topic Re: Generic Data Centre Object not copying to Maestro SGM in Hyperscale Firewall (Maestro)

Generic Data Centre Object not copying to Maestro SGM

AaronCP — Mon, 24 Mar 2025 21:26:29 GMT

Evening,

We've recently deployed a new Maestro stack that comprises the following:

2 x MHO-140s (single site)

3 x 9800 SGMs

VSX mode enabled

R81.20 T84

1 x VFW

We've configured both a Generic Data Centre Object & a Cisco ACI object to use the ESGs and ExternalEPGs in firewall policy. The GDO points to a JSON file stored in GitHub that contains the ExternalEPG information (we had to use this as a workaround due to the Cisco ACI object lacking the ability to query ExternalEPGs). The VFW policy uses the ESGs & ExternalEPGs as source & destination objects.

Connectivity testing commenced today, with intermittent results. I could see in the logs that some traffic was being accepted and some being dropped by the cleanup rule. Further analysis showed that the accepted traffic was for the SMO (member ID 1_1) and all dropped traffic was on members 1_2 & 1_3 (side note - it would be great if this field could be selected as a view option in dashboard!).

When logging into the SMO, switching to vsenv 1 and running dynamic_objects -cfo_show, the contents/IP ranges of the GDO object are displayed as expected. When moving to members 2 & 3 and switching to vsenv 1, the dynamic_objects -cfo_show command returns a "File not found" message.

I assumed that the SMO would have copied the GDO objects to the other SGMs, but it would appear that's not happening.

Has anyone seen this behaviour before? Or have any suggestions as to why the GDO objects aren't being copied to all members?

Thanks,

Aaron.

Re: Generic Data Centre Object not copying to Maestro SGM

AkosBakos — Tue, 25 Mar 2025 14:12:55 GMT

@AaronCP

I'm not 100% percent sure about that, this kind of files must been copied to the other members automatically.

If you check the show smo image md5sum what is the output? The md5sum's are tehe same?

A workaround can be to copy the relevant files to each SGM with #asg_cp2blades command

You can expant the script with this line.

Akos

Re: Generic Data Centre Object not copying to Maestro SGM

AaronCP — Thu, 27 Mar 2025 23:19:48 GMT

Hi Akos,

We've figured out the issue. The vsecUpdate.sh script that's execute on the SMO via cpridutil via the MDS has an error in the logic. The vsecUpdate.sh script adds the dynamic objects to $FWDIR/tmp, however the script is trying to sync the object to the other SGMs in the /tmp directory.

This is fixed in R81.20 T79.

Re: Generic Data Centre Object not copying to Maestro SGM

Chris_Atkinson — Thu, 27 Mar 2025 22:55:01 GMT

Do you mean JHF T97 as you were already running T84 based on the original post?

Re: Generic Data Centre Object not copying to Maestro SGM

AaronCP — Thu, 27 Mar 2025 23:15:21 GMT

Hi @Chris_Atkinson,

I believe it's T79 on the MDS (we're currently running T76). Apologies, should have clarified that.

Thanks,

Aaron.