Solved: Maestro Upgrade

gemechis

Maestro R81.20 → R82 Zero-Downtime MVC Upgrade – Upgraded SGM stuck in Down(R82) / DETACHED with FSYNC, POLICY, during_upgrade PNOTE
Problem Description:
I am performing a Zero-Downtime Multi-Version Cluster (MVC) upgrade on a Quantum Maestro Security Group from R81.20 to R82.
Environment:

Management Server: R82
Both Maestro Orchestrators (MHOs): R82
Security Group has 2 SGMs:
SGM 1_01 → Upgraded to R82
SGM 2 → Still on R81.20 Jumbo HF Take 119

Mode: [Please specify: Gateway mode or Traditional VSX mode?]

Current Symptoms:

The upgraded member (1_01) is stuck in Down(R82) state and shows as DETACHED in asg monitor.
Security Group status shows: Maestro (During Upgrade)
PNOTE on member 1_01: FSYNC, POLICY, during_upgrade
Previously also saw: "Site HA module not started"
Only SGM 2 (R81.20) is ACTIVE and handling traffic.
Policy installation fails with the classic error:
"Policy installation failed because the gateway version as defined in the SmartConsole does not match the version installed on the gateway."

Actions Already Performed:

Upgraded Management + both Orchestrators to R82 first.
Disabled SMO image auto-cloning (set smo image auto-clone state off).
Changed the Maestro Security Group object version to R82 in SmartConsole (multiple times) + Get Gateway Data.
Disabled Accelerated Policy Installation and attempted policy install multiple times.

gemechis

@Tom_Kendrick @simonemantovani @emmap

Thank you guys for the help. Finally, it's solved by installing the latest hotfix which Take 91 on R82 on both SMS and the upgraded gateway.

View solution in original post

simonemantovani

Just for curiosity, did you follow this procedure?

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Conte...

gemechis

I have tried Step 9 from these, but not succeded.

simonemantovani

Did you also tried the command g_clusterXL_admin –b 1_1 up?

1_1 should your member with ID 1 (the upgraded member).

and after that tried the command g_clusterXL_admin –b 1_2 down

1_2 should be the member in R81.20, and then try to install the policy ... but it could be better to complete the upgrade to R82 for all the members.

gemechis

@simonemantovani

g_clusterXL_admin –b 1_1 up tried this, and it gave an error as per the attached screenshot.

simonemantovani

What happens if you try from the upgrade member the following command?

fw -d fetch -a -s -f -c

Tom_Kendrick

Can I just check, when you say "Changed the Maestro Security Group object version to R82 in SmartConsole (multiple times) + Get Gateway Data." Do you mean you clicked "Get" on the right of the SecGroup object?

If yes, you should not, as the 1st step (manually changing the setting) tells the system to use R82 (in your case), and then clicking Get, queries the running Sec Group, and the old member which is active (but still on R81.20) will say "I'm on 81.20" and revert the change you made, causing the policy push to fail due to version mismatch, the upgraded member to likely not leave the DOWN(Policy) state...

That would be my thing to check first.

gemechis

hi @Tom_Kendrick ,

yes i mean I clicked Get.

But even without clicking the GET , i have tried and it still fails. Below are the screneshots for your refernece.

emmap

Make sure you're installing just the Access Control policy.

gemechis

@Tom_Kendrick @simonemantovani @emmap

Thank you guys for the help. Finally, it's solved by installing the latest hotfix which Take 91 on R82 on both SMS and the upgraded gateway.