https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240898#M3186 <P>Hi,<BR /><BR />No, VS0 is on the same network as the SmartCenter.<BR /><BR />I think Implied Rules are the issue. Will try again with Implied Rules enabled.<BR /><BR />Regards,<BR />Martijn</P> Tue, 11 Feb 2025 13:25:13 GMT Martijn 2025-02-11T13:25:13Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229234#M2905 <P>Hi all,</P> <P>This week we tried to upgrade a Maestro set from R81.10 take 165 to R81.20 take 84. Because the Security Groups are configured with LACP bonds, I could not use the Zero Downtime (MVC) procedure and used the Minimum Downtime procedure.&nbsp;</P> <P>I followed the steps described in the R81.20 Maestro Admin guide and all seems to go OK. Orchestrators (MHO-140) where upgraded without any issues. Also the upgrade of the first member in the Security Group went OK and was succesfully upgraded to R81.20. But then things went wrong.</P> <P>When running the sp_upgrade script on the upgraded member, the fetching of the policy failed:</P> <P><EM>Fetching the policy from the Management Server and installing it... Failed on members 1_1</EM></P> <P><EM>Fetching the policy from xx.xx.xx.xx and installing it... Failed on members 1_1</EM><BR /><EM>Enter the IP address of the Management Server that manages this Security Group:xx.xx.xx.xx</EM></P> <P><EM>Fetching the policy from xx.xx.xx.xx and installing it... Failed on members 1_1</EM></P> <P><EM>Try to run 'sp_upgrade' again in few seconds. If the problem persists, contact support.</EM></P> <P>I have tried to run the command with the --NO-MVC option and got the same problem.</P> <P>Performed a verify and that seems to be OK.</P> <P><EM>[Expert@xxxxxxxxxxx-ch01-01:0]# sp_upgrade --verify</EM><BR /><EM>Starting the Security Group Pre-Upgrade Verifier:</EM><BR /><EM>Enter the IP address of the Management Server that manages this Security Group:xx.xx.xx.xx</EM><BR /><EM>Cluster State: Failed</EM><BR /><EM>Check the state of the following Security Group members. Make sure they are in Active state before proceeding with the upgrade or remove them from the Security Group.</EM><BR /><EM>1_01</EM><BR /><EM>Connectivity to Management Server: Passed</EM><BR /><EM>LACP: Passed</EM><BR /><EM>Disk Space: Passed</EM><BR /><EM>The Security Group failed the Pre-Upgrade Verifier tests. Do not continue with the upgrade until you fix all the detected issues.<BR /><BR /></EM>The upgraded member was Down, but according to the Admin guide, that was expected. Also all verification earlier in the procedure reported an OK status.</P> <P>In the end we had to revert the whole upgrade on the Security Group. Orchestrators are still on R81.20.<BR /><BR />Did I miss something? Followed the procedure by the letter and double checked every step with the customer.<BR />Anyone had the same issue when upgrading?<BR /><BR />What can we do the next time we plan this upgrade? Are the LACP bonds affecting the upgrade?<BR /><BR />Regards,<BR />Martijn</P> Wed, 09 Oct 2024 08:01:23 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229234#M2905 Martijn 2024-10-09T08:01:23Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229323#M2910 <P>Do you manage the system over an LACP-bond? Try switching to magg or change the bonding type to active/backup temporarily.</P> Wed, 09 Oct 2024 21:03:56 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229323#M2910 Lari_Luoma 2024-10-09T21:03:56Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229337#M2913 <P>Hi,</P> <P>I forgot to mention that. Production bonding groups (uplinks) are LACP. MAGG is Active/Backup.<BR /><BR />Regards,<BR />Martijn</P> Thu, 10 Oct 2024 07:06:49 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/229337#M2913 Martijn 2024-10-10T07:06:49Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240659#M3180 <P>Hi Martijn,</P><P>I have the same problem, SG is VSX and the connection from SG to MGMT is through a VS, I think the problem is that there is no connection to MGMT, so it can't take policies and when you upgrade it doesn't take policies, so it doesn't do anything.</P><P>How did you manage to solve it? I had this problem yesterday.</P><P>Regards</P> Thu, 06 Feb 2025 20:55:36 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240659#M3180 77Madness77 2025-02-06T20:55:36Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240777#M3184 <P>The connection between VSX and management server is through one of the VSs that the VSX hosts? This is not a supported deployment for any VSX setup, maestro or otherwise, upgrades will always fail in this scenario.&nbsp;</P> Mon, 10 Feb 2025 05:15:22 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240777#M3184 emmap 2025-02-10T05:15:22Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240898#M3186 <P>Hi,<BR /><BR />No, VS0 is on the same network as the SmartCenter.<BR /><BR />I think Implied Rules are the issue. Will try again with Implied Rules enabled.<BR /><BR />Regards,<BR />Martijn</P> Tue, 11 Feb 2025 13:25:13 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240898#M3186 Martijn 2025-02-11T13:25:13Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240995#M3189 <P>I have heard of issues with VSX upgrades and implied rules being disabled, I think specifically the 'allow control connections' one.</P> Wed, 12 Feb 2025 08:15:28 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/240995#M3189 emmap 2025-02-12T08:15:28Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/245679#M3289 <P>Just had a similar issue, solution was to manually copy the policy files from the Manager to the upgraded members and run sp_upgrade with fetch from tmp flag.</P><P>Solution was associated with <SPAN><A class="" title="https://support.checkpoint.com/results/sk/sk180402" href="https://support.checkpoint.com/results/sk/sk180402" target="_blank" rel="noreferrer noopener">sk180402</A></SPAN>.</P><P>I just think the upgraded members couldn't connect to the manager or viceversa for some reason.<BR /><BR />My setup connects to the manager via uplink bond (acitve backup thoug), so maybe it doesn't like the fact that there is no management itnerface, not sure.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 04 Apr 2025 10:39:14 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Fetching-policy-failed-when-running-sp-upgrade-script/m-p/245679#M3289 Machine_Head 2025-04-04T10:39:14Z