John_Carnicle1
Explorer

Migrate_server fails on an MDS

I'm attempting to migrate an R80.20 MDS to a new R81.10 MDS. The export from the R80.20 is successful but the import always fails on the 9th domain with the same error.

Failed to create Primary Management's certificate

NOTE: The creation of the certificate failed
DN = domain , GetCAState = -1

.

.

.


Failed to retrieve FQDN
Error creating CA for cce02hpe-sites-emea (16.232.74.15)

Error was detected. Removing Domain Management Server domain. 

 

I have the latest patch, upgrade tools and deployment agent on both Checkpoint appliances. 

How do I correct this error? Is this a problem on the source destination domain? 

Thanks

John Carnicle

0 Kudos
13 Replies
PhoneBoy
Admin

What process did you follow for the export/import?

0 Kudos
John_Carnicle1
Explorer

export from R80.20

cd $MDS_FWDIR/scripts
./migrate_server export -v R81.10 -skip_upgrade_tools_check  /var/log/install/export/MDS01-export.tgz --exclude-licenses

Import to the R81.10 MDS

cd $MDS_FWDIR/scripts

./migrate_server import -v R81.10 -skip_upgrade_tools_check  /var/log/install/export/MDS01-export.tgz --exclude-licenses

 

I have followed the sk172645 that seemed to apply. The file was not empty. 

It successfully imports 8 of the CMAs then gets this error and stops. I also have to change the MDS IP as it is in another datacenter.

Thanks for your help.

0 Kudos
PhoneBoy
Admin

I suspect the TAC will need to be engaged to understand what's going on.
Or you might try exporting/importing the various domains one at a time versus trying to do it at the MDS level.

0 Kudos
John_Carnicle1
Explorer

I have had a TAC case opened for several weeks and tried their recommendations but they have not solved this problem. I looked into exporting the global then the domains as the next step but that is not supported between R80 and R81. How crazy is that!? Checkpoint's next recommendation is to downgrade the destination and try these solutions. I was trying not to downgrade but I'm running out of things to try. I have used your suggestions and/or solutions over the years. Thanks for all your help.

0 Kudos
PhoneBoy
Admin

If I'm reading this correctly, you couldn't even migrate a domain from, say, R80.20 to R80.40.
Specifically the limitation "Migrating a Domain is possible only when the source and the destination have the same version installed"
Which, I will admit, was not something I was aware of when I made this suggestion. 
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Send me the TAC case in a PM.

0 Kudos
John_Carnicle1
Explorer

That is the way I understand it. It only supports the exact version domain migration. I sent the TAC case. Thanks

0 Kudos
John_Carnicle1
Explorer

I have another question. The import error says "failed to create CA" and "failed to retrieve FQDN" on the import of that domain. Is this because it is missing FQDN on the source domain? Is there a way to check if one exists? I see we can use "cp_conf ca FQDN" to create one on the domain. Will it cause problems on the source domain if I create one? Thanks

0 Kudos
PhoneBoy
Admin

This error comes up in the context of MDS upgrades of specific CMAs.
One thing I saw in a TAC case that might help.
As I don't have MDS installed anywhere, I can't provide more details.

The ICA is recreated upon upgrade, so the old case suggested to do this:
go to /opt/CPmds-R80.20/scripts/mdsadd_customer and comment out the last function which removes the CMA - this will make sure the CMA is imported as well.

Hopefully that provides a clue that might work in the meantime

0 Kudos
John_Carnicle1
Explorer

Thanks. I'll go check on the MDS for that script and see if it helps.

0 Kudos
John_Carnicle1
Explorer

I see that script on the source at /opt/CPmds-R80.20/scripts/mdsadd_customer and on the destination at /opt/CPmds-R81.10/scripts/mdsadd_customer. It seems the one I should modify is the one in the destination server. Correct?

0 Kudos
PhoneBoy
Admin

I think it's only on the destination but, like I said, not sure.
I was trying to track down where this recommendation came from and...I couldn't find it.

0 Kudos
John_Carnicle1
Explorer

FYI: I commented out 2 lines from the destination MDS /opt/CPmds-R81.10/scripts/mdsadd_customer subroutine exit_with_remove. The first was the remove cma line and the second was the exit script line. This allowed the install to continue. All the CMAs that do not have a problem were imported successfully. The CMAs that have a problem were imported but the services do not start.

#JCC $ENV LD_LIBRARY_PATH=${CPDIR}/lib:${FWDIR}/lib:${LD_LIBRARY_PATH} $MDSDIR/scripts/mdsremove_customer $cmaname $echocmd -brute
# exiting with the specified exit code
#JCC exit $exit_code

 

Thanks for your help.

0 Kudos
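An added example, not part of the original post and not Check Point code: a small shell helper that applies the kind of tagged comment-out described above with a backup and a way to undo it, demonstrated on a constructed stand-in file. The function names, the `.orig` backup suffix and the sample routine are assumptions; only the `#JCC ` tag and the two matched lines come from the post.

```shell
#!/bin/sh
# Added example, not Check Point code. MARK mirrors the "#JCC " tag in the post.
MARK='#JCC '

# tag_comment FILE STRING...: back up FILE to FILE.orig, then prefix MARK to
# each uncommented line containing any STRING (fixed-string match, no regex).
tag_comment() {
    file=$1; shift
    [ ! -e "$file.orig" ] || return 1        # never overwrite an existing backup
    cp -p "$file" "$file.orig" || return 1
    PATS=$(printf '%s\n' "$@") MARK="$MARK" awk '
        BEGIN { n = split(ENVIRON["PATS"], p, "\n") }
        {
            hit = 0
            if ($0 !~ /^[ \t]*#/)
                for (i = 1; i <= n; i++)
                    if (p[i] != "" && index($0, p[i])) hit = 1
            print (hit ? ENVIRON["MARK"] $0 : $0)
        }' "$file.orig" > "$file.tmp" &&
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # cat keeps mode and owner
}

# tagged_count FILE: number of lines currently carrying MARK.
tagged_count() {
    MARK="$MARK" awk 'index($0, ENVIRON["MARK"]) == 1 { c++ } END { print c + 0 }' "$1"
}

# tag_uncomment FILE: strip MARK again, restoring the original lines.
tag_uncomment() {
    MARK="$MARK" awk '{ m = ENVIRON["MARK"]
        if (index($0, m) == 1) $0 = substr($0, length(m) + 1)
        print }' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# make_sample FILE: constructed stand-in for the cleanup routine, built from
# the two lines quoted in the post; the real script's layout is not shown there.
make_sample() {
    cat > "$1" <<'EOF'
exit_with_remove() {
    $MDSDIR/scripts/mdsremove_customer $cmaname $echocmd -brute
    # exiting with the specified exit code
    exit $exit_code
}
EOF
}
```

The match is not scoped to one subroutine, so compare `tagged_count` with the number of lines you meant to change and diff the file against its `.orig` copy before running the import. Running `tag_uncomment` afterwards puts the cleanup-on-failure behaviour back.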
PhoneBoy
Admin

Clearly this doesn't solve the problem for the CMAs that had issues, but at least it gets the rest of the CMAs up to the most recent release.

0 Kudos
