Wolfgang
Authority

Problem with add or remove of SGMs to a security group in a dual site environment

We had a small R81.20 jumbo take 10 dual site environment with one MHO and one SGM on every site. Both sites are connected via external switch infrastructure (QinQ is working fine). 

Everything is working fine. But if we remove an SGM from the security group, the configuration is accepted and in the orchestrator's Gaia WebUI the appliance is shown as unattached. Normally, after removing the appliance from the security group, the appliance reboots and does a reset to factory defaults. But this procedure isn't done and the appliance stays as it is. You can add the appliance again to the security group and this is accepted by the orchestrator, but it does not work. If we reset the appliance manually to factory defaults, you can add it to the security group and the appliance is installed and configured as needed.

That's our first dual site environment, but I think it should work like a non-dual-site configuration. Does anyone know exactly how the remote appliance gets the information to revert to factory defaults? Is the command sent from the orchestrator via site_sync to the remote orchestrator and then to the appliance, or some other way?

HeikoAnkenbrand
Champion

Normally, this is done by the SMO process.

Check the REST-API connectivity to all MHOs.

# smo_rest_util -c show-connectivity-test -i 1_1
# smo_rest_util -c show-connectivity-test -i 1_2
# smo_rest_util -c show-connectivity-test -i 2_1
# smo_rest_util -c show-connectivity-test -i 2_2

Result should be:

{
   "Status" : "OK"
}

Check the REST-API status:
# rest_api_status 

Used to identify the SMO and more
# asg stat -i tasks

Show log files across all SGMs
> show smo log ...

Check if SGM is reachable via LLDP
# lldpctl

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion

Factory reset an SGM:

You can do it either one of two ways:

1. Reboot the SGM and interrupt the boot when prompted, then select “Factory Defaults” from the boot menu.

2. On the clish CLI, run set fcd revert VERSION – you can use tab completion to see the list of versions. Be aware that running this in gclish will revert ALL of the SGMs simultaneously. You can use set global-mode off in order to run the revert on the local SGM only.

emmap
Employee

It should work as you state, but one little tweak - when you remove an SGM from the SG it does a 'mini-fcd' - it's not a full factory default restore (as that may revert it to an earlier version) but it should wipe all the config. It sounds like that process is not happening for some reason though. You might find some clues in the blade_config or silent_install log files, but this sounds like something we need TAC investigating.
