ASA traffic redirection to Sourcefire in Multiple Contexts
11-09-2017 01:41 AM - edited 02-21-2020 06:41 AM
Hi,
I had issues configuring traffic redirection on ASA's configured with multiple contexts.
I can create a new class-map within each context and enable monitor mode. However, when I want to disable monitor mode and configure inline via ASDM I receive an error:
[Error] sfr fail-open command failed.
I am able to configure without errors via the admin context.
ASA Ver 9.6.3(1)
ASDM Ver 7.7.1(151)
Documentation suggests that the redirection should be configured within each context.
Any suggestions or clarification would be appreciated.
Ian
Labels: NGFW Firewalls
11-09-2017 12:04 PM
Can you verify that this is not happening?
You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline tap monitor-only mode for some contexts, and regular inline mode for others.
On page 3:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf
br, Micke
11-14-2017 06:24 AM
I deleted the redirection class map from both contexts.
I created a new class map on one context only and the policy still fails when trying to apply inline. I can still configure in monitor mode only.
Br
Ian
11-14-2017 11:27 AM
This has been working for me:
admin context:
Nothing
contextA:
access-list contextA-inside_mpc extended permit ip any any
!
class-map contextA-inside-class-sfr
 match access-list contextA-inside_mpc
!
policy-map contextA-inside-policy
 class contextA-inside-class-sfr
  sfr fail-open
!
contextB:
access-list contextB-inside_mpc extended permit ip any any
!
class-map contextB-inside-class-sfr
 match access-list contextB-inside_mpc
!
policy-map contextB-inside-policy
 class contextB-inside-class-sfr
  sfr fail-open
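As an added example (not code from this thread or from Cisco), here is a small Python check that applies the rule Micke quoted to per-context ASA configurations: it parses the `sfr {fail-open|fail-close} [monitor-only]` actions in each context's policy-map and flags a deployment that mixes monitor-only and inline redirection across contexts, or a context that mixes both itself. The sample configs are constructed: contextA follows the working inline config above, contextB is a monitor-only variant.

```python
import re
from typing import Dict, List, Set

# ASA policy-map class action: "sfr {fail-close | fail-open} [monitor-only]".
SFR_ACTION = re.compile(r"^\s*sfr\s+(fail-open|fail-close)(\s+monitor-only)?\s*$")

# Constructed sample: one context inline, one context monitor-only.
CONTEXT_A = """access-list contextA-inside_mpc extended permit ip any any
!
class-map contextA-inside-class-sfr
 match access-list contextA-inside_mpc
!
policy-map contextA-inside-policy
 class contextA-inside-class-sfr
  sfr fail-open
"""
CONTEXT_B = CONTEXT_A.replace("contextA", "contextB").replace(
    "sfr fail-open", "sfr fail-open monitor-only")


def sfr_modes(config_text: str) -> Set[str]:
    """Return the SFR redirection modes ('inline' / 'monitor-only') used in one context."""
    modes: Set[str] = set()
    for line in config_text.splitlines():
        m = SFR_ACTION.match(line)
        if m:
            modes.add("monitor-only" if m.group(2) else "inline")
    return modes


def audit_contexts(contexts: Dict[str, str]) -> List[str]:
    """Flag contexts mixing modes internally and deployments mixing modes across contexts."""
    findings: List[str] = []
    per_context = {name: sfr_modes(cfg) for name, cfg in contexts.items()}
    for name, modes in per_context.items():
        if len(modes) > 1:
            findings.append(f"{name}: mixes inline and monitor-only in one context")
    all_modes: Set[str] = set().union(*per_context.values()) if per_context else set()
    if len(all_modes) > 1:
        users = {m: sorted(n for n, ms in per_context.items() if m in ms) for m in all_modes}
        findings.append(f"deployment mixes SFR modes across contexts: {users}")
    return findings


if __name__ == "__main__":
    for f in audit_contexts({"contextA": CONTEXT_A, "contextB": CONTEXT_B}):
        print(f)
```

Run it against the running-config of each context (for example the output of `show running-config policy-map` captured per context) to catch the mixed-mode case before ASDM reports the `sfr fail-open command failed` error.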
