Changing Virtual FMC management address

Chess Norris
Level 4

Hi,


Is there any way I can change the management address of a virtual FMC without first removing the FTD from the FMC and then re-registering the FTD after I have changed the IP address?

The issue is that the customer already has VPN tunnels configured and it is not possible, as far as I know, to remove the FTD without first deleting all VPN tunnel configuration.


Thanks

/Chess

5 Replies

Marvin Rhoads
Hall of Fame

You can change the FMC address under System > Configuration. Or use the CLI script as follows:

sudo /usr/local/sf/bin/configure-network

After you have done that you will need to change the FMC from the managed device with "configure manager delete" and then "configure manager add" and resync the configuration. It will require an outage on the managed devices during this second process.

Thank you @Marvin Rhoads. I was under the assumption that I needed to delete the FTD from the FMC as well, and this was when I got the error about the VPN configuration. So deleting the manager from the FTD CLI and then re-adding it would be enough?


I am in the process of moving both the FTD and the FMC to a new management network, and my plan was to first change the IP address on the FTD and then on the FMC, but I am not 100% sure that this is the correct order, so I am looking for the correct step-by-step approach.


Thanks

/Chess


Marvin Rhoads
Hall of Fame

There's not a documented approach for changing everything as part of one overall process as this is an unusual set of things to do together.

FMC you change as I noted.

For FTD, first disable device management in FMC. Then change the address on the managed device directly ("configure network..." from the cli). Then edit the management address in FMC, re-enable management and sync policy via a deployment.

Chess Norris
Level 4

Quick update after testing this in my lab.


Deleting the manager from the FTD CLI and changing the IP addresses on the FTD and FMC went without issues, except that I needed to use the ESXi console and run the network script when changing the FMC IP. Not sure why it didn't take the changes from the GUI.


I then added the FMC back with the configure manager add command and used the same password as before.


The problem came after I tried to enable management again from the FMC. It would just time out and ask me to try adding it again later.

I started a pigtail log on both the FMC and the FTD, tried to enable management again, and saw the following message in the pigtail log: "MSGS: 10-05 01:24:03 ftd01 SF-IMS[7603]: [13408] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer 'x.x.x.x'"

Removing the device from the FMC and adding it again worked, so it looks like it is not possible to change the management address without unregistering the device from the FMC.

I also noted that all my security zones had lost their interface members, so the ACP and NAT policies were not working at all. I needed to re-add them from the object-Interface page.

To sum up: this task is far from straightforward and not something I would do in production without a maintenance window and fresh backups of both the FTD and the FMC.
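When re-registering after an address change, the quickest way to confirm whether the sftunnel between FTD and FMC is failing on authentication (the symptom in the post above) is to scan the pigtail output for the VerifyConnect warning. The parser below is an added example, not code from the thread or from Cisco; the line layout it assumes is taken from the single line quoted above, and the sample log lines and peer address are constructed.

```python
import re
from typing import Iterable, Optional

# Assumed layout of the sftunnel lines pigtail prints, taken from the line quoted in the post:
#   MSGS: MM-DD HH:MM:SS host SF-IMS[pid]: [tid] daemon:module [LEVEL] message
PIGTAIL_RE = re.compile(
    r"^MSGS: (?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"SF-IMS\[(?P<pid>\d+)\]: \[(?P<tid>\d+)\] (?P<daemon>[^:\s]+):(?P<module>\S+) "
    r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer '(?P<peer>[^']+)'")


def parse_pigtail_line(line: str) -> Optional[dict]:
    """Split one pigtail line into its fields; return None for lines that do not match."""
    m = PIGTAIL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["tid"] = int(rec["tid"])
    peer = PEER_RE.search(rec["msg"])
    rec["peer"] = peer.group("peer") if peer else None  # manager/device address, if quoted
    return rec


def find_auth_failures(lines: Iterable[str]) -> list:
    """Return (timestamp, host, peer) for every sftunneld VerifyConnect authentication failure."""
    hits = []
    for line in lines:
        rec = parse_pigtail_line(line)
        if rec is None or rec["daemon"] != "sftunneld":
            continue
        if rec["level"] == "WARN" and rec["msg"].startswith("VerifyConnect:Failed to authenticate"):
            hits.append((rec["ts"], rec["host"], rec["peer"]))
    return hits


# Constructed sample: the first line mirrors the post's message with a documentation-range peer;
# the other two are made-up filler to show that unrelated lines are ignored.
SAMPLE_LOG = [
    "MSGS: 10-05 01:24:03 ftd01 SF-IMS[7603]: [13408] sftunneld:sf_ssl [WARN] "
    "VerifyConnect:Failed to authenticate or to be authenticated by peer '192.0.2.10'",
    "MSGS: 10-05 01:24:01 ftd01 SF-IMS[7603]: [13408] sftunneld:sf_connections [INFO] "
    "Start connection to : 192.0.2.10 (constructed sample)",
    "MSGS: 10-05 01:24:05 ftd01 SF-IMS[7611]: [13420] SFDataCorrelator:main [INFO] "
    "heartbeat (constructed sample)",
]

if __name__ == "__main__":
    for ts, host, peer in find_auth_failures(SAMPLE_LOG):
        print(f"{ts} {host}: sftunnel authentication failed with peer {peer}")
```

A failure with the expected peer address points at stale registration state rather than at reachability, which matches the thread's outcome of having to re-register the device.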

It's definitely not a straightforward process. I know Cisco are planning significant changes going forward in 6.7 and later releases. Personally I'm a bigger fan of CDO management for many things.
