11-01-2012 08:37 AM - edited 03-11-2019 05:17 PM
So I loaded the shiny new ASA 9.0(1) on a test/dev cluster of 5510s with the SecPlus license.
Two things.
1. In 8.4.4 (or maybe 8.4.3?) new password-policy commands were introduced, which allowed for very granular password policies for local users. This appears to be gone in 9.0.1. Is this by design? These commands met certain compliance regulations.
2. EIGRP is supported in multiple context mode now, however the contexts don't appear to form EIGRP neighborships with each other on a shared interface. I did issue the mac-address auto command in system mode if that matters. All contexts do form EIGRP neighborships with a regular IOS device, however routes are still not propagated from CTX1 to CTX2, 3, etc.
CTX1    CTX2    CTX3
 |       |       |
 |       |       |
--------------------
         |
         |
     IOS-Device
It's entirely possible I'm doing something wrong, this is my first stab at multiple contexts, or it's possible this doesn't work by design?
11-01-2012 02:07 PM
Since it's a brand new software release, I would suggest that you open a case with TAC so it can be troubleshot and if there is any bug, the engineer can help to raise it immediately.
But yes, you are right, both features should work in this new version.
11-01-2012 02:13 PM
I did open a TAC case and will post the results here. I was hoping someone else had noticed this in their testing of the new software. Or maybe that Cisco has noticed this in their testing of the software.
11-01-2012 02:31 PM
TAC called back pretty quick on the EIGRP issue, it's not supported on shared interfaces because of some multicast limitations, which kind of makes sense. It's in the notes, I must have missed it.
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/route_eigrp.html#wp1057302
Additional Guidelines
EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported.
For what it's worth, I was able to get the routes from one context to another by disabling EIGRP split horizon on an interface in the same subnet of an IOS device. Disabling split horizon seems like a bad idea, though.
11-01-2012 04:39 PM
Excellent, thanks for the update.