Abey K. George
Cisco Employee

Introduction

The ASA device package version 1.2 or later supports ASA in both single-context and multiple-context modes. You can partition a single physical ASA into multiple virtual firewalls, known as security contexts (virtual contexts). Each context acts as an independent device with its own security policy, interfaces, and management IP address. The Application Policy Infrastructure Controller (APIC) does not create the ASA contexts; they must be predefined. The APIC performs the allocate-interface on the system context, the firewall configuration on the virtual context, and the Cisco Application Centric Infrastructure (ACI) fabric policy. The APIC therefore needs to communicate with the system context and with each virtual context.


You can refer to the following TechZone article to understand how to create L4-L7 devices for each ASA context.

https://supportforums.cisco.com/t5/data-center-documents/aci-service-graph-l4-l7-integration-of-asa-in-multi-context-mode/ta-p/3320665


Problem

The following fault appeared when creating an L4-L7 device for a user context:


F0324: Cluster configuration resulted in *Major script error : Device parameter error for multi-context ASA : The context specified by cluster IP address 10.66.88.21 is not admin context. It must be admin context.* for ctx-abegeorg on cluster ctx-abegeorg in tenant abegeorg


Condition


>>> Management interface configuration in admin context

ASAFab3/admin# show interface
Interface Management0/0 "mgmt", is up, line protocol is up
    MAC address 84b2.6191.8929, MTU 1500
    IP address 10.66.88.21, subnet mask 255.255.255.224
  Traffic Statistics for "mgmt":
    597810 packets input, 218334365 bytes
    180524 packets output, 73942117 bytes
    328223 packets dropped
    Management-only interface. Blocked 0 through-the-device packets
ASAFab3/admin#


>>> Management interface configuration in user context

ASAFab3/ctx-abegeorg(config)# show interface
Interface Management0/0 "abegeorg-management", is up, line protocol is up
    MAC address 84b2.6191.8929, MTU 1500
    IP address 10.66.88.23, subnet mask 255.255.255.224
  Traffic Statistics for "abegeorg-management":
    61 packets input, 22686 bytes
    25 packets output, 1932 bytes
    36 packets dropped
    Management-only interface. Blocked 0 through-the-device packets
ASAFab3/ctx-abegeorg(config)#


Root Cause

The following are the device package logs from /data/devicescript/CISCO.ASA.1.2/logs/debug.log:

2018-01-09 10:44:24.423398 INFO Thread-14 107281 [10.66.88.21, 6680] GET https://10.66.88.21:443/admin/exec/changeto%20context%20ctx-abegeorg/show%20ip%20address%20management%20%7C%20begin%20Current%20IP%20Address%3A Time=0.006241 seconds
2018-01-09 10:44:24.423510 INFO Thread-14 107282 [10.66.88.21, 6680] asa_ip_2_context_map:
{}
2018-01-09 10:44:24.424160 INFO Thread-14 107283 [10.66.88.21, 6680] [Result of clusterAudit]
{'faults': [([],
             70,
             'No user context from the ASA device addressed by 10.66.88.21 is found in the cluster member devices. There must be one.')],
 'state': 2}
2018-01-09 10:44:24.424496 DEBUG Thread-14 107285 [10.66.88.21, 6680] Result: {'faults': [([], 70, 'No user context from the ASA device addressed by 10.66.88.21 is found in the cluster member devices. There must be one.')], 'state': 2}
2018-01-09 10:44:24.424541 DEBUG Thread-14 107286 [10.66.88.21, 6680] Faults: [([], 70, 'No user context from the ASA device addressed by 10.66.88.21 is found in the cluster member devices. There must be one.')]
2018-01-09 10:44:24.424580 DEBUG Thread-14 107287 [10.66.88.21, 6680] fault, destinations: [], set([])
2018-01-09 10:44:24.424807 DEBUG Thread-14 107288 [10.66.88.21, 6680] Send num: 6692, type: 210, len: 170

>>> The asa-device-pkg-1.2.8.9/utils/utils.py, which uses the interface nameif "management" specifically

    def get_ip2context_name_map(device):
        '@return the mapping of management IP address to context name'

        def get_asa_context_names(device):
            '@return the names of all the context in the ASA device'
            # Runs in the system context; each matching line reads "context <name>"
            result, error = query_asa(device, "show run context | grep ^context", "system", hide_exception=False)
            return map(lambda line: line.split()[1], result.strip().split('\n'))

        def get_man_ip_address(device, context_name):
            '@return the ip address of the management interface in the given context'
            # The nameif "management" is hard-coded here: any other nameif makes this command fail
            config, error = query_asa(device, "show ip address management | begin Current IP Address:",
                                      context_name, hide_exception=False)

>>> In this case, the management interface is configured with a different nameif (e.g. "mgmt"). Hence the command fails in the script and the fault appears.

ASAFab3/admin# show ip address management | begin Current IP Address:

show ip address management | begin Current IP Address:
                           ^
ERROR: % Invalid input detected at '^' marker.
ASAFab3/admin#


Solution

>>> Change the management interface name to "management"


interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.66.88.21 255.255.255.224
!


Caution: Changing the management interface name will reset the interface. Hence, make a different user context the admin context using "admin-context <user context>" for temporary device management while the management interface in the admin context is being fixed.

Additional Reference

Having the nameif of the management interface (it does not have to be Management0/0) set to 'management' is one of the basic prerequisites for setting up an ASA to work with the ASA device package.

It is not only used in multi-context mode ASA to determine the context name; it is also used in other places, for example in a failover configuration, where it is used to determine the management interface on which to set up the management standby IP address.

More importantly, it is used to differentiate data interfaces from management interface(s). During the serviceAudit operation, any interface whose nameif starts with the string 'management' is considered 'untouchable'; for a non-management interface (one whose nameif does not start with 'management'), the serviceAudit operation shall clean up its configuration if it has no configuration on APIC.

Hence, it is highly recommended to configure nameif "management" for the management interface.
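As an added example (not code from the device package or from this article), the following Python pre-check emulates the management-IP-to-context mapping described under Root Cause and the 'management' nameif rule from the serviceAudit note above, so a context whose management nameif would trip F0324 or be cleaned up by serviceAudit can be spotted before the L4-L7 device is created. The "show interface" samples are constructed from the outputs quoted in this article, and the regexes, function names and the assumption that the admin context is named "admin" are the example's own.

```python
import re

# Constructed sample "show interface" output per context, abbreviated from
# the outputs quoted above: nameif "mgmt" and "abegeorg-management",
# neither of which is exactly "management".
SAMPLE_SHOW_INTERFACE = {
    "admin": ('Interface Management0/0 "mgmt", is up, line protocol is up\n'
              '    IP address 10.66.88.21, subnet mask 255.255.255.224\n'),
    "ctx-abegeorg": ('Interface Management0/0 "abegeorg-management", is up, line protocol is up\n'
                     '    IP address 10.66.88.23, subnet mask 255.255.255.224\n'),
}

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+)')
IP_RE = re.compile(r'^\s+IP address (\d+\.\d+\.\d+\.\d+), subnet mask')

def parse_interfaces(show_interface_output):
    """Return [{port, nameif, ip}] parsed from 'show interface' text."""
    interfaces = []
    for line in show_interface_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            interfaces.append({"port": m.group(1), "nameif": m.group(2), "ip": None})
        elif interfaces and IP_RE.match(line):
            interfaces[-1]["ip"] = IP_RE.match(line).group(1)
    return interfaces

def is_untouchable(nameif):
    """serviceAudit leaves any interface whose nameif starts with 'management' alone."""
    return nameif.startswith("management")

def ip2context_map(show_interface_by_context):
    """Emulate get_ip2context_name_map: a context enters the map only if it has an
    interface whose nameif is exactly 'management' (what 'show ip address management'
    resolves). Returns (ip -> context map, list of contexts that would be skipped)."""
    mapping, skipped = {}, []
    for ctx, text in show_interface_by_context.items():
        mgmt = [i for i in parse_interfaces(text) if i["nameif"] == "management" and i["ip"]]
        if mgmt:
            mapping[mgmt[0]["ip"]] = ctx
        else:
            skipped.append(ctx)
    return mapping, skipped

def precheck_f0324(cluster_ip, admin_ctx, show_interface_by_context):
    """True when the cluster IP resolves to the admin context and no context is skipped."""
    mapping, skipped = ip2context_map(show_interface_by_context)
    return mapping.get(cluster_ip) == admin_ctx and not skipped
```

Running precheck_f0324("10.66.88.21", "admin", SAMPLE_SHOW_INTERFACE) returns False for the configuration shown in this article and True once both contexts use nameif "management".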
