10-24-2020 02:19 AM
I have a situation where, on the active FWSM device, the admin context is faulty and has a hell of a lot of configuration missing; I cannot log in to it. On the secondary device, the firewall admin context is fine.
--------------------------------
The version is:
On the active device it says:
-- From System Context:
FWSM Firewall Version 4.1(6) <system>
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
......................................................
On the secondary device:
FWSM Firewall Version 4.1(6) <system>
Device Manager Version 6.2(2)F
---------------------------------------------
On the actual 6500 device the version:
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 22-Jun-11 18:03 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
=======================================================================
I tried to fail over from primary to secondary from the system context, with the command "no failover active" on the primary,
but it does not make a difference. Yes, on the system context it changes, but on the other contexts it does not.
So the idea is that the faulty context can become secondary and can sync with the secondary one, which will be 'active' after failover. Then we can change back to the original stage.
Anyway, several tries have not resulted in success.
Please, if someone can help.
Please note this is in Prod, can't try just anything.
Need a solution so that I can write the CIP and can request a CRQ.
Regards
Shinda
10-24-2020 03:48 AM
Looks like the configuration is not synced with the secondary, as per the information.
Have you done any upgrade?
You will need to upgrade it before using ASDM.
FWSM went end of life a decade back; I know some people are still using it, depending on requirements. If you have an out-of-the-box config backup.
I can only suggest pulling the module and inserting it back (but it's a risk; other than that I do not see any option?).
10-24-2020 09:13 PM - edited 10-24-2020 10:29 PM
Hello BB,
Thanks for your reply.
We don't use ASDM, so we are not worried about it.
Meantime, the best is to fix the admin context on the active unit.
If it was another context we would rebuild it, but the admin one we can't delete and rebuild.
So the only solution is restarting the device? No way we can fix it by synchronizing?
Thanks again
10-25-2020 07:49 AM - edited 10-25-2020 07:49 AM
How were you able to see that there are some missing configs in the admin context config file? Did you try to move into the admin context with the command changeto context admin and it failed? One thing you might try would be to copy the admin context config file from the standby unit (disk0:/admin.cfg unless you changed it from its default) to the primary unit.
10-25-2020 05:50 PM
Hi,
Thanks a lot, Aref.
We can go in from the actual 6500 device with the command:
'session slot 6 p 1'
We can change to it with "changeto context admin",
but can't run any command, even "sh run".
From the system context we can use the command:
"more disk0:/admin.cfg"
This shows us something like the "sh run" of the context, and here I can see that this context is missing a hell of a lot of configuration compared to the secondary admin context, most importantly the parts related to user login, TACACS, etc.
Is there a way we can edit "disk0:/admin.cfg", like copying it from the secondary device?
How can we do this?
Regards
Shinda Singh
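The comparison described in the post above (the `more disk0:/admin.cfg` output from each unit, checked for login and TACACS lines) can be done mechanically. This is an added example, not part of the original thread; the two config texts are constructed samples and the function names are hypothetical.

```python
import re

# Top-level commands that decide who can log in and run commands in a context.
MGMT_PREFIXES = ("aaa ", "aaa-server ", "username ", "ssh ", "telnet ")
SECRET = re.compile(r"\b(password|key)\s+\S+")

def mgmt_lines(cfg_text):
    """Return the management-access lines of a saved config, secrets masked."""
    found = set()
    for raw in cfg_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line.startswith(MGMT_PREFIXES):
            # Mask hashes and keys so the report can go into a change request.
            # Side effect: lines differing only in the secret compare as equal.
            found.add(SECRET.sub(r"\1 <redacted>", line))
    return found

def missing_on_active(active_cfg, standby_cfg):
    """Lines present in the standby copy but absent from the active copy."""
    return sorted(mgmt_lines(standby_cfg) - mgmt_lines(active_cfg))

# Constructed sample: admin.cfg text captured from the standby unit.
STANDBY_CFG = """\
hostname admin
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (mgmt) host 192.0.2.10
 key EXAMPLEKEY
username localadmin password CONSTRUCTEDHASH encrypted privilege 15
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
ssh 192.0.2.0 255.255.255.0 mgmt
"""

# Constructed sample: the damaged admin.cfg text from the active unit.
ACTIVE_CFG = """\
hostname admin
ssh 192.0.2.0 255.255.255.0 mgmt
"""

if __name__ == "__main__":
    for line in missing_on_active(ACTIVE_CFG, STANDBY_CFG):
        print("missing on active:", line)
```
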
10-25-2020 05:59 PM
You're welcome. How about if you transfer the admin.cfg file from the secondary to a tftp server, and then you copy it from the tftp server to the primary?
10-25-2020 10:11 PM
Hi Aref,
That is what I want to know: how can we copy it?
Is it possible?
Please, if you can send me some links or a URL, I can go through the steps.
Regards
Shinda Singh
10-26-2020 12:10 PM
Set up a tftp server, then go into the admin context on the standby unit and use the command copy run tftp:. It will prompt you to confirm the source file name; hit enter. Then it will ask you to type in the tftp server IP address and to confirm the destination file name; here type admin.cfg. Once that is done, go to the primary unit admin context and then do the reverse with the command copy tftp: run, confirm the details, and save the config. That should work.
10-26-2020 05:42 PM
Hi Aref,
I will try and let you know.
The issue is that when I log in to the 'admin' context on the primary, I can only do it from the 6500 device with the command "session slot 7 p 1" and then using credentials. It takes me to the system context and I can change to admin from there, but being in it I can't run any command?
It gives the error below:
admin/7/act# sh run
Command authorization failed
-----------------
So that is the issue, if I can run tftp commands:
Regards
10-28-2020 02:21 AM
What aaa configuration have you applied to the admin context? Also, for what purpose are you using the admin context? Only management, or as an actual context for users?