topic Admin context on active device is faulty in Network Security

Admin context on active device is faulty

shinda_77 — Sat, 24 Oct 2020 09:19:18 GMT

I have situation, that on the active device of FMMS the admin context is faulty and it has hell lot configuration missing, can not login to it. On the Secondary Device firewall Admin context is fine.
--------------------------------
The version is:
On the active device it says:

-- From System Context:
FWSM Firewall Version 4.1(6) <system>
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
......................................................

on the Secondary device:
FWSM Firewall Version 4.1(6) <system>
Device Manager Version 6.2(2)F
---------------------------------------------

On the actual 6500 device the version:

Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 22-Jun-11 18:03 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

=======================================================================

I tried to failover from primary to secondary from system context .. with command "no failver active" on Primary.

but it does not make different yes on System context it changes but other contexts it does not.
So idea is that the faulty context can become secondary and can sync with secondary one which will be 'active' after failover. Then we can change back to the original stage.

Anyway several tries has not resulted in success.

Please if some one can help.

Please note this is in Prod, cant try just anything.

need a solution so that i can write the CIP and can request CRQ.

Regards

Shinda

Re: Admin context on active device is faulty

balaji.bandi — Sat, 24 Oct 2020 10:48:28 GMT

Looks like the configuration not synched with secondary as per the information.

have you done any upgrade?

You will need to upgrade it before using ASDM.

FWSM is the end of life way decade back, i know some people still using it depends on requirement. if you have out of the box config backup.

i only suggest pulling the module and insert back. (but its risk - other than that i do not see any option ?)

Re: Admin context on active device is faulty

shinda_77 — Sun, 25 Oct 2020 05:29:31 GMT

Hello BB,

thanks for your reply,

we don't use ASDM so, not worried about it.
meantime the best is to fix the admin context on Active.

if it was other contact we would rebuilt it, but admin we cant delete and rebuild.

So only solution is restarting the device? no way we fix by synchronizing ?

Thanks again

Re: Admin context on active device is faulty

Aref Alsouqi — Sun, 25 Oct 2020 14:49:23 GMT

How were you able to see that there are some missing configs on the admin context config file? did you try to move into the admin context with the command changeto context admin and it failed?. One thing you might try would be to copy the admin context config file from the standby unit (disk0:/admin.cfg unless you changed it from its default) to the primary unit.

Re: Admin context on active device is faulty

shinda_77 — Mon, 26 Oct 2020 00:50:53 GMT

Hi,

Thanks a lot Aref,

we can go by the actual 6500 device with command:

'session slot 6 p 1'

we can change to "changeto context admin"

but cant run any command even 'sh run"

from the system context we can do with command:

"more disk0:/admin.cfg "
this shows us more like "sh run" of the context and here i can see that this context is missing hell lot of configuration as compared to secondary admin context. more importantly reletated user login, tacacs etc.

is there way we can edit "disk0:/admin.cfg" like copy it from secondary device ?

how can we do this ?

Regards

Shinda Singh

Re: Admin context on active device is faulty

Aref Alsouqi — Mon, 26 Oct 2020 00:59:57 GMT

You welcome. How about if you transfer the admin.cfg file from the secondary to a tftp server, and then you copy it from the tftp server to the primary?

Re: Admin context on active device is faulty

shinda_77 — Mon, 26 Oct 2020 05:11:50 GMT

Hi Aref,

that is what I want to know how can we copy ?
is it possible ?
please if you can send me some links or url i can go through the steps.

Regards

Shinda Singh

Re: Admin context on active device is faulty

Aref Alsouqi — Mon, 26 Oct 2020 19:10:43 GMT

Setup a tftp server, then go into the context admin on the standby unit, and use the command copy run tftp:, it will prompt you to confirm the source file name, hit enter, then it will ask you to type in the tftp server IP address, and will ask you to confirm the destination file name, here type admin.cfg. Once that is done, go to the primary unit admin context, and the do the reverse with the command copy tftp: run, confirm the details, and save the config. That should work.

Re: Admin context on active device is faulty

shinda_77 — Tue, 27 Oct 2020 00:42:37 GMT

Hi Aref,
I will try and let you know

issue is when I login to 'admin' context on primary, I can only do by 6500 device with command "session slot 7 p 1" and then using credentials. It takes me to system context and I can change to admin from here. but being in it I cant run any command ?

it gives error as below:

admin/7/act# sh run
Command authorization failed
-----------------
so that is the issue , if i can run tftp commands:

Regards

Re: Admin context on active device is faulty

Aref Alsouqi — Wed, 28 Oct 2020 09:21:51 GMT

What aaa configuration have you applied to the admin context? also, for what purpose are you using the admin context? only management or as an actual context for users?