
ASA5525 Active/Standby pair lost config-url for multi context configuration.

Drew T
Level 1

Hi folks,


I have an unusual one I need some help with. I have a pair of 5525s, active/standby, and during an upgrade from 8.6 to 9.14 via 9.0(4), the recommended path from Cisco, I've noticed something strange in the config for contexts and it's causing issues (we can't fail over, and until it's resolved, I'm stuck at 9.0(4) and I need to upgrade to 9.14).

The primary/standby failover configuration looks to be good:

 

firewall-1# sh fail
Failover On 
Failover unit Primary
Failover LAN Interface: Context_Failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
failover replication http
Version: Ours 9.0(4)42, Mate 9.0(4)42
Last Failover at: 02:03:50 UTC Jul 17 2020
	This host: Primary - Active 


firewall-1# failover exec standby sh fail
Failover On 
Failover unit Secondary
Failover LAN Interface: Context_Failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
failover replication http
Version: Ours 9.0(4)42, Mate 9.0(4)42
Last Failover at: 03:21:01 UTC Jun 22 2020
	This host: Secondary - Standby Ready 

So the configuration *appears* to be synced correctly (and in the past, before we started the upgrade, it was fine).

 

During the upgrade, the primary (when it was being upgraded whilst the secondary was active) appears to have had two of the context files from disk0: zero byte'd, and has removed the configuration URL from the contexts:

 

context CONTEXT-A
  allocate-interface GigabitEthernet0/0.100 
  config-url disk0:/CONTEXT-A
!

context CONTEXT-B  
  allocate-interface GigabitEthernet0/0.200 
!             
              
context CONTEXT-C
  allocate-interface GigabitEthernet0/0.300
!             
              
context CONTEXT-D
  allocate-interface GigabitEthernet0/0.400 
  config-url disk0:/CONTEXT-D
!             


(You can see the ones either side are just fine, though.) This config is on the system context of both the primary and secondary in the show run, but the show start on the secondary does not have this:

 

firewall-1# failover exec standby show start

<snip>
context CONTEXT-A
  allocate-interface GigabitEthernet0/0.100 
  config-url disk0:/CONTEXT-A
!
              
context CONTEXT-D
  allocate-interface GigabitEthernet0/0.400 
  config-url disk0:/CONTEXT-D
!             

<snip>

The show start on the primary though is the same as the show run.

disk0: on the primary has the files, but they're 0 bytes (unlike the ones either side, which you can see are good):
firewall-1# dir disk0:

Directory of disk0:/

6      drwx  4096         14:22:16 Feb 17 2014  log
<snip>
86     -rwx  4055         23:02:32 Aug 06 2020  CONTEXT-A
87     -rwx  0            14:31:32 Apr 08 2020  CONTEXT-B
88     -rwx  0            13:51:08 Apr 08 2020  CONTEXT-C
90     -rwx  1802         23:02:32 Aug 06 2020  CONTEXT-D

But on the standby:

firewall-1# failover exec standby dir disk0:

Directory of disk0:/

11     drwx  4096         17:45:32 Feb 17 2014  log
<snip>
86     -rwx  4511         01:21:58 Aug 07 2020  CONTEXT-A
87     -rwx  10543        15:47:12 Aug 06 2020  CONTEXT-B
88     -rwx  14198        08:40:48 Jun 26 2020  CONTEXT-C
89     -rwx  2244         01:21:58 Aug 07 2020  CONTEXT-D

It's there and is fine. I can do a 'more disk0:CONTEXT-A' on the secondary/standby and the configuration is just fine.


And obviously, I cannot change to the context either:

firewall-1# change con CONTEXT-B
ERROR: Context hasn't been initialized with 'config-url'

So my question is twofold:

1) How is it still functioning on the primary/active:
firewall-1# change con CONTEXT-B
ERROR: Context hasn't been initialized with 'config-url'

and 2) how do I restore the config-url to the context on the primary, without wiping it away? I am more than happy to copy the context file over from the secondary/standby, but my understanding is that if I put the config-url statement into the context, it's going to blitz the configuration to zero, or am I mistaken?

I need to restore the two contexts and test a failover correctly before I can continue the upgrade to 9.14, and can't risk downtime.

Can anyone suggest a way to restore the correct configuration without outage?

Thanks so much
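
A read-only check for the condition described in the post, as an added example that is not part of the original post: it parses the system-context `context` blocks and a `dir disk0:` listing and reports contexts with no `config-url` or with a missing or zero-byte file. The function names are hypothetical, and it assumes the file is named after the context when no `config-url` line is present, as in the post's output.

```python
# Sample input: lines quoted in the post for the primary unit, trimmed to
# CONTEXT-A (healthy) and CONTEXT-B (affected).
SYSTEM_CONFIG = """\
context CONTEXT-A
  allocate-interface GigabitEthernet0/0.100
  config-url disk0:/CONTEXT-A
!
context CONTEXT-B
  allocate-interface GigabitEthernet0/0.200
!
"""
DIR_OUTPUT = """\
86     -rwx  4055         23:02:32 Aug 06 2020  CONTEXT-A
87     -rwx  0            14:31:32 Apr 08 2020  CONTEXT-B
"""

def parse_contexts(config):
    """Map each context name to its config-url, or None when the line is absent."""
    contexts, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words and not line[0].isspace():  # a top-level line opens or closes a block
            current = words[1] if len(words) == 2 and words[0] == "context" else None
            if current:
                contexts[current] = None
        elif current and len(words) == 2 and words[0] == "config-url":
            contexts[current] = words[1]
    return contexts

def parse_dir(listing):
    """Map file name to size in bytes for each entry line of a `dir` listing."""
    rows = (line.split() for line in listing.splitlines())
    return {r[7]: int(r[2]) for r in rows if len(r) == 8 and r[0].isdigit() and r[2].isdigit()}

def audit(config, listing):
    """Return {context: [problems]} for contexts whose stored config is at risk."""
    sizes, findings = parse_dir(listing), {}
    for name, url in parse_contexts(config).items():
        # Assumption: with no config-url, the file is named after the context.
        fname = url.replace(":", "/").rsplit("/", 1)[-1] if url else name
        problems = [] if url else ["no config-url"]
        size = sizes.get(fname)
        if not size:
            problems.append("file missing" if size is None else "zero-byte file")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    print(audit(SYSTEM_CONFIG, DIR_OUTPUT))
```

Running the same check against captured output from both units before each upgrade hop shows whether either unit has lost a context file or its `config-url` line.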

 

 

 
