[c-nsp] ASAs and multiple context mode...
Jeff Kell
jeff-kell at utc.edu
Wed Apr 23 17:05:26 EDT 2008
Have an interesting issue, and no "testbed" available to evaluate my
options, curious if anyone has "been there, done that"...
Have a pair of ASAs running multiple contexts in active/active failover
mode. They are basically multiple contexts with an "inside" and
"outside" interface.
The "insides" are grouped into trunks (G0/0 and G0/2), as well as the
"outsides" (G0/1 and G0/3).
We have load sharing by dividing the contexts across the pairs of
available trunks (physical interfaces).
They are further load shared by dividing the context failover groups
across the two ASAs.
Due to changing usage patterns, I need to move one of the contexts' feeds
from G0/0 over to G0/2 (as well as the outside from G0/1 to G0/3).
On paper, this is just a minor change of interface descriptions and
context allocations in the system context.
In practice, you have to delete the old physical and virtual interface
definitions and add in the new ones. When the old one is "deleted", the
ASA feels the need to delete all references to that interface in all of
the child contexts for you, and really spoil the party.
The "relevant" config change in the system context is from:
> admin-context admin
> context admin
> description Primary channel context
> allocate-interface GigabitEthernet0/0.48 legacy_inside visible
> allocate-interface GigabitEthernet0/1.40 legacy_outside visible
> config-url disk0:/admin.cfg
> join-failover-group 1
into
> admin-context admin
> context admin
> description Primary channel context
> allocate-interface GigabitEthernet0/2.48 legacy_inside visible
> allocate-interface GigabitEthernet0/3.40 legacy_outside visible
> config-url disk0:/admin.cfg
> join-failover-group 1
If this were IOS, I'd just copy straight to startup-config and reload,
but the ASAs don't seem to want to play that game.
Any suggestions, other than a big fat ugly cut-and-paste party to save
and re-enter the context configurations after making this change?
Thanks,
Jeff