576 Views | 0 Helpful | 3 Replies
Beginner

ASA traffic redirection to Sourcefire in Multiple Contexts

Hi,

I had issues configuring traffic redirection on ASA's configured with multiple contexts.

I can create a new class-map within each context and enable monitor mode. However, when I want to disable monitor mode and configure inline via ASDM, I receive an error:

[Error] sfr fail-open command failed.

I am able to configure without errors via the admin context.

ASA Ver 9.6.3(1)

ASDM Ver 7.7.1(151)

Documentation suggests that the redirection should be configured within each context.

Any suggestions or clarification would be appreciated.

Ian

3 REPLIES
Enthusiast

Re: ASA traffic redirection to Sourcefire in Multiple Contexts

Hi,

Can you verify that this is not happening?
You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the
ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline
tap monitor-only mode for some contexts, and regular inline mode for others.

On page 3:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf

br, Micke
Beginner

Re: ASA traffic redirection to Sourcefire in Multiple Contexts

Hi Micke,

I deleted the redirection class map from both contexts.

I created a new class map on one context only and the policy still fails when trying to apply inline. I can still configure in monitor mode only.

Br

Ian
Enthusiast

Re: ASA traffic redirection to Sourcefire in Multiple Contexts

This has been working for me:

admin context:
Nothing

contextA:

access-list contextA-inside_mpc extended permit ip any any
!
class-map contextA-inside-class-sfr
match access-list contextA-inside_mpc
!
policy-map contextA-inside-policy
class contextA-inside-class-sfr
sfr fail-open
!

contextB:

access-list contextB-inside_mpc extended permit ip any any
!
class-map contextB-inside-class-sfr
match access-list contextB-inside_mpc
!
policy-map contextB-inside-policy
class contextB-inside-class-sfr
sfr fail-open
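The constraint quoted in the first reply (monitor-only and regular inline redirection cannot be mixed across contexts) and the per-context class-map / policy-map layout in the last reply are easy to audit offline before touching ASDM. The following Python script is an added example, not code from the thread or from Cisco: it walks each context's running-config text, records the mode of every `sfr` action inside a `policy-map`, flags a mix of `monitor-only` and inline modes across contexts, and also reports any sfr policy-map that is never bound with `service-policy`. The sample configs are constructed from the snippets above, with contextB deliberately switched to `monitor-only` so there is something to flag; the `service-policy` lines are an assumption, since the thread does not show them.

```python
import re
from typing import Dict, List

# Constructed sample running-configs for two contexts, modelled on the
# class-map / policy-map snippets in the thread. contextB is deliberately
# set to monitor-only so the checker has a violation to report. The
# 'service-policy' lines are an assumption: the thread does not show them,
# but a policy-map only takes effect once it is applied.
SAMPLE_CONFIGS: Dict[str, str] = {
    "contextA": (
        "access-list contextA-inside_mpc extended permit ip any any\n"
        "!\n"
        "class-map contextA-inside-class-sfr\n"
        " match access-list contextA-inside_mpc\n"
        "!\n"
        "policy-map contextA-inside-policy\n"
        " class contextA-inside-class-sfr\n"
        "  sfr fail-open\n"
        "!\n"
        "service-policy contextA-inside-policy interface inside\n"
    ),
    "contextB": (
        "access-list contextB-inside_mpc extended permit ip any any\n"
        "!\n"
        "class-map contextB-inside-class-sfr\n"
        " match access-list contextB-inside_mpc\n"
        "!\n"
        "policy-map contextB-inside-policy\n"
        " class contextB-inside-class-sfr\n"
        "  sfr fail-open monitor-only\n"
        "!\n"
        "service-policy contextB-inside-policy interface inside\n"
    ),
}

# 'service-policy NAME global' or 'service-policy NAME interface IFNAME'
SERVICE_POLICY_RE = re.compile(r"^\s*service-policy\s+(\S+)\s+(?:global|interface\s+\S+)\s*$")


def sfr_policies(config: str) -> Dict[str, List[str]]:
    """Map each policy-map name to the redirection modes of its 'sfr' actions.

    A mode is 'monitor-only' for inline tap mode and 'inline' for a plain
    'sfr fail-open' / 'sfr fail-close'. Policy-maps without an sfr action
    are omitted.
    """
    policies: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            # last token is the name, also for 'policy-map type inspect ... NAME'
            current = line.split()[-1]
        elif line == "!":
            current = None  # '!' closes the block
        elif current and line.startswith("sfr "):
            mode = "monitor-only" if line.endswith(" monitor-only") else "inline"
            policies.setdefault(current, []).append(mode)
    return policies


def applied_policies(config: str) -> List[str]:
    """Names of policy-maps bound to an interface or globally via 'service-policy'."""
    return [m.group(1) for m in map(SERVICE_POLICY_RE.match, config.splitlines()) if m]


def check_contexts(configs: Dict[str, str]) -> Dict[str, object]:
    """Audit SFR redirection across contexts.

    Returns 'modes' (context -> sfr modes found), 'mixed' (True when
    monitor-only and inline are both in use, which the ASA does not allow
    across contexts) and 'unapplied' (context -> sfr policy-maps with no
    matching service-policy).
    """
    modes: Dict[str, List[str]] = {}
    unapplied: Dict[str, List[str]] = {}
    for name, cfg in configs.items():
        policies = sfr_policies(cfg)
        modes[name] = [m for ms in policies.values() for m in ms]
        bound = set(applied_policies(cfg))
        missing = [p for p in policies if p not in bound]
        if missing:
            unapplied[name] = missing
    used = {m for ms in modes.values() for m in ms}
    return {"modes": modes, "mixed": len(used) > 1, "unapplied": unapplied}


if __name__ == "__main__":
    report = check_contexts(SAMPLE_CONFIGS)
    for ctx, ms in report["modes"].items():
        print(f"{ctx}: {', '.join(ms) or 'no sfr redirection'}")
    if report["mixed"]:
        print("WARNING: monitor-only and inline redirection mixed across contexts (not supported)")
    for ctx, pols in report["unapplied"].items():
        print(f"WARNING: {ctx}: sfr policy-map(s) not applied with service-policy: {', '.join(pols)}")
```

Feed it one `show running-config` capture per context (for example via `changeto context NAME` from the system execution space) and it reports the mode in use per context; a `mixed` result is the condition the documentation quoted above forbids, and an `unapplied` entry means the policy-map exists but redirects nothing.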