This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Paul_Warnagiris
Advisor
‎2023-01-04 05:33 PM

Maestro auto clone fails

Howdy Check Mates.  I have a simple single site, single MHO140 setup with two SGMs.  This was working perfectly fine and we had to move IPs.  The way the ISP is currently setup is we take a single IP address via DHCP which is statically reserved on their side.  Then they route our publicly routable IPs to us via that IP.

All is up including the SMO and traffic is flowing appropriately.  However, my second SGM is never able to join the SMO.  When I drag it and drop it asg monitor reports detached.  The only thing we did other than changing from static to dynamic is to click the "kernel routes" option under the "routing options" in the SMO in order to get our default route.  But that is in the SMO so all configuration from the SMO should get picked up by each individual SGM.  Meaning the configuration should not be different.

As I move SGM02 in and out of the SMO I watch on the console.  All looks fine when taking it out, but upon bring it back in this is as far as I get:

[Expert@gw-bf2c60:0]# Setting GW to be SGM 1_2 in security-group 1
Shutting start_linker: [  OK  ]

That is is.  Nothing else happens.  If I wait a while I can eventually log in with the default un/pw and there is no config done on the box.  There is no more output, there is no reboot.  Auto-clone is on and the FTW information is set appropriately in the orchestrator.

[Global] sgo-ch01-01> show smo image auto-clone state 
1_01:
Image auto-clone state is on
 
[Global] sgo-ch01-01>

I am running 81.10 with JHF 81.  Has anyone ever seen this functionality before or do I need to open a ticket?

Thanks in advance.

0 Kudos
9 Replies
_Val_
Admin
Admin
‎2023-01-08 11:44 PM

@Lari_Luoma@Anatoly please advise

0 Kudos
_Val_
Admin
Admin
‎2023-01-09 12:34 AM

Please open a TAC case

0 Kudos
Alexander_Wilke
Advisor
‎2023-01-09 01:26 AM

As far as I know removing the SGM from the Security Group should revert it to factory defaults. (set fcd revert).

It may be possible that the "Factory default" image is to old and not able to join the security group and clone the image.
So it is not possible to join an R76.50SP SGM to a R80.20SP Security group - it will not work and not auto clone.
Probably will not work with R81.10 and R80.20.

My experience is only with 64k Scalable Plattform not Maestro. But just as a hint - check if the SGM reverts to factory defaults after removing it from the Security group (or do it manually via clish of this SGM) and then re-add it again to the Security Group.

However I would like to know what type of "difference" between the SMO and another SGM should trigger the auto clone-feature. Where is the list of files which will be checked if differences exists.

0 Kudos
Paul_Warnagiris
Advisor
‎2023-01-09 06:19 AM
In response to Alexander_Wilke

Thank you.  Removing the SGM from the SMO does indeed reset to factory defaults.  It is an 81.10 build which is also the factory default.  This is validated by using the FTW admin/admin creds and then fw ver.  However, when dragging back into the SMO it does what is shown above (that is console output).   No other output until you wait and eventually you are back at the login prompt from the console.

[Expert@gw-bf2c60:0]# Setting GW to be SGM 1_2 in security-group 1
Shutting start_linker: [  OK  ]

 

0 Kudos
Paul_Warnagiris
Advisor
‎2023-01-09 07:58 AM
In response to Paul_Warnagiris

Confirmed Maestro and Security Group member 1 are on Take 338 base and JHF Take 81 over it.

 

[Local SGM] XXX-MSG-ch01-01> show installer packages installed

**  ************************************************************************* **

**              Connection error. Packages list might be incomplete           **

**  ************************************************************************* **

**  ************************************************************************* **

**                                 Hotfixes                                   **

**  ************************************************************************* **

Display name                                                                                    Type         

Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T81_FULL.tgz                                            Hotfix       

**  ************************************************************************* **

**                                  Majors                                    **

**  ************************************************************************* **

Display name                                                                                    Type         

Check_Point_R81.10_T338_ScalablePlatform_Upgrade.tgz                                            Major Version

[Local SGM] XXX-MSG-ch01-01>

 

Member 2 is erroring out for commands.  I attempted to install JHF Take 81 then drag out/in of security group but no luck.  It is also undoing JHF Take 81 after reboot.

[Local SGM] gw-bf2c60> show installer packages installed 

**             ************************************************************************* **

**                         Connection error. Packages list might be incomplete           **

**             ************************************************************************* **

Show packages: no packages to display

[Local SGM] gw-bf2c60> fw ver

gexec: Unable to open '/dev/fw0': Unknown error -1

Resolver Error 0 (no error)

Error: Failed to retrieve cluster state.

[Local SGM] gw-bf2c60> exit

[Expert@gw-bf2c60:0]# 

[Expert@gw-bf2c60:0]# 

[Expert@gw-bf2c60:0]# 

[Expert@gw-bf2c60:0]# fw ver

This is Check Point's software version R81.10 - Build 884

[Expert@gw-bf2c60:0]# 

[Expert@gw-bf2c60:0]# clish -c "show installer packages installed"

**             ************************************************************************* **

**                         Connection error. Packages list might be incomplete           **

**             ************************************************************************* **

Show packages: no packages to display

[Expert@gw-bf2c60:0]# 

[Expert@gw-bf2c60:0]#

 

When Maestro and member 1 are on image take 338, member 2 should be as well.  I used the same for all devices.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2023-01-09 06:10 AM

Hi Paul!
I don't think this is auto-cloning problem, but an issue with the SMO. Reboot the SMO and I'm pretty sure it fixes it. If it still won't, open a TAC case.

0 Kudos
Paul_Warnagiris
Advisor
‎2023-01-09 06:14 AM
In response to Lari_Luoma

Thank you.  I have rebooted the SMO and same issue.

0 Kudos
Alexander_Wilke
Advisor
‎2023-01-09 01:39 PM

Hi,
if I do a reboot of one of my SGMs after this message:

 

Shutting start_linker:

 

The SGM resolves the SSM (Scalable Plattform). In your case it should probably try to communicate with the MHO but for whatever reason can not reach it or resolve it.

Can you ping/reach the MHO from your SGM2 ? Don't know how this works on Maestro compared to 64k.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    li.common.scroll-to.top