Change the Manager Access Interface from Data to Management in a High Availability Pair
You can manage the FTD from either the dedicated Management interface, or from a data interface. If you want to change the Cisco Defense Orchestrator access interface after you added the device to CDO, follow these steps to migrate from a Data interface to the Management interface. To migrate the other direction, see Change the Manager Access Interface from Management to Data in a High Availability Pair.
Initiating the CDO access migration from data to Management causes the CDO to apply a block on deployment to the FTD. You must disable CDO access on the data interface to remove the block.
Note | Unless stated otherwise, perform all steps mentioned in this section only on the active unit. Once the configuration changes are deployed, the standby unit synchronizes configuration and other state information from the active unit. |
See the following steps to disable CDO access on a data interface, and also configure other required settings.
Procedure
Step 1 | Initiate the interface migration.
| ||
Step 2 | Disable CDO access on a data interface on the page. See Configure Routed Mode Interfaces. This step removes the block on deployment. | ||
Step 3 | If you have not already done so, configure DNS settings for the data interface in a Platform Setting policy, and apply it to this device at . See DNS. The CDO deployment that disables CDO access on the data interface will remove any local DNS configuration. If that DNS server is used in any security policy, such as an FQDN in an Access Rule, then you must re-apply the DNS configuration using CDO. | ||
Step 4 | Deploy configuration changes. The CDO will deploy the configuration changes over the current data interface. | ||
Step 5 | When the deployment completes around 90 percent, the new management interface takes effect. At this stage, you must re-cable the FTD so that the CDO reaches FTD on the Management interface and completes the deployment successfully. After you re-cable, the deployment may fail if it timed out before re-establishing the management connection to the new interface. In that case, you must reinitiate the deployment after re-cabling for a successful deployment.
| ||
Step 6 | At the FTD CLI, configure the Management interface IP address and gateway using a static IP address or DHCP. When you originally configured the data interface for CDO access, the Management gateway was set to data-interfaces, which forwarded management traffic over the backplane so it could be routed through the CDO access data interface. You now need to set an IP address for the gateway on the management network. Static IP address: configure network {ipv4 | ipv6} manual ip_address netmask gateway_ip DHCP: configure network{ipv4 | ipv6} dhcp
| ||
Step 7 | Ensure the management connection is reestablished. In CDO, check the management connection status on the field or view notifications in CDO. At the FTD CLI, enter the sftunnel-status-brief command to view the management connection status. If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interface. |
