Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3483
Views
0
Helpful
5
Replies

Cisco ASA5520 multiple context revert back to single context

Go to solution
nldannyvdaa
Level 1
Level 1

‎10-09-2013 01:04 AM - edited ‎03-11-2019 07:49 PM

Hi all,

We have a redudant set of Cisco ASA5520's. This firewalls runs in multiple context mode.

No we want to make both "virtual" firewalls physical.

We already migrated on of the two firewalls to another physical set.

Now we would like to revert back the multiple context into single context mode, with keeping on of the two firewalls as the new running config.

We would like to do this with a minimum downtime.

Is this possible, can someone advise?

Kind regards,

Danny van der Aa

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎11-30-2013 02:25 PM

The config will be saved as config.old when you change the mode of the firewall (this goes both ways I believe).  As Luis has mentioned it is a major change but if you have ASA's in a failover pair then doing this with little or no down time should be possible.

I would first go about this by taking the current Standby ASA and take a backup of the running configuration on it, and make any required changes to the configuration to suite your needs.  Most likely you will not have much need of what is in the system context, but take a backup of it anyway just be on the safe side.  Then change it to single mode with the command "mode single".  Now copy the configuration into the ASA.

Now, assuming that both ASAs have the same IP addresses assigned to its interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network.  You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.

Do the same for the second ASA and connect it back to the network.  Now, if you have kept the failover configuration, the ASAs will setup an Active/Standby failover in single mode and replicate the configuration.

Your down time should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Luis Silva Benavides
Cisco Employee
Cisco Employee

‎10-10-2013 04:55 PM

Hi Danny,

Moving from Multiple mode to Single mode is a mayor change. The way the FW works will change completelly.

You should schedule a Window to perform this change.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
0 Helpful

Go to solution
nldannyvdaa
Level 1
Level 1
In response to Luis Silva Benavides

‎11-29-2013 04:12 AM

We have a time window. We only would like to know if it is just a command.

Or that we have to restore the firewall to default and then restore the backup.

0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to nldannyvdaa

‎11-29-2013 09:36 PM


look, the ASA has a .cfg file for each context configuration into flash, just extract the configuration from flash through ASDM or through copy command then move back to single mode, then copy whichever file you want on to the firewall that you made single and then the other configuration upload to the new firewall. Make sure you understand the interface allocation purpose of the multiple context and any interface setting that you defined into system context (sub-interface, vlan, etc) if you just allocated physical interfaces than there is not much to worry about.

I would suggest posting the configuration, maybe for Luis or myself that we work at TAC it would not take us much time to do this but if you are not accustomed then it could take you more then what you think.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to jumora

‎12-01-2013 08:00 PM

??????

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎11-30-2013 02:25 PM

The config will be saved as config.old when you change the mode of the firewall (this goes both ways I believe).  As Luis has mentioned it is a major change but if you have ASA's in a failover pair then doing this with little or no down time should be possible.

I would first go about this by taking the current Standby ASA and take a backup of the running configuration on it, and make any required changes to the configuration to suite your needs.  Most likely you will not have much need of what is in the system context, but take a backup of it anyway just be on the safe side.  Then change it to single mode with the command "mode single".  Now copy the configuration into the ASA.

Now, assuming that both ASAs have the same IP addresses assigned to its interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network.  You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.

Do the same for the second ASA and connect it back to the network.  Now, if you have kept the failover configuration, the ASAs will setup an Active/Standby failover in single mode and replicate the configuration.

Your down time should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card