Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
15
Helpful
4
Replies

ASA 9.0(1) on 5510

rrfield
Level 1
Level 1

‎11-01-2012 08:37 AM - edited ‎03-11-2019 05:17 PM

So I loaded the shiny new ASA 9.0(1) on a test/dev cluster of 5510's with the SecPlus license.

Two things.

1.  In 8.4.4 (or maybe 8.4.3?) new password-policy commands were introduced, which allowed for very granular password policies for local users.  This appears to be gone in 9.0.1. Is this by design?  These commands met certain compliance regulations.

2.  EIGRP is supported in multiple context mode now, however the contexts dont appear to form EIGRP neighborships with each other on a shared interface.  I did issue the mac-address auto command in system mode if that matters.  All contexts do form EIGRP neighborships with a regular IOS device, however routes are still not propegated from CTX1 to CTX2, 3, etc.

CTX1    CTX2    CTX3

|       |       |

|       |       |

--------------------

      |

      |

    IOS-Device

It's entirely possible I'm doing something wrong, this is my first stab at multiple contexts, or its possible this doesnt work by design?


Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎11-01-2012 02:07 PM

Since it's a brand new software release, I would suggest that you open a case with TAC so it can be troubleshot and if there is any bug, the engineer can help to raise it immediately.

But yes, you are right, both features should work in this new version.

0 Helpful

rrfield
Level 1
Level 1
In response to Jennifer Halim

‎11-01-2012 02:13 PM

I did open a TAC case and will post the results here.  I was hoping someone else had noticed this in their testing of the new software.  Or maybe that Cisco has noticed this in their testing of the software

0 Helpful

rrfield
Level 1
Level 1
In response to rrfield

‎11-01-2012 02:31 PM

TAC called back pretty quick on the EIGRP issue, it's not supported on shared interfaces because of some multicast limitations, which kind of makes sense.  It's in the notes, I must have missed it.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/route_eigrp.html#wp1057302

Additional Guidelines

EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported.

For what it's worth, I was able to get the routes from one context to another by disabling EIGRP split horizion on an interface in the same subnet of an IOS device.  Disabling split horizion seems like a bad idea, though.

Jennifer Halim
Cisco Employee
Cisco Employee
In response to rrfield

‎11-01-2012 04:39 PM

Excellent, thanks for the update.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card