Solved: Re: [Maestro R82] unable to register 3 security ga...

leangf_leangf1 · ‎2025-10-26

Hi Checkamates,

Is there a workaround on this without doing a factory default on all 3 gateways?

We've recently reconfigured our maestro (dual maestro single site) management ip address and delete the objects from the SMC.

We can access the Maestro and SMC but we havent made a factory reset on the 3 security gateways.

We tried unloading the policy on the 3 security gateways via ssh but still couldn't add or register it on the SMC.

Both management ips were accessible via ssh;

-maestro

-smc

-security gateways

Thoughts?

Leangf

the_rock · ‎2025-10-26

I have no clue if this makes sense, but this is what AI gave...

*****************************

Hey Leangf,

You’re in a pretty common situation after changing the management IP on a Maestro setup — the gateways still “think” they’re managed by the old management server identity (fingerprint, SIC, IP), so they refuse new SIC establishment attempts from the new management IP. The good news is that you usually don’t need to factory reset the SGMs (Security Group Members) to fix this.

Here’s the usual recovery path that works without a full reset 👇

🧭 Background

In Maestro, the management connection (SIC) info is stored in:

/etc/appliance_config.xml
/opt/CPsuite-R81.10/fw1/conf/InternalCA.*
/var/opt/CPshared/5.0/tmp/.CPprofile.sh and related directories

So even though the MHO and SMC are reconfigured, the SGMs still have the old management certificate relationship.

✅ Workaround Steps

1. SSH to each SGM (Security Gateway Member)

Example:

ssh admin@<SGM-IP>

2. Enter expert mode

expert

3. Reset the SIC manually (DO NOT factory reset)

Run:

cp_conf sic init <new_password>

You can choose a new one like MyNewSICpass123.

This clears the existing SIC trust but does not wipe your configuration or interfaces.

4. Recreate or re-import the Security Gateway object in SmartConsole

Add the gateways back under Security Gateways & Clusters.
Assign the correct IP (the one reachable from SMC).
When prompted for SIC, enter the same MyNewSICpass123 password you used above.

If SIC fails due to old certificates still being cached, you can also clean up the management side with:

cpca_client lscert
cpca_client revoke <certificate-number>
cpca_client delete <certificate-number>

Then try to re-establish SIC again.

5. Push Policy

Once SIC is established, push policy again — it should succeed, and the gateways will re-register with the new management IP.

🧹 Optional Clean-Up (if errors persist)

If after the above, the gateways still refuse to register:

rm -rf /opt/CPsuite-R81.10/fw1/conf/InternalCA.*
rm -rf /opt/CPsuite-R81.10/fw1/conf/*.p12

Then re-init SIC again (cp_conf sic init <pw>) and retry.

🚫 Do NOT

Don’t use set factory default — it’s overkill here.
Don’t delete /etc/appliance_config.xml unless directed by TAC (that can break Maestro sync).

🧩 Note for Maestro

Make sure to do the SIC reset on all SGMs (since each one maintains its own SIC), or use:

asg diag all "cp_conf sic init MyNewSICpass123"

from the MHO CLI to apply it cluster-wide.

If you can share:

R81.x version (e.g., R81.10 or R81.20)
Whether this is Dual Site or Single Site Maestro

…I can tailor the exact asg command sequence for you (since the MHO CLI options differ slightly).

Best,
Andy

View solution in original post

leangf_leangf1 · ‎2025-10-26

Thank you @the_rock , same results i had. One thing i need is to confirm from the experts if these were applicable in my case.

. I will go through with the procedures. Hopefully this will work as the devices were located from another remote location 🙂

By the way, the version we installed is R82.x across all devices - SMHO-140, SMC, Security Gateways (9100).

This is a dual maestro -single site deployment.

Leangf

View solution in original post

leangf_leangf1 · ‎2025-10-27

Just an update on this;

-i managed to access the SGs within the maestro console using the loopback ip 198.x.x.x.x

-replaced the ip address of magg1

-replaced the default route of SGs.

-reset the sic password

now its working..

awesome.

View solution in original post

the_rock · ‎2025-10-26

I have no clue if this makes sense, but this is what AI gave...

*****************************

Hey Leangf,

You’re in a pretty common situation after changing the management IP on a Maestro setup — the gateways still “think” they’re managed by the old management server identity (fingerprint, SIC, IP), so they refuse new SIC establishment attempts from the new management IP. The good news is that you usually don’t need to factory reset the SGMs (Security Group Members) to fix this.

Here’s the usual recovery path that works without a full reset 👇

🧭 Background

In Maestro, the management connection (SIC) info is stored in:

/etc/appliance_config.xml
/opt/CPsuite-R81.10/fw1/conf/InternalCA.*
/var/opt/CPshared/5.0/tmp/.CPprofile.sh and related directories

So even though the MHO and SMC are reconfigured, the SGMs still have the old management certificate relationship.

✅ Workaround Steps

1. SSH to each SGM (Security Gateway Member)

Example:

ssh admin@<SGM-IP>

2. Enter expert mode

expert

3. Reset the SIC manually (DO NOT factory reset)

Run:

cp_conf sic init <new_password>

You can choose a new one like MyNewSICpass123.

This clears the existing SIC trust but does not wipe your configuration or interfaces.

4. Recreate or re-import the Security Gateway object in SmartConsole

Add the gateways back under Security Gateways & Clusters.
Assign the correct IP (the one reachable from SMC).
When prompted for SIC, enter the same MyNewSICpass123 password you used above.

If SIC fails due to old certificates still being cached, you can also clean up the management side with:

cpca_client lscert
cpca_client revoke <certificate-number>
cpca_client delete <certificate-number>

Then try to re-establish SIC again.

5. Push Policy

Once SIC is established, push policy again — it should succeed, and the gateways will re-register with the new management IP.

🧹 Optional Clean-Up (if errors persist)

If after the above, the gateways still refuse to register:

rm -rf /opt/CPsuite-R81.10/fw1/conf/InternalCA.*
rm -rf /opt/CPsuite-R81.10/fw1/conf/*.p12

Then re-init SIC again (cp_conf sic init <pw>) and retry.

🚫 Do NOT

Don’t use set factory default — it’s overkill here.
Don’t delete /etc/appliance_config.xml unless directed by TAC (that can break Maestro sync).

🧩 Note for Maestro

Make sure to do the SIC reset on all SGMs (since each one maintains its own SIC), or use:

asg diag all "cp_conf sic init MyNewSICpass123"

from the MHO CLI to apply it cluster-wide.

If you can share:

R81.x version (e.g., R81.10 or R81.20)
Whether this is Dual Site or Single Site Maestro

…I can tailor the exact asg command sequence for you (since the MHO CLI options differ slightly).

Best,
Andy

leangf_leangf1 · ‎2025-10-26

Thank you @the_rock , same results i had. One thing i need is to confirm from the experts if these were applicable in my case.

. I will go through with the procedures. Hopefully this will work as the devices were located from another remote location 🙂

By the way, the version we installed is R82.x across all devices - SMHO-140, SMC, Security Gateways (9100).

This is a dual maestro -single site deployment.

Leangf

the_rock · ‎2025-10-26

Glad we can help!

Best,
Andy

leangf_leangf1 · ‎2025-10-27

Just an update on this;

-i managed to access the SGs within the maestro console using the loopback ip 198.x.x.x.x

-replaced the ip address of magg1

-replaced the default route of SGs.

-reset the sic password

now its working..

awesome.

the_rock · ‎2025-10-27

Excellent work.

Best,
Andy

[Maestro R82] unable to register 3 security gateways after changing the management ip address

🧭 Background

✅ Workaround Steps

1. SSH to each SGM (Security Gateway Member)

2. Enter expert mode

3. Reset the SIC manually (DO NOT factory reset)

4. Recreate or re-import the Security Gateway object in SmartConsole

5. Push Policy

🧹 Optional Clean-Up (if errors persist)

🚫 Do NOT

🧩 Note for Maestro

🧭 Background

✅ Workaround Steps

1. SSH to each SGM (Security Gateway Member)

2. Enter expert mode

3. Reset the SIC manually (DO NOT factory reset)

4. Recreate or re-import the Security Gateway object in SmartConsole

5. Push Policy

🧹 Optional Clean-Up (if errors persist)

🚫 Do NOT

🧩 Note for Maestro