How to Migrate to another Management Server?

[hi_there]

Hi

What are the steps required to change the management server? The new management server will be having a different IP Address from the exisiting.

The old/new management OS is W2K and using Nokia box with VRRP active.

Thanks

[northlandboy]

Use the upgrade_export/upgrade_import tools. Read about them in the Upgrade Guide.

Even though you're not changing versions, it doesn't matter, the export/import tools seem to do the trick.

[hi_there]

Quote:

Originally Posted by northlandboy

Use the upgrade_export/upgrade_import tools. Read about them in the Upgrade Guide.

Even though you're not changing versions, it doesn't matter, the export/import tools seem to do the trick.

Did use the tool for the importing of the database to the new server, change the management object IP address to reflect the new address by using dbedit.

Establish SIC with the secondary Nokia box than push the rules down.

BUT.... when the change the VRRP prority to high value to take over from primary it does not take over as master. Reason for doing one Nokia box at time is not to have any drop packets.

Is there a method to change to the another management server with different IP Address and without any downtime?

Thanks

[northlandboy]

You should be able to do what you want. If you're re-establishing SIC, then state sync will probably be broken, and you might drop established connections when you switch VRRP priorities. If that's a major issue, you could always temporarily allow out of state connections.

But anyway, your process seems OK. When you raised the VRRP priorities of the secondary, what happened? Did the primary stay master, even with a lower priority? And did the secondary stay in backup? Look at the detailed VRRP view, which shows things like the effective priority, and who the firewall thinks the master is.

You may even want to check things on the wire with tcpdump, to look at the VRRP traffic.

You haven't mentioned what version of IPSO you're running, but if it's 3.7+, then IPSO monitors the firewall state, for VRRP. If certain things aren't right (fwd, cphad not running, sync not working, no policy), then the firewall won't go into VRRP master.

Check to see if sync is working or not - cphaprob state. It might not work, it's hard to say for certain. You may even need to do another cpstop;cpstart after pushing the policy out, to get things working happily, so that VRRP will think all is well, and let that node go master.