topic Re: Error in Master Orchestrator Security Group in Hyperscale Firewall (Maestro)

Error in Master Orchestrator Security Group

SecdetKrypton — Fri, 22 May 2026 07:09:18 GMT

I have the following problem: I have a security group and I can ping the 3 members from the master orchestrator; they have licensing and have a correct connection, however they appear in a down state.

[Expert@SG01-SITE-s01-01:0]# cphaprob state

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 100% ACTIVE SG01-SITE-s01-01
2 192.0.2.2 0% DOWN SG01-SITE-s01-02
3 192.0.2.3 0% DOWN SG01-SITE-s01-03

Active PNOTEs: None

Last member state change event:
Event Code: CLUS-112004
State change: DOWN -> ACTIVE
Reason for state change: USER DEFINED PNOTE
Event time: Thu May 21 21:17:57 2026

Re: Error in Master Orchestrator Security Group

Martijn — Fri, 22 May 2026 07:48:55 GMT

Hi,

Can you SSH to the other SGM's from the Orchestrator and get more information:

#cphaprob stat
#cphaprob -l list

What version are you running?

Are there any custom pnotes configured?

Martijn

Re: Error in Master Orchestrator Security Group

SecdetKrypton — Fri, 22 May 2026 15:57:40 GMT

The curious thing is that it does switch and does not lose internet connection, but members 2 and 3 appear in a down state.

[Expert@SG01-SITE-s01-01:0]# cphaprob stat

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 100% ACTIVE SG01--SITE-s01-01
2 192.0.2.2 0% DOWN SG01--SITE-s01-02
3 192.0.2.3 0% DOWN SG01--SITE-s01-03

Active PNOTEs: None

Last member state change event:
Event Code: CLUS-112004
State change: DOWN -> ACTIVE
Reason for state change: USER DEFINED PNOTE
Event time: Thu May 21 21:17:57 2026
[Expert@SG01-C5-SITE-s01-01:0]# cphaprob -l list

Built-in Devices:

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Additional description: Running
Current state: OK
Time since last report: 22662.8 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 22660.1 sec

Device Name: during_boot
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 45584.3 sec

Device Name: routed
Registration number: 3
Timeout: none
Additional description: OK
Current state: OK
Time since last report: 45471.5 sec

Device Name: cxld
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 45786.2 sec
Process Status: UP

Device Name: HD
Registration number: 5
Timeout: none
Current state: OK
Time since last report: 45786.2 sec

Device Name: fwd
Registration number: 6
Timeout: 30 sec
Current state: OK
Time since last report: 45781.6 sec
Process Status: UP

Device Name: Init
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 45770.3 sec

Device Name: sgm_pmd
Registration number: 8
Timeout: 30 sec
Current state: OK
Time since last report: 0.4 sec

Device Name: lb_configd
Registration number: 9
Timeout: 30 sec
Current state: OK
Time since last report: 0.7 sec

Device Name: sgm_lsp
Registration number: 10
Timeout: 30 sec
Additional description: Member lost connectivity with the Orchestrators and other members in the Security Group
Current state: OK
Time since last report: 0.3 sec

Device Name: DSD
Registration number: 11
Timeout: none
Current state: OK
Time since last report: 22621.9 sec

Device Name: Iterator
Registration number: 12
Timeout: none
Current state: OK
Time since last report: 22650.1 sec

Device Name: LACP_SYNC
Registration number: 13
Timeout: none
Current state: OK
Time since last report: 45529.1 sec

Device Name: cvpnd
Registration number: 14
Timeout: none
Current state: OK
Time since last report: 0.7 sec

Re: Error in Master Orchestrator Security Group

emmap — Sat, 23 May 2026 03:49:33 GMT

We need to see 'cphaprob list' from the other SGMs, from 2 and 3. From SGM1 if you use the command 'm 1_2' and 'm 1_3' you can ssh over to the other SGMs to check their pnotes and see why they are down.

Re: Error in Master Orchestrator Security Group

SecdetKrypton — Mon, 25 May 2026 16:35:52 GMT

Thanks in order to request these are output commands

Expert@SG01-SITE-s01-01:0]# cphaprob list

There are no pnotes in problem state

[Expert@SG01-SITE-s01-01:0]# ssh admin@192.0.2.2
This system is for authorized use only.
Last login: Thu May 21 22:29:29 2026 from 192.0.2.1
You have logged into the system.
Warning: System diagnostics failed on the following tests: System Health.
[Expert@SG01-SITE-s01-02:0]# cphaprob list

Registered Devices:

Device Name: Policy
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 47.6 sec

[Expert@SG01-C5-s01-02:0]# ssh admin@192.0.2.3
This system is for authorized use only.
Last login: Thu May 21 22:23:00 2026 from 192.0.2.2
You have logged into the system.
Warning: System diagnostics failed on the following tests: System Health.
[Expert@SG01-SITE-s01-03:0]# cphaprob list

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Additional description: Policy installation failure
Current state: problem
Time since last report: 301146 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 123.4 sec

Device Name: AMW
Registration number: 13
Timeout: none
Current state: problem
Time since last report: 182.8 sec

Re: Error in Master Orchestrator Security Group

SecdetKrypton — Mon, 25 May 2026 21:29:35 GMT

I found an error: the policy package is inconsistent. One GW had a policy package named 'Initial Policy', while the other two GWs had a policy package named 'Standard'. Thank you very much for your help anyway.

Re: Error in Master Orchestrator Security Group

emmap — Thu, 28 May 2026 01:36:39 GMT

Yep that'll do it, the SGMs will go into a Down state if they don't have the right policy on them. They should sync it from the SMO SGM, if this issue persists then you'll need to diagnose the sync issue.