topic Re: Change VSX management interface to a bond with same IP Address in Firewall and Security Management

Change VSX management interface to a bond with same IP Address

Peter_Thome — Thu, 04 Jan 2024 08:49:06 GMT

Hello Community,

our customer has the need to change Cabling from copper to fiber links in their DC.

Their VSX Cluster is configured with the builtin Mgmt copper interface as VS0 Management Interface.

Is there a possibility to change the physical interface to a bond interface, which is built out of 2 fiber interfaces?

I tried it in our lab with setting vsx off in Clish, delete Mgmt Interface IP Address, set the same IP Address to the new bond interface and then enable vsx again.

Was able to do that, but when accessing the VSX Cluster in SmartConsole, I'm not able to change the Interface from Mgmt to the bond and the VSX operation end with errors:

pt-vsx-02 error :Internal Error - Failed to commit changes in the OS.. 10.10.32.82 is already in use as the local address of bond4..
pt-vsx-01 error :Internal Error - Failed to commit changes in the OS.. 10.10.32.81 is already in use as the local address of bond4..

These are the management IP Addresses, which I switched from Mgmt to bond4 in clish .

Any hints how we can get this done ?

Many thanks - Peter

Re: Change VSX management interface to a bond with same IP Address

Alex- — Thu, 04 Jan 2024 09:10:23 GMT

You don't change interfaces with clish when using VSX.

Use vsx_util to display and change interfaces configuration.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ScalablePlatforms_VSX_AdminGuide/Topics-SP-VSX/209207.htm?tocpath=Command%20Line%20Reference%7Cvsx_util%7C_____0

Re: Change VSX management interface to a bond with same IP Address

Peter_Thome — Thu, 04 Jan 2024 11:07:40 GMT

Hello Alex,

thanks for your answer. I already looked at vsx_util, but there is no option to change the physical management interface of vs0.

you can change the management IP Address and will have to do some tasks from sk9242, but there is no way to change the interface from Mgmt to bond4 in my case.

The vsx_util change_interfaces only works for physical interfaces used by virtual systems, not for management Interface of vs0

KR, Peter

Re: Change VSX management interface to a bond with same IP Address

Alex- — Thu, 04 Jan 2024 14:22:42 GMT

Right, the Management interface is defined per the physical topology of each cluster member in the VS0 object in Smart Console and this doesn't seem to be editable.

Maybe add a new bond with new IP on fibre links and use the vsx_util utility to change management IP to that one could be an option.

Re: Change VSX management interface to a bond with same IP Address

Bob_Zimmerman — Thu, 04 Jan 2024 19:55:47 GMT

Depends on the version. I just checked, and my R81.20 managements can do this (older versions lack the option for step 3), but it will require an outage.

Run 'vsx_util change_interfaces -s 127.0.0.1' on the management and log in
Select the cluster you want to work on
Select the option to apply changes to the management database only
Select the old management interface, and replace it with the bond
Rebuild one VSX member. Be sure to create the bond(s).
Use 'vsx_util reconfigure -s 127.0.0.1' on the management to reestablish SIC with, push policy to, and provision the member
Repeat steps 5 and 6 for each other member in the VSX cluster

I highly, highly recommend replacing all references to individual interfaces references with references to bonds. Bonds can have one member, and don't have to participate in LACP.

Edit: Thinking about it some more, I don't know if the first rebuilt member will be able to sync with an original member. It might be possible. If sync works, it may be possible to do without an outage. You should still assume there will be an outage when you fail over from the original member(s) to the first rebuilt member.

You probably need to build the bond on the command line of both members and add the bond to the VSX cluster object's list of known physical interfaces before starting the above process. I'm pretty sure change_interfaces only lets you change to an interface which is listed there.

Keep these management-side debugs for VSX provisioning handy. They can let you make changes on the management without needing working communications with the cluster members. Very useful if the physical member can't meet the requirements of the object on the management. For example, if the management expects to see both eth1 and bond1 which has eth1 as a member, this set of debugs lets you delete the interface from the management's list of interfaces on the VSX cluster.

Take a snapshot on everything before you start.