1q Vlan [42].

JNPR M320 config:

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# show 
vlan-id 1042;
family inet {
    address 10.42.42.1/24;
}
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show interfaces ge-0/1/0               
Physical interface: ge-0/1/0, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 506
  Description: B: SUP32 ge5/1
  Link-level type: Flexible-Ethernet, MTU: 9192, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:12:1e:d5:90:7f, Hardware address: 00:12:1e:d5:90:7f
  Last flapped   : 2013-02-19 09:14:29 UTC (19w6d 21:12 ago)
  Input rate     : 4560 bps (5 pps)
  Output rate    : 6968 bps (4 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

SUP32 config:

SUP32#show run int giga5/1
Building configuration...

Current configuration : 365 bytes
!
interface GigabitEthernet5/1
 description F: M320 ge-0/1/0
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 switchport vlan mapping 1042 42
 mtu 9216
 bandwidth 1000000
 speed nonegotiate
 no cdp enable
 spanning-tree portfast edge trunk
 spanning-tree bpdufilter enable
end

SUP32#show ru int vlan42
Building configuration...

Current configuration : 61 bytes
!
interface Vlan42
 ip address 10.42.42.2 255.255.255.0
end

SUP32#sh int GigabitEthernet5/1 vlan mapping  
State: enabled
Original VLAN Translated VLAN
------------- ---------------
  1042           42  

SUP32#sh int vlan42                           
Vlan42 is up, line protocol is up 
  Hardware is EtherSVI, address is 0005.ddee.6000 (bia 0005.ddee.6000)
  Internet address is 10.42.42.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output 00:01:27, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 17 pkt, 1920 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     38 packets input, 3432 bytes, 0 no buffer
     Received 21 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     26 packets output, 2420 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

And

SUP32#ping 10.42.42.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SUP32#sh arp | i 10.42.42.1
Internet  10.42.42.1             12   0012.1ed5.907f  ARPA   Vlan42
SUP32#show mac address-table dynamic address 0012.1ed5.907f
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
Active Supervisor:
*  450  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   50  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   40  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   42  0012.1ed5.907f   dynamic  Yes          5   Gi5/1


user@m320# run ping 10.42.42.2 count 2 
PING 10.42.42.2 (10.42.42.2): 56 data bytes
64 bytes from 10.42.42.2: icmp_seq=0 ttl=255 time=0.495 ms
64 bytes from 10.42.42.2: icmp_seq=1 ttl=255 time=0.651 ms

--- 10.42.42.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.495/0.573/0.651/0.078 ms

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show arp no-resolve |match 10.42.42.2 
00:05:dd:ee:60:00 10.42.42.2      ge-0/1/0.1042        none

Cisco – Does L-ASA-SC-10= require a reboot

A reload is only required when changing encryption features or downgrading a permanent license. You shouldn't have to break your failover pair either. For a failover pair running >8.3(1), you only need a context license on the primary, and the secondary will inherit. Context licenses applied to both units in a failover pair will combine.