11-15-2020 06:40 AM
Please, can anyone list the steps for changing the IP address subnet of my current FMC and 2 FTDs in HA? I have read that in FMC 6.5 changing the IP can be done in the GUI, but I'm not sure of the steps for doing the whole thing.
Solved! Go to Solution.
11-16-2020 12:48 AM - edited 11-16-2020 12:52 AM
Assuming you are referring to the management IP addresses, I don't think you need to break the HA to make these changes. The HA link is formed on a data interface, so changing the management IP addresses does not affect the HA connection between the peers. Here is a summary of the steps I would go through to apply these changes. I am using FMC/FTD 6.7 in this example, but it should be similar on the previous versions:
1) Change the FMC management IP
2) Wait till the sftunnel is re-established between the FMC and the FTD appliances
3) Change the primary FTD management IP on the FTD
4) Change the primary FTD management IP on the FMC
5) Change the secondary FTD management IP on the FTD
6) Change the secondary FTD management IP on the FMC
--
1) To change the FMC management IP:
2) To verify that the sftunnel is re-established, use the command sftunnel-status from the FTD CLISH mode ">". Go to the end and check whether the new FMC IP address is populated next to the 'ip' variable, and also check that the 'active' variable shows 1. Please keep in mind that changing the FMC IP address does not require deleting the FMC as the manager and re-adding it on the FTD appliances.
3) To change the primary FTD management IP on the FTD, log into the primary FTD, and use the command configure network ipv4 manual <the new IP address> <subnet mask> <the default gateway>
4) To change the primary FTD management IP on the FMC:
5) Similar to step 3, to change the secondary FTD management IP on the FTD
6) Similar to step 4, change the secondary FTD management IP on the FMC.
11-15-2020 10:46 AM
As per my learning (never done it myself): you need to break the HA, change the IP, and join them back.
Technically, personally, it can be done like this:
1. Bring the standby offline so it cannot become active (now there is effectively no failover; the active will always be active).
2. Change the active/standby device HA IP.
3. Connect only the HA link between the 2 boxes so they have communication and the configuration is synced from primary to secondary.
Connect the rest of the links as per the network; just think before you deploy. Make sure to offload the current config out of the box, and do this step in a change/maintenance window.
11-15-2020 01:12 PM
But I read some steps where I need to disable the FTD maintenance from the FMC? Also, is it true that I can change the FMC IP from the GUI in 6.5? If yes, from where?
04-08-2023 02:14 AM
Hi,
did someone test this scenario?
Will "show managers" on the FTD update itself?
Regards,
Alex
04-11-2023 02:56 AM
Hi,
I did some tests in a lab.
FMC 7.2, IP 10.1.11.30
FTDv 6.6.0, IP 10.1.11.31
Changed the FMC IP to 10.11.1.181 as described. -> DONE OK
The FTD will update its sftunnel-status:
> show managers
Type : Manager
Host : 10.1.11.30
Registration : Completed
>
>
> sftunnel-status
SFTUNNEL Start Time: Sun Jan 29 12:22:20 2023
Both IPv4 and IPv6 connectivity is supported
Broadcast count = 112147
Reserved SSL connections: 0
Management Interfaces: 1
eth0 (control events) 10.1.11.31,
***********************
**RUN STATUS****10.1.11.30*************
Key File = /var/sf/peers/c10e7f24-29f6-11ed-83cc-0aab1286a13d/sftunnel-key.pem
Cert File = /var/sf/peers/c10e7f24-29f6-11ed-83cc-0aab1286a13d/sftunnel-cert.pem
CA Cert = /var/sf/peers/c10e7f24-29f6-11ed-83cc-0aab1286a13d/cacert.pem
Cipher used = AES256-GCM-SHA384 (strength:256 bits)
ChannelA Connected: Yes, Interface eth0
Cipher used = AES256-GCM-SHA384 (strength:256 bits)
ChannelB Connected: Yes, Interface eth0
Registration: Completed.
IPv4 Connection to peer '10.1.11.30' Start Time: Tue Apr 11 09:16:36 2023
PEER INFO:
sw_version 7.2.0
sw_build 82
Management Interfaces: 1
eth0 (control events) 10.1.11.180,
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.1.11.180' via '10.1.11.31'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.1.11.180' via '10.1.11.31'
TOTAL TRANSMITTED MESSAGES <4> for Identity service
RECEIVED MESSAGES <2> for Identity service
SEND MESSAGES <2> for Identity service
FAILED MESSAGES <0> for Identity service
HALT REQUEST SEND COUNTER <0> for Identity service
STORED MESSAGES for Identity service (service 0/peer 0)
STATE <Process messages> for Identity service
REQUESTED FOR REMOTE <Process messages> for Identity service
REQUESTED FROM REMOTE <Process messages> for Identity service
TOTAL TRANSMITTED MESSAGES <247> for IP(NTP) service
RECEIVED MESSAGES <177> for IP(NTP) service
SEND MESSAGES <70> for IP(NTP) service
FAILED MESSAGES <0> for IP(NTP) service
HALT REQUEST SEND COUNTER <0> for IP(NTP) service
STORED MESSAGES for IP(NTP) service (service 0/peer 0)
STATE <Process messages> for IP(NTP) service
REQUESTED FOR REMOTE <Process messages> for IP(NTP) service
REQUESTED FROM REMOTE <Process messages> for IP(NTP) service
TOTAL TRANSMITTED MESSAGES <4> for Health Events service
RECEIVED MESSAGES <2> for Health Events service
SEND MESSAGES <2> for Health Events service
FAILED MESSAGES <0> for Health Events service
HALT REQUEST SEND COUNTER <0> for Health Events service
STORED MESSAGES for Health service (service 0/peer 0)
STATE <Process messages> for Health Events service
REQUESTED FOR REMOTE <Process messages> for Health Events service
REQUESTED FROM REMOTE <Process messages> for Health Events service
TOTAL TRANSMITTED MESSAGES <15> for RPC service
RECEIVED MESSAGES <3> for RPC service
SEND MESSAGES <12> for RPC service
FAILED MESSAGES <0> for RPC service
HALT REQUEST SEND COUNTER <0> for RPC service
STORED MESSAGES for RPC service (service 0/peer 0)
STATE <Process messages> for RPC service
REQUESTED FOR REMOTE <Process messages> for RPC service
REQUESTED FROM REMOTE <Process messages> for RPC service
TOTAL TRANSMITTED MESSAGES <0> for EStreamer Events service
RECEIVED MESSAGES <0> for service EStreamer Events service
SEND MESSAGES <0> for EStreamer Events service
FAILED MESSAGES <0> for EStreamer Events service
HALT REQUEST SEND COUNTER <0> for EStreamer Events service
STORED MESSAGES for EStreamer Events service (service 0/peer 0)
STATE <Process messages> for EStreamer Events service
REQUESTED FOR REMOTE <Process messages> for EStreamer Events service
REQUESTED FROM REMOTE <Process messages> for EStreamer Events service
TOTAL TRANSMITTED MESSAGES <12> for IDS Events service
RECEIVED MESSAGES <6> for service IDS Events service
SEND MESSAGES <6> for IDS Events service
FAILED MESSAGES <0> for IDS Events service
HALT REQUEST SEND COUNTER <0> for IDS Events service
STORED MESSAGES for IDS Events service (service 0/peer 0)
STATE <Process messages> for IDS Events service
REQUESTED FOR REMOTE <Process messages> for IDS Events service
REQUESTED FROM REMOTE <Process messages> for IDS Events service
TOTAL TRANSMITTED MESSAGES <4> for CSM_CCM service
RECEIVED MESSAGES <2> for CSM_CCM service
SEND MESSAGES <2> for CSM_CCM service
FAILED MESSAGES <0> for CSM_CCM service
HALT REQUEST SEND COUNTER <0> for CSM_CCM service
STORED MESSAGES for CSM_CCM (service 0/peer 0)
STATE <Process messages> for CSM_CCM service
REQUESTED FOR REMOTE <Process messages> for CSM_CCM service
REQUESTED FROM REMOTE <Process messages> for CSM_CCM service
TOTAL TRANSMITTED MESSAGES <3> for Malware Lookup Service service
RECEIVED MESSAGES <2> for Malware Lookup Service) service
SEND MESSAGES <1> for Malware Lookup Service service
FAILED MESSAGES <0> for Malware Lookup Service service
HALT REQUEST SEND COUNTER <0> for Malware Lookup Service service
STORED MESSAGES for Malware Lookup Service service (service 0/peer 0)
STATE <Process messages> for Malware Lookup Service service
REQUESTED FOR REMOTE <Process messages> for Malware Lookup Service) service
REQUESTED FROM REMOTE <Process messages> for Malware Lookup Service service
Priority UE Channel 1 service
TOTAL TRANSMITTED MESSAGES <19> for UE Channel service
RECEIVED MESSAGES <2> for UE Channel service
SEND MESSAGES <17> for UE Channel service
FAILED MESSAGES <0> for UE Channel service
HALT REQUEST SEND COUNTER <0> for UE Channel service
STORED MESSAGES for UE Channel service (service 0/peer 0)
STATE <Process messages> for UE Channel service
REQUESTED FOR REMOTE <Process messages> for UE Channel service
REQUESTED FROM REMOTE <Process messages> for UE Channel service
Priority UE Channel 0 service
TOTAL TRANSMITTED MESSAGES <21> for UE Channel service
RECEIVED MESSAGES <2> for UE Channel service
SEND MESSAGES <19> for UE Channel service
FAILED MESSAGES <0> for UE Channel service
HALT REQUEST SEND COUNTER <0> for UE Channel service
STORED MESSAGES for UE Channel service (service 0/peer 0)
STATE <Process messages> for UE Channel service
REQUESTED FOR REMOTE <Process messages> for UE Channel service
REQUESTED FROM REMOTE <Process messages> for UE Channel service
TOTAL TRANSMITTED MESSAGES <292529> for FSTREAM service
RECEIVED MESSAGES <145948> for FSTREAM service
SEND MESSAGES <146581> for FSTREAM service
FAILED MESSAGES <0> for FSTREAM service
Heartbeat Send Time: Tue Apr 11 09:23:32 2023
Heartbeat Received Time: Tue Apr 11 09:23:18 2023
***********************
**RPC STATUS****10.1.11.30*************
'ip' => '10.1.11.180',
'uuid' => 'c10e7f24-29f6-11ed-83cc-0aab1286a13d',
'ipv6' => 'IPv6 is not configured for management',
'name' => '10.1.11.30',
'active' => 1,
'uuid_gw' => '',
'last_changed' => 'Tue Apr 11 09:15:13 2023'
Check routes:
No peers to check
>
But changing the FTD IP does not work for me.
> configure network ipv4 manual
IP address AAA.BBB.CCC.DDD where each part is in the range 0-255 IPv4 address
> configure network ipv4 manual 10.1.11.181 255.255.255.0 10.1.11.1
Setting IPv4 network configuration.
On the FTD, sftunnel-status gets an error:
>
> sftunnel-status
SFTUNNEL Start Time: Tue Apr 11 09:28:20 2023
Both IPv4 and IPv6 connectivity is supported
Broadcast count = 4
Reserved SSL connections: 0
Management Interfaces: 1
eth0 (control events) 10.1.11.181,
***********************
**RUN STATUS****10.1.11.30*************
Connected: No
SSL Verification status: ok
Registration: Completed.
Connection to peer '10.1.11.30' never happened
Connection to peer '10.1.11.30' Attempted at Tue Apr 11 09:39:55 2023
***********************
peer c10e7f24-29f6-11ed-83cc-0aab1286a13d did not reply at /usr/local/sf/bin/sftunnel_status.pl line 302.
Retry rpc status poll at /usr/local/sf/bin/sftunnel_status.pl line 308.
**RPC STATUS****10.1.11.30*************
RPC status :Failed
Check routes:
No peers to check
>
So, in my defence, the FMC eval is off, so I can't deploy.
But for now I cannot see how this could work.
Regards,
Alex
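The check the accepted answer describes (look at the end of sftunnel-status for the new FMC address next to 'ip' and for 'active' => 1), applied to the two outputs Alex posted above. This is an added example, not code from the thread or from Cisco: parse_sftunnel_status and check_tunnel are names chosen here, and the two sample strings are trimmed copies of the outputs above (message counters removed). It runs on any Python 3 and can be fed the text copied from the FTD CLISH prompt.

```python
"""Verify sftunnel-status output after a management-IP change.

Added example: parses the text printed by the FTD `sftunnel-status`
command and applies the checks from the accepted answer (new FMC
address next to 'ip', 'active' => 1, both channels connected), plus a
check that the tunnel is bound to the FTD's own new address.
"""
import re

# Trimmed copies of the two outputs posted in the thread (sample input).
HEALTHY = """\
SFTUNNEL Start Time: Sun Jan 29 12:22:20 2023
Management Interfaces: 1
eth0 (control events) 10.1.11.31,
***********************
**RUN STATUS****10.1.11.30*************
ChannelA Connected: Yes, Interface eth0
ChannelB Connected: Yes, Interface eth0
Registration: Completed.
IPv4 Connection to peer '10.1.11.30' Start Time: Tue Apr 11 09:16:36 2023
PEER INFO:
sw_version 7.2.0
Management Interfaces: 1
eth0 (control events) 10.1.11.180,
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.1.11.180' via '10.1.11.31'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.1.11.180' via '10.1.11.31'
***********************
**RPC STATUS****10.1.11.30*************
  'ip' => '10.1.11.180',
  'uuid' => 'c10e7f24-29f6-11ed-83cc-0aab1286a13d',
  'ipv6' => 'IPv6 is not configured for management',
  'name' => '10.1.11.30',
  'active' => 1,
"""

BROKEN = """\
SFTUNNEL Start Time: Tue Apr 11 09:28:20 2023
Management Interfaces: 1
eth0 (control events) 10.1.11.181,
***********************
**RUN STATUS****10.1.11.30*************
Connected: No
SSL Verification status: ok
Registration: Completed.
Connection to peer '10.1.11.30' never happened
***********************
**RPC STATUS****10.1.11.30*************
RPC status :Failed
"""


def parse_sftunnel_status(text):
    """Pull the fields worth checking out of sftunnel-status output."""
    info = {
        "local_ip": None,      # FTD management address the tunnel binds to
        "peer_name": None,     # how the FTD still names the FMC (RUN STATUS header)
        "channel_a": False,    # control channel connected
        "channel_b": False,    # event channel connected
        "connected_to": None,  # address the channels actually reached
        "rpc_ip": None,        # 'ip' in the RPC STATUS block (current FMC address)
        "active": None,        # 'active' in the RPC STATUS block
        "rpc_failed": False,   # "RPC status :Failed" seen
    }
    before_peer_info = True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PEER INFO"):
            before_peer_info = False
        m = re.match(r"eth\d+ \(control events\) ([\d.]+),", line)
        if m and before_peer_info and info["local_ip"] is None:
            info["local_ip"] = m.group(1)   # first interface line is the local side
        m = re.match(r"\*\*RUN STATUS\*+([^*]+)\*+", line)
        if m:
            info["peer_name"] = m.group(1)
        m = re.match(r"Channel([AB]) Connected: (Yes|No)", line)
        if m:
            info["channel_" + m.group(1).lower()] = m.group(2) == "Yes"
        m = re.search(r"connected to '([^']+)' via", line)
        if m:
            info["connected_to"] = m.group(1)
        m = re.search(r"'ip' => '([^']+)'", line)
        if m:
            info["rpc_ip"] = m.group(1)
        m = re.search(r"'active' => (\d+)", line)
        if m:
            info["active"] = int(m.group(1))
        if line.startswith("RPC status") and "Failed" in line:
            info["rpc_failed"] = True
    return info


def check_tunnel(text, expected_fmc_ip, expected_ftd_ip=None):
    """Return (ok, problems) for the checks from the accepted answer."""
    info = parse_sftunnel_status(text)
    problems = []
    if expected_ftd_ip and info["local_ip"] != expected_ftd_ip:
        problems.append(f"tunnel bound to {info['local_ip']}, expected {expected_ftd_ip}")
    if not (info["channel_a"] and info["channel_b"]):
        problems.append("control/event channels not connected")
    if info["rpc_failed"]:
        problems.append("RPC status poll failed")
    if info["rpc_ip"] != expected_fmc_ip:
        problems.append(f"RPC 'ip' is {info['rpc_ip']}, expected {expected_fmc_ip}")
    if info["active"] != 1:
        problems.append(f"'active' is {info['active']}, expected 1")
    return (not problems, problems)


if __name__ == "__main__":
    for label, sample in (("after FMC change", HEALTHY), ("after FTD change", BROKEN)):
        ok, problems = check_tunnel(sample, "10.1.11.180")
        print(label, "OK" if ok else "NOT OK", problems)
```

Note what the first output shows: the RUN STATUS header and the 'name' field still carry the old FMC address 10.1.11.30 after the change, while 'ip' carries the new 10.1.11.180 and the channel lines show the connection going to that new address, which is why the accepted answer says to read 'ip' and 'active' rather than the header. In the second output the tunnel is bound to the FTD's new address 10.1.11.181, but both channels are down and the RPC status poll fails, so the check reports it as not established.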