03-19-2010 07:09 PM - edited 03-11-2019 10:24 AM
Hi All,
I need to upgrade the version for ASA 5520 pair that runs in multi-context mode.
Here is my issue:
It seems to have the following contexts:
If I change to the system context, the copy tftp command is available. However, it cannot connect to any IP address. In the admin context, it can connect to all IP addresses, but the copy tftp: command is not available.
What am I missing?
Thank you in advance.
gw-fw-01# sh context
Context Name Class Interfaces URL
*extgw default GigabitEthernet0/0, disk0:/extgw
GigabitEthernet0/2,
GigabitEthernet0/2.100,110,
120,130,140,150-153,160,170,
GigabitEthernet0/3
Total active Security Contexts: 1
gw-fw-01# sh context detail
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1,
GigabitEthernet0/2, GigabitEthernet0/2.100,
GigabitEthernet0/2.110, GigabitEthernet0/2.120,
GigabitEthernet0/2.130, GigabitEthernet0/2.140,
GigabitEthernet0/2.150-153, GigabitEthernet0/2.160,
GigabitEthernet0/2.170, GigabitEthernet0/3, Internal-Control0/0,
Internal-Data0/0, Management0/0
Class: default, Flags: 0x00000819, ID: 0
Context "extgw", has been created
Config URL: disk0:/extgw
Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/2,
GigabitEthernet0/2.100, GigabitEthernet0/2.110,
GigabitEthernet0/2.120, GigabitEthernet0/2.130,
GigabitEthernet0/2.140, GigabitEthernet0/2.150-153,
GigabitEthernet0/2.160, GigabitEthernet0/2.170,
GigabitEthernet0/3
Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/2,
GigabitEthernet0/2.100, GigabitEthernet0/2.110,
GigabitEthernet0/2.120, GigabitEthernet0/2.130,
GigabitEthernet0/2.140, GigabitEthernet0/2.150-153,
GigabitEthernet0/2.160, GigabitEthernet0/2.170,
GigabitEthernet0/3
Class: default, Flags: 0x00000813, ID: 2
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Class: default, Flags: 0x00000809, ID: 257
gw-fw-01#
03-19-2010 09:36 PM
In multi context mode, you would need to perform the upgrade from the system context, and it will use the admin context ip address to connect to the tftp server.
Which interface is your tftp server connected to and what is the security level of the interface?
If it is the lowest security level, you would need to configure the following on the admin context: tftp-server
Hope it helps.
03-20-2010 10:18 AM
Thank you Halijenn.
However, extgw seems to be the "admin context" based on the "show context" below, and the tftp server is accessible from the "extgw" context. The tftp subnet is one of the LAN subnets and it is routed through the inside interface.
Do you mean I need to add the following tftp-server command in "extgw" context?
tftp-server inside x.x.x.x admin.cfg
gw-fw-01# sh context
Context Name Class Interfaces URL
*extgw default GigabitEthernet0/0, disk0:/extgw
GigabitEthernet0/2,
GigabitEthernet0/2.100,110,
120,130,140,150-153,160,170,
GigabitEthernet0/3
Total active Security Contexts: 1
gw-fw-01/extgw#
gw-fw-01/extgw# changeto system
gw-fw-01#
gw-fw-01# sh flash
-#- --length-- -----date/time------ path
8 8312832 Aug 11 2007 09:07:58 asa722-k8.bin
11 1622 Nov 07 2005 03:59:48 old_running.cfg
12 1076 Nov 07 2005 03:59:50 admin.cfg
13 38897 Mar 06 2010 07:17:54 extgw
14 5623108 Aug 11 2007 09:13:04 asdm-522.bin
15 6746112 Aug 11 2007 08:56:50 asa711-k8.bin
42110976 bytes available (20770816 bytes used)
gw-fw-01#
gw-fw-01#
03-20-2010 05:34 PM
Yes, you are right, "extgw" is the admin context.
To perform the upgrade, you would need to do it from the system context, and since you are routing to the inside interface (assuming the inside interface is not the lowest security level interface), you should be able to perform "copy tftp flash" from the system context.
Are you getting any error message when you try to copy the file from the tftp server to flash via the system context? If you do, can you share the output?
03-20-2010 07:31 PM
Make sure that the tftp server IP is reachable from the admin context and that you do not have a firewall enabled on this tftp server. I'd suggest tftpd32.
If you have other routers or another firewall, just make sure there is no problem with this tftp server before trying it from this multiple context ASA.
Once you verify connectivity, then issue the "copy tftp flash:" command from the system space like you had tried before.
If it doesn't work then, wireshark the tftp server and see if it sends packets and if the ASA responds.
-KS
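Added example (not part of the original posts): a minimal Python probe for the "verify the tftp server first" step above, run from any host that should reach the server. It sends one RFC 1350 read request and classifies the reply; the server address and file name in the usage comment are placeholders.

```python
import socket
import struct

RRQ, DATA, ERROR = 1, 3, 5  # TFTP opcodes from RFC 1350

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, then NUL-terminated filename and mode."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def classify_reply(packet):
    """Turn the first server reply into a troubleshooting verdict."""
    if len(packet) < 4:
        return "malformed reply"
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == DATA:
        return f"server reachable: DATA block {value}, {len(packet) - 4} bytes"
    if opcode == ERROR:
        msg = packet[4:].split(b"\0", 1)[0].decode(errors="replace")
        return f"server reachable: ERROR {value} ({msg})"
    return f"unexpected opcode {opcode}"

def probe(server, filename, timeout=3.0):
    """Send one RRQ to UDP/69 and report what comes back, if anything."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (server, 69))
        try:
            packet, (addr, port) = s.recvfrom(4 + 512)
        except OSError as exc:
            # Nothing usable came back: the server is down, or a device in the
            # path drops the request to UDP/69 or the reply. The reply is sent
            # from a new ephemeral port, not from 69, so filters must allow it.
            return f"no reply ({exc}): check server and firewalls in the path"
        return f"{classify_reply(packet)} (reply from {addr}:{port})"

if __name__ == "__main__":
    # Constructed sample replies, so the parsing can be checked offline.
    print(classify_reply(b"\x00\x03\x00\x01" + b"A" * 512))
    print(classify_reply(b"\x00\x05\x00\x01File not found\x00"))
    # Live use (placeholder address and file name):
    # print(probe("192.0.2.10", "asa-image.bin"))
```

An ERROR reply such as "File not found" still proves the path to the server is open; only a timeout points at the server itself or at a filtering device in between.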
03-22-2010 07:50 AM
Thanks Kusankar.
You are absolutely right. After I understood the "system" context can access the inside interface without added config, this is what I wanted to verify this morning.
It was the CheckPoint in the middle and after I updated the policy I was able to copy the bin file to flash.
03-22-2010 07:48 AM
Thanks again Halijenn;
You put me on the right track regarding reachability to "inside" interface from "system" context without any additional config.
I suspected it could be the CheckPoint blocking tftp and that is what it turned out to be.
I was able to copy the new bin file for upgrade.
12-15-2016 05:57 AM
Can you explain the test.cfg part of this? My interface is the lowest security and I cannot TFTP from my system context?