This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
AaronCP
Advisor
Monday
Jump to solution

Generic Data Centre Object not copying to Maestro SGM

Evening,

We've recently deployed a new Maestro stack that comprises the following:

2 x MHO-140s (single site)

3 x 9800 SGMs

VSX mode enabled

R81.20 T84

1 x VFW

We've configured both a Generic Data Centre Object & a Cisco ACI object to use the ESGs and ExternalEPGs in firewall policy. The GDO points to a JSON file stored in GitHub that contains the ExternalEPG information (we had to use this as a workaround due to the Cisco ACI object lacking the ability to query ExternalEPGs). The VFW policy uses the ESGs & ExternalEPGs as source & destination objects.

Connectivity testing commenced today, with intermittent results. I could see in the logs that some traffic was being accepted and some being dropped by the cleanup rule. Further analysis showed that the accepted traffic was for the SMO (member ID 1_1) and all dropped traffic was on members 1_2 & 1_3 (side note - it would be great if this field could be selected as a view option in dashboard!).

When logging into the SMO, switching to vsenv 1 and running dynamic_objects -cfo_show, the contents/IP ranges of the GDO object are displayed as expected. When moving to members 2 & 3 and switching to vsenv 1, the dynamic_objects -cfo_show command returns a "File not found" message.

I assumed that the SMO would have copied the GDO objects to the other SGMs, but it would appear that's not happening.

Has anyone seen this behaviour before? Or have any suggestions as to why the GDO objects aren't being copied to all members?

Thanks,

Aaron.

0 Kudos
1 Solution

Accepted Solutions
AaronCP
Advisor
Thursday
In response to AkosBakos
Jump to solution

Hi Akos,

We've figured out the issue. The vsecUpdate.sh script that's execute on the SMO via cpridutil via the MDS has an error in the logic. The vsecUpdate.sh script adds the dynamic objects to $FWDIR/tmp, however the script is trying to sync the object to the other SGMs in the /tmp directory.

This is fixed in R81.20 T79.

View solution in original post

0 Kudos
4 Replies
AkosBakos
Mentor Mentor
Mentor
Tuesday
Jump to solution

@AaronCP 

I'm not 100% percent sure about that, this kind of files must been copied to the other members automatically.

If you check the show smo image md5sum what is the output? The md5sum's are tehe same?

A workaround can be to copy the relevant files to each SGM with #asg_cp2blades command

You can expant the script with this line.

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
AaronCP
Advisor
Thursday
In response to AkosBakos
Jump to solution

Hi Akos,

We've figured out the issue. The vsecUpdate.sh script that's execute on the SMO via cpridutil via the MDS has an error in the logic. The vsecUpdate.sh script adds the dynamic objects to $FWDIR/tmp, however the script is trying to sync the object to the other SGMs in the /tmp directory.

This is fixed in R81.20 T79.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Thursday
In response to AaronCP
Jump to solution

Do you mean JHF T97 as you were already running T84 based on the original post?

CCSM R77/R80/ELITE
0 Kudos
AaronCP
Advisor
Thursday
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson,

I believe it's T79 on the MDS (we're currently running T76). Apologies, should have clarified that.

 

Thanks,

 

Aaron.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events