Change management ip of cluster nodes.


Hello,

 

We have a 3200 series HA cluster.

 

The requirement is to change the IP address of the management interface of both nodes.

(Note: we are not changing the IP address of Panorama.)

 

All the required rules and routes are in place.

Can we change the IP address remotely while still logged in through the management interface (old IP)?

 

Via the command line, if we change the IP and gateway (via a single command), we may get a momentary disconnection? But if everything else seems to be in place, like proper port settings and routing etc. to reach the new management range, it should work?

 

We want to avoid going to the DC because of restrictions (for console access).

 

Can anyone suggest a way to change the management IP of cluster nodes remotely? Which node to do first, the secondary?

 

Also, after changing the node management IP addresses, what change do we have to make in Panorama to reflect the new IP addresses?

 

If anyone has a procedure, please share.


Hi @FWPalolearner ,

 

There are a lot of comments, not sure if I get everything, but:

- What version are your FW and Panorama? If you are running 9.1 you can probably rely on the feature Automated Commit Recovery. We still run on 9.0 so I haven't tested this feature, but in theory this should work great for your case:

1. Enable the automatic recovery

2. Push the new mgmt IP from Panorama. If there are any issues with the new mgmt IP, the FW will lose access to Panorama and the recovery process should kick in.

 

- In general you don't have to do anything on Panorama once you change the FW mgmt IP. This is because Panorama uses the serial number to track the FWs. When you configure the FW with the Panorama IP, it will attempt to register to Panorama. By default Panorama will accept any source IP and will try to establish the TCP/SSL connection; it will ask for the SN and, if the provided SN is already added to Panorama, it will accept the FW request and complete the registration. So in your case, once you change the mgmt IP, the FW will generate a new TCP session with the new source, Panorama will establish this session, see that the SN is the same as the one already registered, and automatically update the IP under "Managed Devices".

 

Similar to the FW, you can configure a permitted IP list to specify which IP addresses are allowed to connect to Panorama; if nothing is defined, Panorama will accept anything. So if you have anything configured under permitted IP, make sure you have included the new mgmt IP/range.

 

- You cannot SSH to a member over the HA link. Even if you receive a password prompt, the firewall will not allow you to connect.

 

- As a fallback you can configure a mgmt profile on a dataplane interface. Indeed, for an HA cluster you will be able to connect only to the active member, but this should be enough as a fallback:

1. Assign the mgmt profile

2. Connect to the active FW, fix the mgmt IP

3. Suspend the FW to cause failover

4. Reconnect to the mgmt profile IP, which now will connect you to the second FW

5. Fix the mgmt IP on the secondary device

 

 

- I believe @OtakarKlier was trying to say: check your HA config and make sure you don't use the mgmt IP for HA1. If you do and you don't have a backup HA1, you will have split brain once you change the FW mgmt IP on one of the members.
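The fallback path described in the reply above (mgmt profile on a dataplane interface, fix the active node, suspend it, fix the second node), written out as a PAN-OS CLI sequence. This is an added example, not part of the post and not vendor documentation; the interface ethernet1/1, the profile name mgmt-fallback, the hostnames fw-a/fw-b and all addresses (RFC 5737 documentation ranges) are assumptions.

```text
# 0. Pre-check on the active node: HA1 must not ride on the management
#    interface, otherwise changing the mgmt IP on one node splits the pair.
admin@fw-a> show high-availability all | match ha1

# 1. Fallback door: management profile on a dataplane interface, limited
#    to the admin network. Network config is HA-synced, so once is enough.
admin@fw-a> configure
admin@fw-a# set network profiles interface-management-profile mgmt-fallback ssh yes https yes ping yes permitted-ip 198.51.100.0/24
admin@fw-a# set network interface ethernet ethernet1/1 layer3 interface-management-profile mgmt-fallback
admin@fw-a# commit
admin@fw-a# exit

# 2. Active node: change the mgmt IP and gateway in one commit. The SSH
#    session drops; reconnect to the new IP, or to ethernet1/1 from step 1
#    if the new address is unreachable. deviceconfig system is NOT
#    HA-synced, so this is done separately on each node.
admin@fw-a> configure
admin@fw-a# set deviceconfig system ip-address 192.0.2.10 netmask 255.255.255.0 default-gateway 192.0.2.1
admin@fw-a# commit
admin@fw-a# exit
admin@fw-a> show system info | match ip-address

# 3. Force a failover so the fallback interface is now answered by fw-b.
admin@fw-a> request high-availability state suspend

# 4. Reconnect to the ethernet1/1 address (now fw-b) and repeat step 2
#    with that node's own new address.
admin@fw-b> configure
admin@fw-b# set deviceconfig system ip-address 192.0.2.11 netmask 255.255.255.0 default-gateway 192.0.2.1
admin@fw-b# commit
admin@fw-b# exit

# 5. Return fw-a to service and verify the pair. Panorama needs no change:
#    it matches the nodes by serial number and updates the IP itself.
admin@fw-a> request high-availability state functional
admin@fw-a> show high-availability state
```

Once both nodes are reachable on their new addresses, the mgmt-fallback profile can be removed from ethernet1/1 again so the dataplane interface no longer answers management traffic.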

@aleksandar.astardzhiev Thanks a lot. This is clear now.
