
Reverting to Single Context Mode (ASA 5525)

lucas.jereska
Level 1

We're currently running Active/Active on our ASA 5525 pair (it's been this way since I took over our network) with multiple context mode. My plan is to revert back to single context mode and switch to Active/Standby, but I'm not exactly sure what this process will entail.

As things stand right now we've got:

System Context

Admin Context

Context 1 (This has the config I'd ultimately like to use in single context mode)

Context 2

I know I'll need to issue a mode single command, but what exactly happens to the above contexts when I do this? We're a 24/7 operation so I want to get a sense of what I'll be dealing with when I ultimately make this change.


pieterh
VIP

Basically, the separate configs are merged to a single one.

But why this action?

Might it be an option to just move all contexts to the same failover group?

pieterh - Thanks for the response. There are a few reasons for moving back to single-context for us:

1. It's a standard organizationally unless dictated otherwise for some specific reason.

2. There are (at least from what I've been told) some issues with newer versions of FireSIGHT when you're in an Active/Active setup.

3. IP SLA isn't available in multi-context mode and I'd like to get this configured in conjunction with policy-based routing on the firewall.

So if the separate configs are merged, would I simply need to delete Context 2 prior to going to single mode?

I don't think it matters, but yes, a simple configuration will make a simple migration.

What I would do is:

- break the failover pair (redundancy loss but not loss of service) and disconnect (what was) the secondary

- test the migration on the secondary (offline)

Then, if the resulting config looks good:

- migrate the primary (maintenance window because of reload)

- re-establish the failover pair

Other posts also suggest a similar process even without breaking failover, but just disconnect the secondary.
