https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3214162#M926719 Hi,<BR /><BR />Can you verify that this is not happening?<BR />You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the<BR />ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline<BR />tap monitor-only mode for some contexts, and regular inline mode for others.<BR /><BR />On page 3:<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf</A><BR /><BR />br, Micke<BR /> Thu, 09 Nov 2017 20:04:50 GMT mikael.lahtela 2017-11-09T20:04:50Z https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3213762#M926718 <P>Hi,</P> <P>&nbsp;</P> <P>I had issues configuring traffic redirection on ASA's configured with multiple contexts.</P> <P>I can create a new class-map within each context and enable monitor mode. However when I want I want to disable monitor mode and configure inline via ASDM I receive an error:</P> <P>[Error] sfr fail-open command failed.</P> <P>I am able to configure without errors via the admin context.</P> <P>&nbsp;</P> <P>ASA Ver 9.6.3(1)</P> <P>ASDM Ver 7.7.1(151)</P> <P>&nbsp;</P> <P>Documentation suggests that the redirection should be configured within each context.</P> <P>&nbsp;</P> <P>Any suggestions or clarification would be appreciated.</P> <P>&nbsp;</P> <P>Ian</P> <P>&nbsp;</P> Fri, 21 Feb 2020 14:41:56 GMT https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3213762#M926718 iwearing 2020-02-21T14:41:56Z https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3214162#M926719 Hi,<BR /><BR />Can you verify that this is not happening?<BR />You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the<BR />ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline<BR />tap monitor-only mode for some contexts, and regular inline mode for others.<BR /><BR />On page 3:<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf</A><BR /><BR />br, Micke<BR /> Thu, 09 Nov 2017 20:04:50 GMT https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3214162#M926719 mikael.lahtela 2017-11-09T20:04:50Z https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3216324#M926720 Hi Micke,<BR /><BR />I deleted the redirection class map from both contexts.<BR /><BR />I created a new class map on one context only and the policy still fails when trying to apply online. I can still configure in monitor mode only..<BR /><BR />Br<BR /><BR />Ian<BR /> Tue, 14 Nov 2017 14:24:55 GMT https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3216324#M926720 iwearing 2017-11-14T14:24:55Z https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3216522#M926721 <P>This has been working for me:</P> <P>admin context:<BR />Nothing</P> <P>&nbsp;</P> <P>contextA:</P> <PRE>access-list contextA-inside_mpc extended permit ip any any ! class-map contextA-inside-class-sfr match access-list contextA-inside_mpc ! policy-map contextA-inside-policy class contextA-inside-class-sfr sfr fail-open !</PRE> <P>contextB:</P> <PRE>access-list contextB-inside_mpc extended permit ip any any ! class-map contextB-inside-class-sfr match access-list contextB-inside_mpc ! policy-map contextB-inside-policy class contextB-inside-class-sfr sfr fail-open</PRE> Tue, 14 Nov 2017 19:27:31 GMT https://community.cisco.com/t5/network-security/asa-traffic-redirection-to-sourcefile-in-multiple-contexts/m-p/3216522#M926721 mikael.lahtela 2017-11-14T19:27:31Z