06-03-2024 11:17 PM
Hi,
Given an ASA firewall running multiple contexts configured like this:
context web1
description Internet Edge/Hosting 1
member web1
allocate-interface Port-channel1.2-Port-channel1.3
allocate-interface Port-channel3.1140
allocate-interface Port-channel5.155
allocate-interface Port-channel5.160
storage-url private disk0:/private-storage disk0
storage-url shared disk0:/shared-storage shared
config-url disk0:/config/web1.cfg
join-failover-group 1
How is it possible to restore and reload an existing context from the config-url or from a backup file that was created with the following command?
backup /noconfirm context ${context} passphrase ${password} location flash:/backup_${context}.tar.gz
Recently some nasty bugs in ASA code messed up the configuration after a firewall reboot and deleted object-groups and associated access-list lines. I had to restore it three times (after upgrade to 9.18.4.24, after kernel panic, after downgrade to 9.18.4.22). It took me several hours each time to copy-paste all object-groups from the backed-up configuration on the backup server and fiddle in the missing lines in access-lists and missing nat rules.
Regards,
Bernd
06-03-2024 11:28 PM
I see you face many issues with the new ASA image.
I think this image is not compatible with your FW.
What is your FW platform?
check this
Cisco Secure Firewall ASA Compatibility - Cisco
MHM
06-03-2024 11:37 PM
Firepower 2120. That one is "supported" ... not meaning that it is stable.
We've had many different ASA problems ever since we purchased these firewalls back in 2017, recommended by our vendor and consultant. Mostly being related to new hardware platform or multi-context. Same releases on ASA 5516-X caused no problems. I've been using PIX and ASA for 25 years, but it has never been that bad since it was ported to Firepower hardware.
06-03-2024 11:44 PM
The ASA 9.18 with 2120 is compatible; what about ASDM?
MHM
06-03-2024 11:46 PM
Haven't used ASDM for years.
06-04-2024 08:18 AM
@Bernd Nies, you can delete the context with "no context ..." and recreate it. If you still need traffic to pass, you can isolate one unit from the network completely, change its configuration as you need, then isolate the other and enable interfaces on the 1st one. This will lead to downtime of course, but connections will be recreated quickly. The advantage of Firepower hardware, such as 4100 or 2100 running in platform mode, is that you can shut down interfaces from FXOS and don't need to ask the LAN switching team to do this.
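The delete-and-recreate sequence described in the reply above, written out as an added example; these are not the commands from the post. It reuses the web1 definition from the question and the file names under disk0: that the question itself shows. The restore command is assumed to mirror the backup command quoted in the question, the backup file name follows that command's pattern, and the passphrase is a placeholder.

```text
! Typed in the system execution space of the active unit.
! 1. Keep the current (damaged) context file for later comparison.
copy /noconfirm disk0:/config/web1.cfg disk0:/config/web1-broken.cfg
! 2. Remove the context. Its running state, including any RSA keys
!    that live only in the context, is gone with it.
no context web1
! 3. Re-add the context exactly as it was defined in the question;
!    it loads its configuration from config-url when it is created.
context web1
 description Internet Edge/Hosting 1
 member web1
 allocate-interface Port-channel1.2-Port-channel1.3
 allocate-interface Port-channel3.1140
 allocate-interface Port-channel5.155
 allocate-interface Port-channel5.160
 storage-url private disk0:/private-storage disk0
 storage-url shared disk0:/shared-storage shared
 config-url disk0:/config/web1.cfg
 join-failover-group 1
! 4. Assumed syntax (mirrors the backup command in the question): pull
!    the earlier backup archive back into the recreated context.
restore /noconfirm context web1 passphrase <PASSPHRASE-PLACEHOLDER> location flash:/backup_web1.tar.gz
! 5. Verify before saving: the object-groups and ACL lines that the
!    reboot dropped should be back in the context's running config.
changeto context web1
show running-config object-group
show running-config access-list
```

Step 1 is there so that the damaged file can be diffed against the known-good copy afterwards instead of being overwritten silently; step 5 is the check worth doing before a write memory, because saving a still-incomplete running config into config-url would replace the only on-box copy.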
06-05-2024 12:55 AM
Ah, yes. I thought about that but was afraid to do so. I feared it would also delete the private keys used for certificates for AnyConnect and also destroy the last bit of firewall features that were still working after the reboot dropped all object-groups.
06-05-2024 05:56 AM
Well, most likely keys will be lost.
06-05-2024 08:58 PM
Yup. One context already lost the keys while downgrading from 9.18.4.24 to 9.18.4.22. This is definitely the last firewall I set up in multi-context mode.
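The hours of copy-pasting described in the question (object-groups vanished after a reboot, taking the access-list and nat lines that referenced them) are exactly the kind of gap a small diff tool can find and re-emit in the right order. The following is an added example, not part of the thread and not Cisco's tooling: it takes two ASA config texts, a known-good backup (the file from config-url or the backup archive) and the current `show running-config` output, and prints the commands needed to put back whatever is missing, object-groups before the ACL and nat lines that depend on them, with ACL entries inserted at their original line position. The two configs embedded below are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of a context as it was backed up.
BACKUP_CFG = """\
object-group network WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN remark Published web servers
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE_IN extended deny ip any any log
nat (inside,outside) source static WEB-SERVERS WEB-SERVERS-PUBLIC
"""

# Constructed sample: the same context after a reboot dropped one object-group
# together with the access-list entry and nat rule that referenced it.
RUNNING_CFG = """\
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN remark Published web servers
access-list OUTSIDE_IN extended deny ip any any log
"""

OBJ_GROUP_RE = re.compile(r"^object-group (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (.*)$")


def parse_object_groups(cfg: str) -> Dict[str, List[str]]:
    """Map 'type name' -> the group's header line followed by its indented member lines."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in cfg.splitlines():
        m = OBJ_GROUP_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            groups[current] = [line]
        elif line.startswith(" ") and current is not None:
            groups[current].append(line)
        else:
            current = None  # any other top-level line ends the group block
    return groups


def acl_entries(cfg: str) -> List[Tuple[str, int, str]]:
    """Return (acl_name, position, full_line) for every access-list line in order.
    Position is the 1-based entry number within that ACL; remark lines count,
    as they do on the ASA, so 'line N' insertions land where the backup had them."""
    counters: Dict[str, int] = {}
    out: List[Tuple[str, int, str]] = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if m:
            name = m.group(1)
            counters[name] = counters.get(name, 0) + 1
            out.append((name, counters[name], line))
    return out


def restore_commands(backup: str, running: str) -> List[str]:
    """Commands that re-add everything present in `backup` but absent from `running`.
    Order: object-groups (ACLs and nat refer to them), then ACL entries at their
    original position, then nat rules. Members removed from a group that still
    exists are re-entered too; extra members in the running group are left alone."""
    cmds: List[str] = []
    present_groups = parse_object_groups(running)
    for key, lines in parse_object_groups(backup).items():
        if present_groups.get(key) != lines:
            cmds.extend(lines)  # re-entering an existing member is a no-op on the ASA
    running_acl = {line for _, _, line in acl_entries(running)}
    for name, pos, line in acl_entries(backup):
        if line not in running_acl:
            body = line[len(f"access-list {name} "):]
            cmds.append(f"access-list {name} line {pos} {body}")
    running_nat = {l for l in running.splitlines() if l.startswith("nat ")}
    cmds.extend(l for l in backup.splitlines() if l.startswith("nat ") and l not in running_nat)
    return cmds


if __name__ == "__main__":
    print("\n".join(restore_commands(BACKUP_CFG, RUNNING_CFG)))
```

Run it with the backup file and the saved `show running-config` output read into the two strings; on the sample above it emits the WEB-SERVERS group with both members, the permit entry as `access-list OUTSIDE_IN line 2 ...`, and the nat rule, and nothing at all when both inputs are identical. The `line N` positions are only right if missing entries are pasted in ascending order, which is the order the function produces them in.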