
Migrating from one ISP to another on remote GW

Question asked by Ty King on Apr 17, 2018
Latest reply on Jul 25, 2018 by Maarten Sjouw

I'm trying to best avoid the "cutting off the limb you're standing on" scenario with this one, and I apologize if this topic has been covered in detail in any other resource.  I tried CheckMates, official docs, and a call to support, but was left wanting.


I've got a remote gateway (3200, 77.30, centrally managed) connected to a single ISP whose performance has been seriously terrible.  We brought in another provider and got them to terminate on an available interface (eth4).  I've verified I can ping from the gateway's new interface to the new ISP's gateway.  The old ISP's public address (/30 on eth5) is the IP the gateway has SIC registered as well as the VPN termination point for the site-to-site community that connects all our remote branches.


So now I have two ISP paths to this gateway.  The issue I'm facing is how to safely migrate to the new ISP without physically going onsite to do the work.  I've pushed a policy to the gateway that allows any and all traffic from the Mgmt server to the new public IP assigned on eth4.  But of course I can't reach the new IP because the default routes on the GW push everything to the current ISP.


Something tells me I'll have to change the static default route in Gaia to point to the new ISP gateway and hope I can reach it after the fact.  I realize I'll need to then update the SIC address for the GW to the new public IP and pray to the network gods that it works.  Also, failing that, will I be able to access the Gaia page on the GW at the new address to undo the routing change if it doesn't work?


I'll be setting these two ISPs up in redundancy mode on the GW if I can get this remote reconfig to work, but that's out of the scope of this question.


I doubt I'm the first to do this, so any input on previous success or failure with your steps taken would be greatly appreciated.  I'd lab this if I had the spare gear.



Hristo's comment made me question something:  If a different interface from the mgmt server can manage the GW through secondary IP, can the IP defined in a GW object be changed without consequence?  I know changing names is complicated.  But is changing just the IP in the object a problem for SIC and certificates used for VPN and pushing policy?


I tested a theory last night with a user on site.  I had a priority 2 route defined in the static default route on the remote GW.  I then had the user unplug the current ISP connection from the GW.  After a few seconds I was able to SSH into the GW once the primary route aged out of the table.


If changing the IP of the GW object is allowed, then all I have to do at that point is update the IP in the mgmt server, verify SIC, and push policy.  Or at least it seems that easy in my head.


Once I've got full mgmt control of the GW back I can update the default route selection to put the new ISP as priority 1 and the old as 2.  Then I have the onsite person plug the old ISP connection back in and move on with my ISP redundancy configuration.