Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
960
Views
0
Helpful
7
Replies

Pinging from System Config - ASA in Multimode

Go to solution
mahesh18
Level 6
Level 6

‎05-02-2013 10:58 AM - edited ‎03-11-2019 06:37 PM

Hi Everyone,

Need to confirm below

ASA is in  multi mode say context    admin  and x.

while in admin context i did below

When i am  in context admin  i can  ping the destination IP from it as it has route for it.

then i ran the command

changeto system

Then i went to System config and  i was also able to  ping the destination IP from there as well.

So does it mean that from system config we can always ping the IP which has route  in other context like admin ?

Thanks

Mahesh

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-02-2013 11:01 AM

Hi,

The "admin" context is the context used to manage the whole virtual (Multiple Mode) ASA.

The System Context uses the "admin" contexts IP addressing/routing/configurations to reach the services it needs.

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-02-2013 11:20 AM

Hi,

To my understanding the System Context only uses/has the information of "admin" context when it comes to forming connection from the ASA itself to somewhere.

In other words if the ASA running in Multiple Context mode has to form some connections. For example use NTP or send files with FTP or you simply want to form a SSH management connection TO the virtual ASA then you will be using the routing and configurations of the "admin" context.

System Context cannot be used to test any other Contexts connectivity to somewhere to my understanding.

Or did I missunderstand what you meant?

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-02-2013 11:26 AM

Here is a quote from Cisco material

The system configuration does not include any  network interfaces or network settings for itself; rather, when the  system needs to access network resources (such as downloading the  contexts from the server), it uses one of the contexts that is  designated as the admin context.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/contexts.html#wp1133678

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-02-2013 12:33 PM

Hi,

I cant ofcourse be absolultely sure but I can guess

I would guess that the "admin" context is connected to the rest of the network. I mean it has a connection to the same networks as the context "x". This would explain that you are able to PING addresses from the System Context to the Context X.

If you want to confirm this you can try to do the following

  • Check what interfaces are connected to the "admin" context. You can use the command "show run context admin" in the System Context space.
  • Check the routing and interface IP addresses in the Context admin
    • show run interface
    • show route
  • Also check the routing table of the Context "x" if needed.
  • With the collected base information you can check if the "admin" contexts interface or interfaces are connected to the same network as the Context "x"

I cant think of anything else at the moment. I think the "admin" context is connected to the same network as the context "x" and thats why you can reach the context "x" network IP addresses also from System Context as it uses the "admin" contexts routing/interface/etc configurations to contact other networks.

Hopefully this helps

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-02-2013 11:01 AM

Hi,

The "admin" context is the context used to manage the whole virtual (Multiple Mode) ASA.

The System Context uses the "admin" contexts IP addressing/routing/configurations to reach the services it needs.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-02-2013 11:04 AM

Hi Jouni,

also need to confirm from system context  if i need to ping some destination IP which is pingable from context x will it work?

Regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-02-2013 11:20 AM

Hi,

To my understanding the System Context only uses/has the information of "admin" context when it comes to forming connection from the ASA itself to somewhere.

In other words if the ASA running in Multiple Context mode has to form some connections. For example use NTP or send files with FTP or you simply want to form a SSH management connection TO the virtual ASA then you will be using the routing and configurations of the "admin" context.

System Context cannot be used to test any other Contexts connectivity to somewhere to my understanding.

Or did I missunderstand what you meant?

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-02-2013 11:26 AM

Here is a quote from Cisco material

The system configuration does not include any  network interfaces or network settings for itself; rather, when the  system needs to access network resources (such as downloading the  contexts from the server), it uses one of the contexts that is  designated as the admin context.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/contexts.html#wp1133678

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-02-2013 11:42 AM

Hi Jouni,

Here is what i tested

Context X has interface IP say  192.168.1.1

I went to the system context and i was able to  ping this IP.Is this default behaviour?

So this means that from system context we can reach context X  IP.

Also from system context i was able to  ping the default gateway for context b.

is this also default behaviour?

Thanks

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-02-2013 12:33 PM

Hi,

I cant ofcourse be absolultely sure but I can guess

I would guess that the "admin" context is connected to the rest of the network. I mean it has a connection to the same networks as the context "x". This would explain that you are able to PING addresses from the System Context to the Context X.

If you want to confirm this you can try to do the following

  • Check what interfaces are connected to the "admin" context. You can use the command "show run context admin" in the System Context space.
  • Check the routing and interface IP addresses in the Context admin
    • show run interface
    • show route
  • Also check the routing table of the Context "x" if needed.
  • With the collected base information you can check if the "admin" contexts interface or interfaces are connected to the same network as the Context "x"

I cant think of anything else at the moment. I think the "admin" context is connected to the same network as the context "x" and thats why you can reach the context "x" network IP addresses also from System Context as it uses the "admin" contexts routing/interface/etc configurations to contact other networks.

Hopefully this helps

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-03-2013 09:05 AM

Hi jouni,

I will try to check above stuff later.

Thanks

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card