How to reload ASA context with backed up configuration?

Bernd Nies
Level 1

Hi,

Given an ASA firewall running multiple contexts, configured like this:

context web1
  description Internet Edge/Hosting 1
  member web1
  allocate-interface Port-channel1.2-Port-channel1.3
  allocate-interface Port-channel3.1140
  allocate-interface Port-channel5.155
  allocate-interface Port-channel5.160
  storage-url private disk0:/private-storage disk0
  storage-url shared disk0:/shared-storage shared
  config-url disk0:/config/web1.cfg
  join-failover-group 1

How is it possible to restore and reload an existing context from the config-url or from a backup file that was created with the following command?

backup /noconfirm context ${context} passphrase ${password} location flash:/backup_${context}.tar.gz

Recently some nasty bugs in ASA code messed up the configuration after a firewall reboot and deleted object-groups and associated access-list lines. I had to restore it three times (after upgrade to 9.18.4.24, after a kernel panic, after downgrade to 9.18.4.22). It took me several hours each time to copy-paste all object-groups from the backed-up configuration on the backup server and fiddle in the missing lines in access-lists and the missing NAT rules.

Regards,

Bernd
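The manual part of the recovery described above (comparing the saved context file against what the context is actually running, then pasting back only what disappeared) can be scripted. The following is an added example, not code from the original post or from Cisco: it parses the backed-up context configuration (the file behind config-url, or a saved copy of `show running-config`) and the current running config as plain text, and returns the object-group, object, access-list and nat lines that exist in the backup but not in the running config, in the backup's order, so object-groups come out before the ACEs that reference them. A lost ACE is emitted in the `access-list NAME line N ...` form so it goes back at its original position instead of being appended to the end of the ACL. The two configuration snippets, the names `WEB1`, `DMZ_WEB`, `WEB_PORTS` and `OUTSIDE_IN`, and the addresses are constructed sample input, not the poster's configuration; the line number N assumes the running ACL has not gained extra entries above the lost one.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Top-level commands worth diffing; interface, crypto and the rest are
# deliberately left alone so only the sections reported as lost get re-pushed.
SECTIONS = ("object-group ", "object ", "access-list ", "nat ")

# One ACE: ACL name, then the rest of the entry. Global settings such as
# 'access-list alert-interval' do not match and are diffed as plain lines.
ACE_RE = re.compile(r"^access-list (\S+) ((?:extended|standard|remark|webtype|ethertype) .*)$")

Block = Tuple[str, List[str]]  # (top-level line, its indented sub-commands)

# Constructed sample input, not the poster's configuration.
BACKUP_CFG = """\
object network WEB1
 host 10.1.140.10
 nat (dmz,outside) static 203.0.113.10
object-group network DMZ_WEB
 network-object host 10.1.140.10
 network-object host 10.1.140.11
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN remark web hosting
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB object-group WEB_PORTS
access-list OUTSIDE_IN extended deny ip any any log
nat (inside,outside) source static DMZ_WEB DMZ_WEB
access-group OUTSIDE_IN in interface outside
"""

# The same context after a reboot dropped an object-group, an ACE and both NAT rules.
RUNNING_CFG = """\
object network WEB1
 host 10.1.140.10
object-group network DMZ_WEB
 network-object host 10.1.140.10
 network-object host 10.1.140.11
access-list OUTSIDE_IN remark web hosting
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
"""


def parse_blocks(config: str) -> List[Block]:
    """Split an ASA config into (parent, children) blocks for SECTIONS.
    ASA indents sub-commands by one space; column 0 starts a new command;
    ':' and '!' lines are comments."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith((":", "!")):
            continue
        if not line.startswith(" "):
            current = (line, []) if line.startswith(SECTIONS) else None
            if current is not None:
                blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks


def missing_lines(backup_cfg: str, running_cfg: str) -> List[str]:
    """Lines in the backup that the running config no longer has, in backup order.
    Whole missing blocks come back with their sub-commands; for blocks that still
    exist only the lost sub-commands are returned, after the parent line so they
    paste straight into its sub-mode. A lost ACE is rewritten as
    'access-list NAME line N ...' so it lands at its original position rather than
    at the end of the ACL (N = its position in the backup; assumes the running
    ACL gained no extra lines above it)."""
    running: Dict[str, Set[str]] = {p: set(c) for p, c in parse_blocks(running_cfg)}
    acl_pos: Dict[str, int] = {}
    out: List[str] = []
    for parent, children in parse_blocks(backup_cfg):
        ace = ACE_RE.match(parent)
        if ace:
            name, rest = ace.groups()
            acl_pos[name] = acl_pos.get(name, 0) + 1
        if parent not in running:
            if ace:
                out.append(f"access-list {name} line {acl_pos[name]} {rest}")
            else:
                out.append(parent)
                out.extend(children)
        else:
            lost = [c for c in children if c not in running[parent]]
            if lost:
                out.append(parent)
                out.extend(lost)
    return out


def undefined_groups(lines: List[str], running_cfg: str) -> List[str]:
    """Object-groups that the recovered access-list/nat lines reference (by the
    'object-group' keyword) but that exist neither in the running config nor among
    the recovered lines. The ASA rejects an ACE naming an unknown group, so this
    must be empty before pasting."""
    defined = {p.split()[2] for p, _ in parse_blocks(running_cfg) if p.startswith("object-group ")}
    defined |= {l.split()[2] for l in lines if l.startswith("object-group ")}
    used = " ".join(l for l in lines if l.startswith(("access-list ", "nat ")))
    return sorted(set(re.findall(r"object-group (\S+)", used)) - defined)


if __name__ == "__main__":
    recovered = missing_lines(BACKUP_CFG, RUNNING_CFG)
    print("\n".join(recovered))
    print("unresolved object-groups:", undefined_groups(recovered, RUNNING_CFG) or "none")
```

Run it with the real files (read them in place of the two constants), check that `undefined_groups` is empty, and paste the output into the context's configuration mode. It only covers the sections the post mentions; anything else that went missing (crypto, interface or VPN configuration) still has to be compared by hand.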

8 Replies

I see you are facing many issues with the new ASA image.
I think this image is not compatible with your FW.
What is your FW platform?
Check this:
Cisco Secure Firewall ASA Compatibility - Cisco

MHM

Firepower 2120. That one is "supported" ... not meaning that it is stable.

We've had many different ASA problems ever since we purchased these firewalls back in 2017, recommended by our vendor and consultant. Mostly related to the new hardware platform or to multi-context mode. The same releases on ASA 5516-X caused no problems. I've been using PIX and ASA for 25 years, but it has never been that bad since it was ported to Firepower hardware.

ASA 9.18 is compatible with the 2120. What about ASDM?

MHM

Haven't used ASDM for years. 

@Bernd Nies, you can delete the context with "no context ..." and recreate it. If you still need traffic to pass, you can isolate one unit from the network completely, change its configuration as you need, then isolate the other and enable interfaces on the first one. This will lead to downtime of course, but connections will be recreated quickly. The advantage of Firepower hardware, such as 4100 or 2100 running in platform mode, is that you can shut down interfaces from FXOS and don't need to ask the LAN switching team to do this.

Ah, yes. I thought about that but was afraid to do so. I feared it would also delete the private keys used for the AnyConnect certificates and also destroy the last few firewall features that were still working after the reboot dropped all object-groups.

Well, most likely keys will be lost.

Yup. One context already lost the keys while downgrading from 9.18.4.24 to 9.18.4.22. This is definitely the last firewall I setup in multi-context mode.
