Hi @emmap ,

thanks for the valuable info.

We did the same steps but the results sere different.

If we created a new security group and did the steps that you mentioned -> the result was the new SGM came up to active and everything was fine.

but an upgraded SG (which was r81.10 before) the new SGM remained in detached state, the version was r81.20 as in the first step.

Did you expreienced this kind of behaviour?

And one more question:

if I put an SGM next to 2 SGMs its “number” will be 1_3. The member id remains this if remive the two old sgms?

akos

Not sure I properly follow. The existing MHOs and SGMs must be running R81.20 before you can add the 9300s in, as they are also running R81.20 (though you may have to re-image them to the Maestro R81.20 image if they are not already running that). 

Yes when adding a new SGM, it will take the lowest available ID. So if you have 2 SGMs in the group and you add another one, it'll be 1_3. If you remove SGM 1_2 from the group, you'll have a group with 1_1 and 1_3 in it. If you then add another SGM it'll take the 1_2 ID. 

Hi @emmap 

A short summary of the chnage: 

• removed the 2 old SGMs from site A
• put the new SGM to site A
• Came up in down state (it took ~10 minutes)
• #cphaprob synscat showed policy installation error
  • realized that the original lic expired - we knew that therefore created EVAL earlier-  and the EVAL license has just expired - (that1s the fun fact) 
    • we assume that because of the lack of valid lic (in this situation only InitialPolicy was availabe on the SGM) the SGM couldn't pull from its own lic from the usercenter (the initialPolicy didn't allower the traffic to usercenter)
• We created a new EVAL for the new SGP
• install the lic with cplic put
• rebooted the SGM, then it came up in Active state
• install the necessary jumbo take 
• than manual failover to the ne SGM

The arrange of the other three SGMs into Security Group were easy after this experience.

Cleaunup: we remoed all EVAL licenses from the SGM-s g_cplic del <signature>

Akos

Is it not better to install the Jumbo before makeing it a cluster? 

If you have a default R81.20 image and mix it with other gateways the version difference is to big. 

Also many issues solved in a jumbo so was maybe worth testing to build it with updated systems.

Of course no license does also not help 😉 

Ok, but if I want to intall a jumbo hotfix onto an SGM, the SGM must be in Security Group.(admin guide)

So how? 😉

Hi Bako's,

I recently came across your thread and found it extremely insightful—thank you for sharing your experience.

I’m currently managing a Maestro setup with:

• 2 Maestro Orchestrators on R81.10

• 1 Security Group with 3x 6600 SGMs, all running R81.10 JHF 110

We are planning to replace the 6600 SGMs with 9300 appliances, which come preloaded with R81.20.

I have a couple of questions based on your experience:

1. Did you upgrade your Maestro Orchestrators and existing SGMs to R81.20 before introducing the new 9300 SGMs?

2. If all components (Maestro + existing SGMs + 9300) were already on R81.20, were you able to add the 9300 appliances directly into the Security Group without issues?

Any insights or best practices from your upgrade process would be greatly appreciated.

Mahesh

@Maheshreddy You are commenting on a post which over a year old.

I suggest opening a new discussion for your needs.