Managing security contexts ASA multimode

We use a pair of ASA 5585's in a multimode active/active setup. I'm able to set up and access the management interface for the admin context easily, but I'm having trouble setting up management interfaces for the other contexts. I'm sure I'm missing a fundamental config or understanding...

Here is my summarized admin context mgmt config:

_______________________

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.199.0.220 255.255.255.0 standby 10.199.0.221

route management 0.0.0.0 0.0.0.0 10.199.0.1 1

Here is the summarized context1 mgmt config:

_______________________

interface Management0/0.1
 management-only
 nameif management
 security-level 100
 ip address 10.199.0.170 255.255.255.0

route management 0.0.0.0 0.0.0.0 10.199.0.1 1

Here is the summarized system config:

_______________________

interface Management0/0

interface Management0/0.1
 description Context1 Management
 vlan 7

context Context1
  description Context1_VLAN177
  allocate-interface GigabitEthernet0/5.1
  allocate-interface Management0/0.1
  allocate-interface TenGigabitEthernet0/8.1
  config-url disk0:/dmzmt.cfg
  join-failover-group 1

I am unable to ping the context1 management interface, whereas I can ping (and ssh) to the admin context. One thing that I think might be preventing ping is that Management0/0.1 is assigned to VLAN 7. This is an arbitrary VLAN and is not actually running across any links, but the ASA won't let me assign the Management0/0.1 interface to Context1 unless it's configured with a VLAN not already in use (which is, by the way, frustrating). Then again, in Context1 the Management0/0.1 interface is assigned to the default VLAN, just like in the Admin context, so does that even matter?

I'm sure I'm missing something easy or maybe have a misunderstanding on how to configure management access to the other contexts. This is my first multimode setup. Any help would be appreciated.

Thanks,

Logan

4 Replies

FYI - I spoke with someone at Cisco and you have to put each management port that you configure for contexts into a separate VLAN. So, if you have 5 contexts with each having a management port, that's 5 VLANs. Fairly annoying as I'd hoped to keep all management traffic under the same VLAN.

That said, I think we'll end up just managing the admin context with the management port and manage all the other contexts via the inside IP gig port address.

good information - thanks for sharing your resolution. +5

FYI I tested SNMP by snmpwalking a multi-context firewall. Admin context has only management interface allocated and thus only gives me an ifIndex for that single interface. I had to walk the production context to get an ifIndex (and associated counters) from one of their interfaces.

Well after some more searching I found a guy who had put the same VLAN on all the context management interfaces, so to me it sounds like what I originally want to do is possible. Here's the link to that post: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CDIQFjAB&url=https%3A%2F%2Fsupportforums.cisco.com%2Fdiscussion%2F11112171%2Fsame-vlan-interfaces-different-ip-address-two-or-more-multiple-context&ei=cMNXU7e6BuLC2QX...

So I guess I'd like to ask the Cisco community again if they know if there is anyway to assign the Management interfaces on multiple contexts to the same VLAN, and therefore an IP on the same subnet.

Thanks,

Logan

So, to continue my one-sided conversation, I finally figured out how to do this. It IS possible to share the management interface across multiple contexts on the SAME VLAN, despite what the rest of the Internet (or Cisco) says.

You simply need to allocate the main interface, Management0/0, and not the sub-interfaces, to whatever contexts you want to assign a management IP to. You'll notice, however, that you cannot assign a VLAN to a main interface, but you can with the sub-interfaces, within system.

So with this in mind we can assume the main interface, Management0/0, will operate on VLAN 1 since we can't assign it to a different VLAN. In my case we needed management traffic to traverse VLAN 199. All I did to remedy this is make sure the switch port Management0/0 connected to was configured as an Access Port on VLAN 199. Voilà, everything works.

Hope this information is useful to others. I know many people just use the inside interface of each context to manage it, but I think using the management interface (and subnet) for management purposes across all contexts is cleaner.
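The following is an added, constructed configuration walk-through of the approach described in the reply above; it is not the poster's own running config. It reuses the admin and Context1 addresses from the original post, adds a hypothetical second context (Context2, with constructed addresses and a placeholder config-url) to show that a third context shares the same physical interface the same way, and assumes an IOS-style upstream switch port. The `mac-address auto` line is an assumption added so that each context's copy of the shared interface gets its own MAC address, which is what lets the ASA classify inbound frames on a shared interface by context; the `ssh` lines are included because each context needs its own management-access configuration, none of which is inherited from the admin context.

```text
! ===== system execution space (constructed example) =====
! Keep Management0/0 as the physical interface. Do NOT create a
! Management0/0.N subinterface per context: subinterfaces require
! distinct VLAN tags, which is what forced the separate VLANs earlier.
interface Management0/0
!
! Assumption: give every context a unique MAC on shared interfaces.
mac-address auto
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context Context1
  description Context1_VLAN177
  allocate-interface GigabitEthernet0/5.1
  allocate-interface Management0/0
  allocate-interface TenGigabitEthernet0/8.1
  config-url disk0:/dmzmt.cfg
  join-failover-group 1
!
! Hypothetical third context; config-url is a placeholder.
context Context2
  allocate-interface Management0/0
  config-url disk0:/PLACEHOLDER-context2.cfg
  join-failover-group 1

! ===== admin context =====
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.199.0.220 255.255.255.0 standby 10.199.0.221
route management 0.0.0.0 0.0.0.0 10.199.0.1 1
ssh 10.199.0.0 255.255.255.0 management

! ===== Context1 (same subnet, different address) =====
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.199.0.170 255.255.255.0 standby 10.199.0.171
route management 0.0.0.0 0.0.0.0 10.199.0.1 1
ssh 10.199.0.0 255.255.255.0 management

! ===== Context2 (hypothetical; constructed addresses) =====
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.199.0.172 255.255.255.0 standby 10.199.0.173
route management 0.0.0.0 0.0.0.0 10.199.0.1 1
ssh 10.199.0.0 255.255.255.0 management

! ===== upstream switch port (IOS syntax, constructed) =====
! The ASA sends Management0/0 traffic untagged, so the switch decides
! which VLAN it lands in. An access port on VLAN 199 puts every
! context's management address onto the 10.199.0.0/24 management VLAN.
interface GigabitEthernet1/0/10
 description ASA Management0/0 (shared by all contexts)
 switchport mode access
 switchport access vlan 199
```

Two things to verify after applying this: every context must use a distinct address (and distinct standby address) on 10.199.0.0/24, since they all answer on the same wire, and each context needs its own `ssh`/AAA statements before it will accept a management session, so a context that pings but refuses SSH is usually missing those rather than mis-allocated.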
