For some unknown reason, I've noticed that one of our sensors has a secondary IP address for the primary manager config. I have no idea why or how this got there as we just moved this sensor from an NSM 8.1 instance to a new 8.2 instance via "deinstall" and "setup". During the setup wizard when it prompts you for a secondary IP, none was listed and we selected "No" to that question. However, it still has an extra IP. This IP strangely belongs to our dev 8.2 instance, but that instance has never even had this sensor in it to the best of my (and my team's) knowledge, so it makes no sense to me. I found the sensor CLI command "set manager secondary ip" and thought maybe using 0.0.0.0 would remove it, but that fails of course. Then I found the command "deletemgrsecintf" which seems to be exactly what I want but when I run that, I just get an error that reads "This operation is not allowed while in MDR mode. Please do this operation from the Manager." So I'm not sure how to proceed as I don't know of a way to run sensor CLI commands from the Manager nor do I know how to find this IP address within the Manager.
Here's the trimmed output from the "show" command--the "184.108.40.206" example IP is the one that doesn't belong in my case.
Manager IP addr : 220.127.116.11 (primary intf)
Manager IP addr : 18.104.22.168 (secondary intf)
[Peer Manager Config]
Manager IP addr : 22.214.171.124 (primary intf)
Thanks in advance!
I ran into the same issue recently, the secondary manager ip had been set in a previous version (possibly 6) and was never removed when we implemented MDR I assume.
Support advised that this was probably a bug and sent it to development.
The only work around they gave me was to perform a resetconfig on the sensor and then reinstall it into the manager.
I had asked them if breaking the MDR pair would allow me to run the command but they were unsure.
They did tell me there was no impact in having this value set and that it should be fixed in a future release.
Thanks for the response. Unfortunately, I don't currently have physical access to this sensor, so a resetconfig is going to take me down. I may try to break the MDR pair to fix it. Will report back if I do that.
Running 'deinstall' should trick the sensor into believing there is no MDR pair, which should allow you to remove the second IP address. Just run 'setup' or 'set sensor sharedsecretkey' to reestablish trust with the manager.