I had issues configuring traffic redirection on ASAs configured with multiple contexts.
I can create a new class-map within each context and enable monitor mode. However, when I want to disable monitor mode and configure inline via ASDM, I receive an error:
[Error] sfr fail-open command failed.
I am able to configure without errors via the admin context.
ASA Ver 9.6.3(1)
ASDM Ver 7.7.1(151)
Documentation suggests that the redirection should be configured within each context.
Any suggestions or clarification would be appreciated.
This has been working for me:
access-list contextA-inside_mpc extended permit ip any any
!
class-map contextA-inside-class-sfr
 match access-list contextA-inside_mpc
!
policy-map contextA-inside-policy
 class contextA-inside-class-sfr
  sfr fail-open
!
access-list contextB-inside_mpc extended permit ip any any
!
class-map contextB-inside-class-sfr
 match access-list contextB-inside_mpc
!
policy-map contextB-inside-policy
 class contextB-inside-class-sfr
  sfr fail-open