Applies to Cisco Email Security Appliance (Ironport) Version: 9.6.x
Assume that you have an Ironport cluster consisting of 3 Ironport hosts: Esa1 (10.10.10.1), esa2 (10.10.10.2) and esa3 (10.10.10.3). You need to change the IP address of esa3 to a new address, 10.10.10.7, and you configured the cluster earlier so that cluster communication is established by IP address rather than by host name.
In the User Guide for AsyncOS 9.6 for Cisco Email Security Appliances there is a section (page 1074) for changing the name and IP at the same time, but those steps are ambiguous. (Disable CCS on the NIC??)
How To Change IP address of a Cisco ESA (Ironport) Node in Cluster
Here are the steps that have worked many times:
Before You Begin:
Check the current cluster connection and consistency: run the clustermode command, select 1. Cluster, then run the clustercheck and clusterconfig commands in the SSH console. If any hosts are disconnected, check CCS port 2222 (see step 19 below).
1- Make sure that the Web Management Console and SSH ports are reachable from your PC at the new IP 10.10.10.7 before you begin.
2- Connect to esa3 via the Web Management Console using a web browser and change the mode to Machine: esa3.
3- Go to Network / IP Interfaces.
4- Click the name of the interface whose IP you want to change.
5- In the IPv4 Address / Netmask field, type 10.10.10.7/24
6- Click Submit, which returns you to the IP Interfaces page.
7- Click Commit Changes.
8- After 20-30 seconds you should be able to ping the new IP 10.10.10.7.
9- The current web console session can no longer connect. Close it.
10- Open a new web browser page and connect to the new IP 10.10.10.7:port, where port is the port number you use for web management.
11- Although esa3 is now disconnected from the cluster, you can of course log in with the same user and password. Log in to esa3 via the Web Console and ensure that the configuration looks fine. (The Ironport cluster is a peer-to-peer cluster, which means every node holds the complete cluster configuration locally.)
12- Connect to Esa1 (10.10.10.1) via SSH (e.g. PuTTY) and log in.
13- Run the clustermode command, select 1. Cluster, then run the clusterconfig command.
14- Type CONNSTATUS; you will now see that esa3 is disconnected.
15- While you are still in the clusterconfig menu, type COMMUNICATION
(Cluster MyCluster)> clusterconfig
Choose the operation you want to perform:
– ADDGROUP – Add a cluster group.
– SETGROUP – Set the group that machines are a member of.
– RENAMEGROUP – Rename a cluster group.
– DELETEGROUP – Remove a cluster group.
– REMOVEMACHINE – Remove a machine from the cluster.
– SETNAME – Set the cluster name.
– LIST – List the machines in the cluster.
– CONNSTATUS – Show the status of connections between machines in the cluster.
– COMMUNICATION – Configure how machines communicate within the cluster.
– DISCONNECT – Temporarily detach machines from the cluster.
– RECONNECT – Restore connections with machines that were previously detached.
– PREPJOIN – Prepare the addition of a new machine over CCS.
16- Select 1. Communicate by IP address when asked:
Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
All machines in the cluster will communicate with each other by IP address.
1. Machine Esa1.contoso.com: using IP address 10.10.10.1 port 2222
2. Machine Esa2.contoso.com: using IP address 10.10.10.2 port 2222
3. Machine Esa3.contoso.com: using IP address 10.10.10.3 port 2222
Choose the operation you want to perform:
– EDIT – Change the IP and port for a machine.
17- Type EDIT and answer the prompts:
Enter the number of the machine you wish to edit.
What IP address should other machines use to communicate with Machine Esa3.contoso.com?
1. 192.168.42.42 port 22 (SSH on interface Management)
2. 10.10.10.7 port 22 (SSH on interface Mail1)
3. 10.10.10.7 port 2222 (Cluster Communication Service on interface Mail1)
4. Enter an IP address manually
This is where the magic happens: the new IP already appears in the list. Select 3 (or select 4 and enter the new IP 10.10.10.7 manually), then type commit and press Enter.
18- On esa1 and esa3, run the clustermode command, select 1. Cluster, then run the clusterconfig command.
19- Run the CONNSTATUS command; you may now see that many nodes in the cluster are disconnected, not only Esa3. I have seen this issue many times during IP change operations!
20- The cause is that the Cluster Communication Service (CCS) stops listening on port 2222 on most of the nodes. You can check this from any node by running:
telnet other_disconnected_nodeIP 2222
You will not get any response. The resolution is to disable and re-enable CCS on the problematic disconnected nodes.
21- On each disconnected node, in the web console go to Network / IP Interfaces, click the interface name, uncheck Cluster Communication Service 2222, click Submit and commit the changes.
22- On each disconnected node, in the web console go to Network / IP Interfaces, click the interface name, check Cluster Communication Service 2222 again, click Submit and commit the changes.
Now the CCS service is running again and all nodes can communicate via port 2222. Check port 2222 by telnet again.
23- Check the status on all nodes: run the clustermode command, select 1. Cluster, then clusterconfig / CONNSTATUS. You should now see that all nodes are connected (without any disconnected error).
24- Also check the cluster consistency: run the clustermode command, select 1. Cluster, then clustercheck.
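The "Before You Begin" check and step 20 both come down to the same test: is the CCS listener on TCP port 2222 reachable on every node? The script below is an added example, not part of the original post or of Cisco's tooling, that runs that check against a list of node IPs from the admin workstation instead of one telnet session at a time, and lists the nodes that need the disable/re-enable cycle of steps 21-22. It assumes the workstation can reach port 2222 on the nodes (as step 1 requires for the management ports). The FakeCcsListener class is a constructed stand-in for a node so the script can demonstrate both the healthy and the "CCS stopped listening" outcome offline on 127.0.0.1; the node IPs in main() are the ones used on this page.

```python
"""Probe the Cluster Communication Service (CCS) port on each ESA cluster node.

Added example; not Cisco's code. The node list and the local listener are
constructed for illustration.
"""
import socket

CCS_PORT = 2222  # CCS port used by the cluster described on this page


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Connection refused, a timeout or an unreachable host all count as 'not
    listening', which matches the telnet-with-no-response symptom in step 20.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ccs(nodes, port=CCS_PORT, timeout=2.0):
    """Map each node IP to 'LISTENING' or 'NOT LISTENING' on the CCS port."""
    return {
        ip: ("LISTENING" if probe_tcp(ip, port, timeout) else "NOT LISTENING")
        for ip in nodes
    }


def disconnected_nodes(status):
    """Nodes whose CCS is not answering: the ones to cycle in steps 21-22."""
    return sorted(ip for ip, state in status.items() if state != "LISTENING")


class FakeCcsListener:
    """Constructed stand-in for a node's CCS listener on 127.0.0.1.

    A listening socket completes the TCP handshake in the kernel backlog, so no
    accept() loop is needed for the probe to succeed; closing the socket makes
    the port refuse connections, imitating a node whose CCS stopped listening.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, no root needed
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def stop(self):
        """Simulate CCS being disabled on the node."""
        self.sock.close()


def demo():
    """Probe a simulated node before and after its CCS stops; return both results."""
    node = FakeCcsListener()
    port = node.port
    healthy = check_ccs(["127.0.0.1"], port=port, timeout=1.0)
    node.stop()
    stopped = check_ccs(["127.0.0.1"], port=port, timeout=1.0)
    return healthy, stopped


if __name__ == "__main__":
    # Constructed node list: the cluster from this page after the IP change.
    cluster_nodes = ["10.10.10.1", "10.10.10.2", "10.10.10.7"]
    status = check_ccs(cluster_nodes)
    for ip, state in status.items():
        print(f"{ip}:{CCS_PORT} {state}")
    bad = disconnected_nodes(status)
    if bad:
        print("Cycle CCS (uncheck, commit, re-check, commit) on:", ", ".join(bad))
    else:
        print("CCS is reachable on all nodes; run clusterconfig / CONNSTATUS to confirm.")
```

Run it from the workstation after step 17 and again after step 22; an empty "cycle CCS" list is the expected state before you move on to CONNSTATUS and clustercheck in steps 23-24.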