
FTD: Need to Change MGMT IP

Piyush_Sharma
Beginner

Hi,

 

I need to change the management IP of both FTDs running in HA, and the FMC will be the same.

 

Please suggest the best way to do it, as after de-registering the previous IP from FMC, we need to re-register to FMC with the new IP.


Rodrigo Gurriti
Participant

I would:

1 - Place the HA in maintenance to suspend them (do not break, because that will erase the failover config).

 

2- delete the manager from the FTD: 

configure manager delete

 

3 - remove the device from FMC

Devices > Device Management

 

4 -  change the IPs of the FTD:

 

configure network ipv4 manual ipaddr netmask gw [management_interface]

 

5 - Add the manager back on FTD:

configure manager add

 

6 - Add the FTD to the FMC and reapply the configuration.

Devices > Device Management

7 - When you re-deploy your policies there will be a traffic interruption.  I would do this during a maintenance window. 

 

I haven't seen any documentation on Cisco's website for this procedure. 

Hi Rodrigo Gurriti,

 

While re-adding the device to FMC again, does HA need to be configured?

 

Will FMC automatically detect the HA? Do I just need to add both devices?

Wow. It worked well. Many thanks

Does the act of deleting the manager from the FTD device cause the device to lose its configuration? The way you worded your steps it sounds like the answer is no (which is great!) but I just wanted to verify. If the only traffic interruption you get is from the policy redeployment and there is no need to reconfigure all of the interfaces, that is actually a very seamless process. I am in a similar situation and will need to do this myself soon.

Hi @brandonbittinger 

The command "configure manager delete" resets the FTD configuration to default, so completely removes the FTD configuration (access control policies, data interfaces etc). The management interface configuration is not removed.

 

Reference here.

 

HTH

Hi Rodrigo - How do you put an HA pair into "maintenance mode"?  I can't find that anywhere in the documentation and I don't see anything in the GUI about maintenance mode. 

 

Also, you can't remove a device from FMC that has VPN config applied.  Sadly, you can't unapply the config, you can only delete it.  Make sure you have the settings handy because you will be reconfiguring all the VPN tunnels. 

Try this method instead:

1. Disable management of the device in FMC. Do that via Device Management > edit the Device > Device tab > move slider next to management section.

2. Change the address on the device directly using the "configure network ..." command from the CLI.

3. Edit the management address in FMC from the same place you disabled management. Then move the slider back to enable management. 
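
A pre-change check for the `configure network ipv4 manual` step that both procedures above rely on, as an added example that is not part of the original posts or any Cisco tooling. It rejects a plan that would leave a unit unreachable on its management interface and returns the CLI line to type on each unit; the function name, unit labels and addresses are constructed for illustration.

```python
import ipaddress


def plan_mgmt_change(units, netmask, gateway, fmc_ip):
    """Validate planned FTD management addressing; return one CLI line per unit.

    units maps a label to its new management IP. Raises ValueError when the
    plan would leave a unit unreachable after the change.
    """
    gw = ipaddress.IPv4Address(gateway)
    fmc = ipaddress.IPv4Address(fmc_ip)
    seen = {}
    commands = {}
    for name, ip in units.items():
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        net = iface.network
        # Network/broadcast addresses are unusable except on /31 and /32.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name}: {iface.ip} is not a host address in {net}")
        if gw not in net:
            raise ValueError(f"{name}: gateway {gw} is outside {net}")
        if iface.ip in (gw, fmc):
            raise ValueError(f"{name}: {iface.ip} collides with the gateway or FMC")
        if iface.ip in seen:
            raise ValueError(f"{name}: {iface.ip} already assigned to {seen[iface.ip]}")
        seen[iface.ip] = name
        commands[name] = f"configure network ipv4 manual {iface.ip} {iface.netmask} {gw}"
    return commands


# Constructed sample plan for an HA pair (labels and addresses are made up).
SAMPLE_PLAN = {"ftd-primary": "10.20.30.11", "ftd-secondary": "10.20.30.12"}

if __name__ == "__main__":
    plan = plan_mgmt_change(SAMPLE_PLAN, "255.255.255.0", "10.20.30.1", "10.20.40.5")
    for unit, cmd in plan.items():
        print(f"{unit}: {cmd}")
```
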

Marvin - This actually worked nicely, thanks!  The problem I have now is that I need to change the IP of the FMC but idk how to do it without breaking the sensor comms to the FMC.  Any ideas?

 

Hopefully this is relevant enough to the OP.  Don't want to hijack the thread.  =]

As far as I know, changing the FMC address will require you to "configure manager delete" on the managed devices, change the address on FMC, "configure manager add" using the new address on the devices and then redeploy from FMC to sync everything.

If this is production, I'd definitely recommend raising a TAC case as my information is based on general understanding of the product and not any published procedure.

Hi,


You can't do it without breaking the communication between the sensor and the manager. Is the FMC configured on the sensor only via the IP address, or do you also have the hostname configured?

 

Regards,

Cristian Matei.

Cristian,
I see where you're going with this and unfortunately it's configured using the IP. I always use IPs for the device communication because I've run into problems before using DNS. Kinda surprised that Cisco wouldn't code in a way to change the manager IP on the sensor. I can't be the only person needing to make a subnet change.

Only version 6.5 and later have the ability to change the FMC IP... you have to delete the FTD from FMC first on earlier versions!!

Furqan,

At the risk of resurrecting a dead thread, where did you happen to read that it was possible to change the Management IP in version 6.5 and higher?  

I looked through the release notes and I wasn't able to find it.

 

Thanks!

I had participated in the 6.5 beta program and tested that feature, but I believe they have removed it from the final release and moved that feature to FMC Model Migration for the 6.5 version. That allows you to change the MGMT IP address without deleting the FTDs from the FMC.
