
Physically moving and changing the IP address of an FMC pair.

James Hardman
Level 1

Good afternoon,

We are planning to move an FMC pair, which is hosted across two datacentres, to two new datacentres. We have to change the IP addresses of the FMCs, which manage a number of FTD pairs. My plan is:

  1. From the primary FMC (FMC1) GUI go to System, Integration, High Availability, Break High Availability. Choose the option "Manage registered devices from this console" (all devices will be unregistered from the peer).
  2. Power down FMC2.  Verify all FTD pairs are still operating and healthy from FMC1.
  3. Physically move FMC2 to the new datacentre and connect into the network.
  4. Re-configure the IP address of FMC2:
       expert
       sudo su
       /etc/sysconfig/configure-network

  5. Go to a site where an FTD pair is being managed by FMC1
  6. Disconnect all data cables (not the HA or mgmt) from the standby FTD (FTD2)
  7. Suspend HA between the firewalls by running the following from FTD1:
    1. configure high-availability suspend
  8. On FTD2, delete and re-add the manager, using the new IP address of FMC2:
    1. configure manager delete
       configure manager add <IP add> <Unique Code>

  9. Confirm the registration on FMC2
  10. Re-connect the data cables to FTD2 and disconnect data cables from FTD1
  11. Test FTD2 is passing traffic okay.
  12. Repeat steps 6, 8 and 9 on FTD1
  13. Re-connect all data cables to FTD1
  14. Un-suspend HA from the FTD1 CLI with:
    1. configure high-availability resume
  15. Confirm high availability on the FTDs and FMC2. If required, rebuild HA on FMC2:
    1. Devices, Device Management, 'Add High Availability'
  16. Push all policies to the FTDs.
  17. Test
  18. Repeat steps 5 to 17 for all sites hosting FTDs
  19. Once all sites are managed by FMC2, repeat steps 2 to 4 for FMC1
  20. Re-add FMC1 into a cluster with FMC2, ensuring FMC1 is secondary
  21. Confirm FMC cluster health.  Promote FMC1 back to primary. Test again.

Thoughts?

Thank you for any feedback.

Regards

Jimmy

4 Replies

What version are you running on the FMC and FTDs? And are you managing the FTDs over VPN or via a data interface?

In newer versions you can update the FMC IP on the FTD devices without removing them from management, saving you a lot of time and hassle re-adding them and reconfiguring everything.

If memory serves me correctly, the option to update management IPs came in 6.7.

Also, after changing the IP on the FMC, the FTDs should re-establish the connection automatically, given that the sftunnel is up when the change happens. I am not entirely sure how this will behave if the IP is changed while the sftunnel is down.

So here are my suggestions on how to proceed, depending on the software version running:

  • back up the FMCs and take FTD device backups
  • change the IP of the FMC as you indicated, or follow this LINK
  • verify that the connection between the FMC and the FTDs is re-established
  • update the manager IP on the FTDs following this LINK. This is optional as long as the connection is re-established after changing the FMC IP. However, I much prefer to have correct information across the board when making changes. It can get confusing when troubleshooting to see different IPs on the FMC and FTD.
--
Please remember to select a correct answer and rate helpful posts

Thank you for your reply.

I never thought about the sftunnel establishment with the secondary FMC, i.e. this information is passed to the FTDs once they have registered with the primary FMC.

Therefore, changing FMC2's IP address (and physically moving it to the new DC), but then ensuring it re-establishes HA with FMC1 again, should in theory update all the FTDs' manager IP address for the secondary/FMC2. Then, if I fail the FMCs over, FMC2 should now be managing all the FTDs via its new IP address and I can undertake the same process on FMC1. Great news. A lot less work and disruption than my proposal.

ccieexpert
Spotlight

The FMC will establish the sftunnel as its IP has changed. The client will not know about the IP change of the FMC until the FMC re-establishes the sftunnel to each FTD box. I would suggest doing this in phases:

1) change the IP of the secondary FMC

2) verify that the primary and secondary FMC are communicating

3) verify the sftunnel is there to the secondary FMC from all FTD boxes

4) make the secondary FMC the active unit; check sftunnel status to the secondary; test a policy push to 1 FTD (if you want to be sure that it works)

5) change the old primary FMC IP address

6) verify HA

7) verify the sftunnel to the old primary and the new primary (old secondary)

Switch HA roles if you really want to, or leave it as is.

This is a safer option than having to change both FMC units' IPs at once.
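The phased approach above hinges on one condition that both replies call out: the sftunnel must be reachable from the FMC's new address before the FMC IP is changed or HA roles are switched. The following bash script is an added example (not code from anyone in this thread) of a pre-flight check to run from the FMC's expert shell: it confirms that every FTD management address accepts a TCP connection on port 8305, the port sftunnel uses, and refuses to give a go-ahead if any does not. The FTD addresses, the FTD_HOSTS variable and the injectable probe function are assumptions for the example; it does not parse any FMC or FTD command output.

```bash
#!/usr/bin/env bash
# Pre-flight check before re-IPing an FMC or switching FMC HA roles:
# every managed FTD must answer on TCP/8305 (sftunnel) from this host.
# Added example, not part of the original thread. Assumptions: the FTD
# management IPs come from FTD_HOSTS (space-separated, placeholders in
# the usage line below); the probe is passed in as a function name so the
# logic can be exercised without real devices.

SFTUNNEL_PORT=8305

# tcp_probe HOST PORT: attempt a TCP handshake using bash's /dev/tcp with a
# 3-second timeout. Returns 0 on success, non-zero on refusal or timeout.
tcp_probe() {
    local host=$1 port=$2
    timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# check_sftunnel_reachability PROBE HOST...
# Probes each HOST on SFTUNNEL_PORT with PROBE. Prints unreachable hosts
# (one per line) on stdout, a per-host status on stderr, and returns 1 if
# any host failed, 0 if all succeeded.
check_sftunnel_reachability() {
    local probe=$1; shift
    local rc=0 host
    for host in "$@"; do
        if "$probe" "$host" "$SFTUNNEL_PORT"; then
            echo "OK       ${host}:${SFTUNNEL_PORT}" >&2
        else
            echo "UNREACH  ${host}:${SFTUNNEL_PORT}" >&2
            echo "$host"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholder addresses):
#   FTD_HOSTS='10.0.1.2 10.0.2.2 10.0.3.2' bash preflight_sftunnel.sh
if [ -n "${FTD_HOSTS:-}" ]; then
    # Word-splitting FTD_HOSTS is intentional.
    # shellcheck disable=SC2086
    if unreachable=$(check_sftunnel_reachability tcp_probe $FTD_HOSTS); then
        echo "all FTDs reachable on ${SFTUNNEL_PORT}; safe to proceed" >&2
    else
        echo "do NOT change the FMC IP or switch HA roles until these are reachable:" >&2
        echo "$unreachable" >&2
        exit 1
    fi
fi
```

Run it once from the new FMC address before step 1 (changing the secondary's IP) and again before step 4 (making the secondary active); a host listed as UNREACH is an FTD whose sftunnel will not come back on its own after the change.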


Thank you! This makes sense and is way simpler than what I had planned. I have never deployed an FMC or FTD in a live environment; I usually just manage them once they are in service. Looking forward to the migration, good learning curve.


Thank you again!
