Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
867
Views
0
Helpful
3
Replies

ASA traffic redirection to Sourcefile in Multiple Contexts

iwearing
Level 1
Level 1

‎11-09-2017 01:41 AM - edited ‎02-21-2020 06:41 AM

Hi,

 

I had issues configuring traffic redirection on ASA's configured with multiple contexts.

I can create a new class-map within each context and enable monitor mode. However when I want I want to disable monitor mode and configure inline via ASDM I receive an error:

[Error] sfr fail-open command failed.

I am able to configure without errors via the admin context.

 

ASA Ver 9.6.3(1)

ASDM Ver 7.7.1(151)

 

Documentation suggests that the redirection should be configured within each context.

 

Any suggestions or clarification would be appreciated.

 

Ian

 

Labels:
0 Helpful
3 Replies 3

mikael.lahtela
Level 4
Level 4

‎11-09-2017 12:04 PM

Hi,

Can you verify that this is not happening?
You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the
ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline
tap monitor-only mode for some contexts, and regular inline mode for others.

On page 3:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf

br, Micke
0 Helpful

iwearing
Level 1
Level 1
In response to mikael.lahtela

‎11-14-2017 06:24 AM

Hi Micke,

I deleted the redirection class map from both contexts.

I created a new class map on one context only and the policy still fails when trying to apply online. I can still configure in monitor mode only..

Br

Ian
0 Helpful

mikael.lahtela
Level 4
Level 4
In response to iwearing

‎11-14-2017 11:27 AM

This has been working for me:

admin context:
Nothing

 

contextA:

access-list contextA-inside_mpc extended permit ip any any
!
class-map contextA-inside-class-sfr
match access-list contextA-inside_mpc
!
policy-map contextA-inside-policy
class contextA-inside-class-sfr
sfr fail-open
!

contextB:

access-list contextB-inside_mpc extended permit ip any any
!
class-map contextB-inside-class-sfr
match access-list contextB-inside_mpc
!
policy-map contextB-inside-policy
class contextB-inside-class-sfr
sfr fail-open
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card