Summary
As part of the SMS High Availability (HA) functionality, and in order to prevent another SMS from taking control of the same device, the IPS/TPS device records the IP address and CERT of the active SMS in an HA cluster. Under normal HA failover conditions, the CERT from the active SMS is copied to the passive SMS and used to manage the devices. If the cluster fails over or is swapped, the devices are still seamlessly managed with the same CERT. In most cases, if the active SMS fails, it is recovered and the HA cluster is re-synced.
Details
However, if the active SMS is not recoverable (RMA) and the cluster is broken, then all devices must be un-managed and re-managed.
Remember that when replacing the failed SMS, the new SMS will have a new serial (CERT) number. When the Primary SMS is replaced, the original information of the old SMS is still in the devices. Replacing the Primary SMS device with a new SMS does not update the management information.
To verify whether there will be a problem when you break HA, run the IPS/TPS CLI command "show sms":
show sms
Allowed SMS IP address : 192.168.98.10
Device is under SMS control
SMS Serial Number: XXXX-XXXX-XXXX
SMS Version: 4.5.0.98012
SMS IP: 192.168.98.10
SMS Port: 8162
If the output of the command shows the CERT (SMS Serial Number) from one SMS and the IP address of the other SMS in the cluster, then the devices will become unmanaged when you break HA. If both the CERT and the IP address belong to the active SMS, then you will not have an issue when you break HA. If the devices become unmanaged when HA is broken, the IPS/TPS devices will have to be unmanaged via the LSM or the CLI. Additionally, the devices will have to be removed from the active SMS and then re-managed.
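The check described above, applied to captured "show sms" output, as an added example (not part of this article or of the SMS/IPS product): it parses the command's key/value lines and reports whether breaking HA will leave the device unmanaged. It assumes the output layout shown above and that the operator knows the active SMS's IP address and serial (CERT) number; the sample output and serial are constructed placeholders.

```python
# Constructed sample "show sms" output, modelled on the layout shown in the article.
# The serial number is a placeholder, not a real SMS certificate serial.
SAMPLE_SHOW_SMS = """show sms
Allowed SMS IP address : 192.168.98.10
Device is under SMS control
SMS Serial Number: XXXX-XXXX-XXXX
SMS Version: 4.5.0.98012
SMS IP: 192.168.98.10
SMS Port: 8162
"""


def parse_show_sms(text):
    """Turn 'key : value' lines into a dict; flag lines without a colon map to True."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        else:
            fields[line] = True  # e.g. "Device is under SMS control"
    return fields


def ha_break_risk(show_sms_text, active_sms_ip, active_sms_serial):
    """Classify what happens to this device when the HA cluster is broken.

    Returns:
      'not_managed'   - the device is not under SMS control at all
      'safe'          - recorded CERT and IP both belong to the active SMS
      'will_unmanage' - CERT and IP point at different cluster members, so the
                        device drops to unmanaged when HA is broken and must be
                        unmanaged (LSM/CLI), removed from the SMS and re-managed
    """
    fields = parse_show_sms(show_sms_text)
    if not fields.get("Device is under SMS control"):
        return "not_managed"
    serial_matches = fields.get("SMS Serial Number") == active_sms_serial
    ip_matches = fields.get("SMS IP") == active_sms_ip
    return "safe" if serial_matches and ip_matches else "will_unmanage"


if __name__ == "__main__":
    # Active SMS is 192.168.98.10 with the placeholder serial: both fields match.
    print(ha_break_risk(SAMPLE_SHOW_SMS, "192.168.98.10", "XXXX-XXXX-XXXX"))
```

Run it against the "show sms" output of every device before breaking the cluster; any device that reports "will_unmanage" will need the unmanage/remove/re-manage steps above.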