kgaigl
Nov 16, 2022
Solved

Changing Management-ip in an HA pair setup

Hello,

I've read this Article: https://support.f5.com/csp/article/K62249587

but I've a question:

If the management IP is not involved in Failover Network or Config Sync, do I need to delete the Device Trust?

I thought about these steps:

  1. force the standby unit offline
  2. change Management IP of the standby unit
  3. change Management IP of the active unit
  4. release standby unit from offline

Would there be traffic interruption?

Does the Management IP define the Device Trust?

As I've described, Failover Networks are HA and Inside Interface 

Thanks for Answers

Karl

3 Replies

  • Hi kgaigl,
    Yes, it is a best practice to break the device trust even if you do not use the management network in "Config sync or mirroring", or even if you did not build the device trust between devices by "HA or other VLAN interfaces", not by using management IPs.
    > Before, I implemented HA between 2 F5 appliances, and I did not use the management interfaces to build the trust ("exchange certificates"); instead I used the "HA" VLAN IPs/interfaces, and it works well until now.
    > But the issue is:
    Open (Device Management >>> select Devices >>> Properties tab) and you can see the peer device name and its management IP address.
    So changing the management IPs without breaking the trust will cause some issues, as the management IP address info is transferred the first time, when building the trust.
    So the result is: the management IP address is used as an identification for the appliance.
    So you need to break the trust and change your management network as you read in this KB "https://support.f5.com/csp/article/K62249587"; after changing the management IPs, try to build the trust again ("use the new mgmt IPs / or HA IPs") and it will work well.

    > And after finishing your trust and HA settings, make sure that your appliances become "in sync" again.
    Navigate to
    (Device Management >>> select Devices >>> Properties tab)
    You should see under the Properties tab
    the new mgmt IP address of the other peer, and the same thing if you log in to the other appliance.

    I hope this helps you.
    Regards

  • kgaigl

    Hello Mohamed,

    Thanks for the details. One last question:

    Can I do this without traffic-interruption?

    • kgaigl,
      It is highly recommended to do that in a maintenance window, especially if you have "voice" services or FTP applications on your BIG-IP device.
      If your services are web applications only, you will not feel any impact during your action.
      > I have done this before with 2 devices in HA; one of them was faulty, and when getting the new RMA device, I installed it with the other node without any impact.
      - I broke the HA and device trust, configured the HA and built the trust from scratch again, and it worked fine.
      > Only follow these KBs:
      The one you have shared:
      https://support.f5.com/csp/article/K62249587
      > Rebuild device trust:
      https://support.f5.com/csp/article/K42161405

      But it is better to do it in a maintenance window.

      Regards