Yes, but I believe they would be in the active/standby but I might be wrong

Hi,

Well if you can use CLI then this can be checked by going to the System Context configuration space and issuing the command

show run context

It should show if Security Contexts are configured to different Failover Groups.

Or you might be able to check this with command

show run failover

But wether its a Active/Standby or Active/Active you would have to configure new interfaces on the System Context first

You for example check the configuration of GigabitEthernet0/2 in the System Context

show run interface GigabitEthernet0/2

If it doesnt have any configurations you could for example do

Configuring Interfaces in System Context

interface GigabitEthernet0/2

description DMZ Trunk

interface GigabitEthernet0/2.100

description DMZ1

vlan 100

interface GigabitEthernet0/2.200

description DMZ2

vlan 200

Adding Subinterfaces Under the Security Context

context CONTEXT-NAME

allocate-interface GigabitEthernet0/2.100

allocate-interface GigabitEthernet0/2.200

Moving to under the Security Context

changeto context CONTEXT-NAME

Configuring the Subinterfaces under Security Context

interface GigabitEthernet0/2.100

description DMZ1

nameif dmz1

security-level 50

ip add 172.16.30.1 255.255.255.0 standby 172.16.30.2

interface GigabitEthernet0/2.200

description DMZ2

nameif dmz2

security-level 50

ip add 172.16.33.1 255.255.255.0 standby 172.16.33.2

I would suggest going through the setup though and not just configuring these in the ASA.

The above should give you an example of adding the interfaces in a Multiple Context mode ASA

Hope this helps

- Jouni

Hi,

Thank you for the reply.

I cannot change the context to system - it does not allow me

Haddad/2# changeto system

Command not valid in current execution space

Haddad/2#

Any suggestions here? Thanks in advance

Hi,

Does the following command produce any output

show run prompt

It would seem to me that you would be under some Security Context as "Haddad/2" cant be a "hostname" of ASA.

- Jouni

I get this:

Haddad/2# sho run prompt

                    ^

ERROR: % Invalid input detected at '^' marker.

Haddad/2# sho run prompt

                    ^

ERROR: % Invalid input detected at '^' marker.

"^" is under prompt

Well this is strange.

For example the command

prompt

The only configuration mode under which this cant be used is under a Security Context

Yet you cant even change to the System Context space?

I guess we would need to see the firewall configuration because I am not sure what the problem is. If you cant even create an subinterface of a physical interface that the ASA holds then it would point to a situation that you are under a Security Context which doesnt allow creating an interface.

- Jouni

If I do show context I get the following:

Haddad/2# sho context

Context Name      Class      Interfaces           URL

2                default    GigabitEthernet0/0,  disk0:/context2.cfg

                             GigabitEthernet0/1,

                             GigabitEthernet0/2

Haddad/2#

So it looks like there is a context on this device nammed "2." I still cannot change to system though. If I go to the failover device I change contexts with no problem:

Haddad/admin# sho context

Context Name      Class      Interfaces           URL

*admin            default    GigabitEthernet0/0,  disk0:/admin.cfg

                             GigabitEthernet0/1,

                             GigabitEthernet0/2

Haddad/admin# change

Haddad/admin# changeto sys

Haddad/admin# changeto system

Haddad# change to admin

               ^

ERROR: % Invalid input detected at '^' marker.

Haddad# changeto admin

                 ^

ERROR: % Invalid input detected at '^' marker.

Haddad# changeto conte

Haddad# changeto context admin

Haddad/admin#

Haddad/2# sho context
Context Name      Class      Interfaces           URL
2                default    GigabitEthernet0/0,  disk0:/context2.cfg
                             GigabitEthernet0/1,
                             GigabitEthernet0/2
Haddad/2#

Maybe I could add another context that I could switch to system from? Also if I create a new context a my device is running in prod and I'm doing this during business hours any risks I should be aware of (like device having to reboot, disconnecting user sessions, etc). Thank you

Hi,

Seems you use a bit wrong command formats above (though you found the correct one)

The following command should be able to change you to System Context from under any Security Context

changeto system

The following command should be able to change you to the Security Context of your choice from any other Context or System Context

changeto context

The following command should enable you to show a cleare output of all the contexts configured on the device. Use it in System Context space

show run context

To my understanding your purpose was to use the Gi0/2 as a Trunk for DMZ purposes. So first you would need to check its configurations. If its already in some use then it will be harder to do the change in a production environment

You can use the following command in System Context space to list the current interface configurations

show run interface

To my understanding all commands should be supported whichever unit you are logged in on. Naturally all configuratins should be done on the Active unit or the configuration will be out of sync.

- Jouni