Ob1lan
Collaborator

Management HA and make the secondary primary for migration

Hi,

We currently have 2 management servers running R81.10, to manage our numerous gateways spread across the world. We created the second one to support our migration plan, as the datacenter hosting the Primary will be closed in 2 months.

So we are in a Management HA scenario. The Secondary lies in AWS, and is now the Active. This works great. Of course, when we tested shutting down the Primary (or issuing a cpstop), some issues occurred, with our IPSEC VPN for instance. We later understood it was because the Primary still holds the CA role, even if it's not the Active server.

We now need to validate how we could make the Secondary-Active become the Primary-Active, and also safely shut down and delete the server in the datacenter. So the goal is to only have the one in AWS eventually.

Can I simply follow the steps in the R81.10 Security Management Administration Guide, under the title "Promoting a Secondary Management Server to Primary"? The previous titles under this section are clearly for DR, which is not really our case here, so I won't be able to recover/reuse the current Primary management IP. Won't it be a problem for the CA or other roles?

Thanks for your advice.

Regards.

0 Kudos
5 Replies
PhoneBoy
Admin

You manually have to promote the secondary node to primary for changes to take effect.
You can then promote the old primary back following the same procedure.

Ob1lan
Collaborator

Thanks for your answer @PhoneBoy, but how do I handle the CRL URL that will change?

If I have the new management server in AWS become the Primary, it becomes the ICA, right?

Currently, if I check the CRL DP set on the certificates, it has an http URL with an IP that won't be assigned to the new mgmt. It also has a CN=ICA_CRL...

How can I handle that to avoid any issue with the IPSEC/S2S VPN we have, and possibly SIC issues?

Thanks!

0 Kudos
PhoneBoy
Admin

Correct, the new primary becomes the ICA.
I believe you will set the main IP of the secondary management server to the relevant elastic IP assigned to the instance that is reachable from the Internet.
That should resolve the various issues with SIC and VPN.

Ob1lan
Collaborator

Thanks again @PhoneBoy. But will I have to renew the certificates so it updates the CRL Distribution Points, or is that not needed?

0 Kudos
PhoneBoy
Admin

I believe a standard policy push will update everything properly.
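
The point the thread turns on is whether the CRL Distribution Point embedded in the gateway certificates still names the old management IP after the promotion. The script below is an added example, not from the thread or from Check Point: it builds a constructed self-signed certificate whose CRL DP carries a placeholder old-management IP (192.0.2.10, in the ICA-style `http://<ip>:18264/ICA_CRL1.crl` form, which is assumed here) and shows how to extract the CRL URI from any certificate with openssl and compare its host against the address the promoted ICA is expected to be reachable on. It assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example: check which host a certificate's CRL Distribution Point
# names, so a CRL DP still pointing at the decommissioned management IP is
# caught before the old server is shut down. Requires openssl >= 1.1.1.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificate (placeholder values, not real ICA output):
# a self-signed cert whose CRL DP still names the old management IP.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=gw-sample" \
    -addext "crlDistributionPoints=URI:http://192.0.2.10:18264/ICA_CRL1.crl" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  printf '%s\n' "$WORK/cert.pem"
}

# Print every URI found in the certificate's CRL Distribution Points extension.
crl_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | sed -n 's/.*URI:\([^ ,]*\).*/\1/p'
}

# Succeed (exit 0) only when at least one CRL URI exists and every one of
# them names the expected host; fail otherwise.
crl_points_to() {
  cert="$1"; expected_host="$2"
  found=0; bad=0
  for uri in $(crl_uris "$cert"); do
    found=1
    # strip scheme, then drop port and path to isolate the host part
    host="$(printf '%s' "$uri" | sed -e 's|^[a-z]*://||' -e 's|[:/].*||')"
    [ "$host" = "$expected_host" ] || bad=1
  done
  [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}
```

Run `crl_points_to /path/to/gateway-cert.pem <new-ica-ip>` against a certificate exported from a gateway after the promotion and policy push; a non-zero exit means the CRL DP still references a host other than the one you expect.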
