Sudo Access Failing on SEs After Admin Password Reset via API

Article ID: 408886

Products

VMware Avi Load Balancer

Issue/Introduction

  • After resetting the Controller admin password through the API, the new password is applied successfully on the Controller and the other components. On the Service Engines, however, SSH login with the new password works, but sudo -s still prompts for, and only accepts, the old password.


  • In the SE's auth.log, the /opt/avi/scripts/local_login.py hook that PAM runs for sudo authentication fails, followed by a pam_unix authentication failure for the admin user:
2025-08-12T05:18:13.377624+00:00 Avi-Service-Engine sshd[3580418]: Starting session: shell on pts/0 for admin from ****** port 54159 id 0
2025-08-12T05:18:19.841812+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
2025-08-12T05:18:19.846371+00:00 Avi-Service-Engine sudo: pam_unix(sudo:auth): authentication failure; logname=admin uid=2000 euid=0 tty=/dev/pts/0 ruser=admin rhost=  user=admin
2025-08-12T05:18:27.246148+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
2025-08-14T04:24:54.726758+00:00 Avi-Service-Engine sshd[3830491]: Starting session: shell on pts/0 for admin from 1***** port 60217 id 0
2025-08-14T04:25:01.611009+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
2025-08-14T04:25:01.611115+00:00 Avi-Service-Engine sudo: pam_unix(sudo:auth): authentication failure; logname=admin uid=2000 euid=0 tty=/dev/pts/0 ruser=admin rhost=  user=admin
2025-08-14T04:25:21.598998+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
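To find which SEs are affected across a fleet without logging in to each one, the auth.log pattern above can be checked mechanically. The following Python script is an added example, not part of this article or of the Avi product: it parses syslog-style lines, and flags a host whenever the sudo local_login.py PAM hook fails within a short window after a successful admin SSH session on that host (the sample log lines and the source IPs are constructed; the window length is an assumed tuning value).

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample mirroring the article's auth.log excerpt; IPs and the second host are made up.
SAMPLE_AUTH_LOG = """\
2025-08-12T05:18:13.377624+00:00 Avi-Service-Engine sshd[3580418]: Starting session: shell on pts/0 for admin from 10.0.0.5 port 54159 id 0
2025-08-12T05:18:19.841812+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
2025-08-12T05:18:19.846371+00:00 Avi-Service-Engine sudo: pam_unix(sudo:auth): authentication failure; logname=admin uid=2000 euid=0 tty=/dev/pts/0 ruser=admin rhost=  user=admin
2025-08-12T05:18:27.246148+00:00 Avi-Service-Engine sudo: pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed: exit code 1
2025-08-12T06:00:00.000000+00:00 se-healthy sshd[100]: Starting session: shell on pts/0 for admin from 10.0.0.6 port 40000 id 0
"""

# "<iso timestamp> <host> <process>[pid]: <message>" as written by rsyslog on the SEs
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
SESSION_RE = re.compile(r"Starting session: shell on \S+ for (?P<user>\S+) from")
LOCAL_LOGIN_FAIL = "pam_exec(sudo:auth): /opt/avi/scripts/local_login.py failed"
WINDOW_SECONDS = 120  # assumed: a sudo failure this soon after an ssh login points at a stale SE password

def parse_line(line):
    """Split one auth.log line into (timestamp, host, process, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])  # handles the microsecond and +00:00 offset form
    return ts, m["host"], m["proc"], m["msg"]

def find_stale_sudo_hosts(log_text, window=WINDOW_SECONDS):
    """Return {host: failure_count} for hosts where an admin ssh login succeeded
    and the sudo local_login.py hook then failed within `window` seconds."""
    last_login = {}              # host -> timestamp of the most recent admin shell session
    suspects = defaultdict(int)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, proc, msg = parsed
        if proc == "sshd":
            sm = SESSION_RE.search(msg)
            if sm and sm["user"] == "admin":
                last_login[host] = ts
        elif proc == "sudo" and LOCAL_LOGIN_FAIL in msg:
            login_ts = last_login.get(host)
            if login_ts is not None and (ts - login_ts).total_seconds() <= window:
                suspects[host] += 1
    return dict(suspects)

if __name__ == "__main__":
    for host, n in find_stale_sudo_hosts(SAMPLE_AUTH_LOG).items():
        print(f"{host}: {n} local_login.py sudo failures shortly after admin ssh login")
```

Feed it the concatenated auth.log of every SE (with the hostname column intact) and the hosts it lists are the ones that still need the workaround below.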

Cause

  • Previously, the cluster watcher service ran only on the leader node, and all Service Engines (SEs) were directly subscribed to it. Later, the design was updated so that this service runs on all controller nodes, allowing SEs to subscribe to any active node.
  • As a result of this change, if an SE is subscribed to a follower node, password synchronization does not occur, since the password update API currently syncs passwords only to SEs subscribed to the leader node.

Resolution

Temporary Workaround:

  • Execute the following command on every Service Engine (SE) to set the local admin password to the same value that was set through the API.
admin@Avi-se-ulywe:/etc$ sudo passwd admin
[sudo] password for admin:                               # Enter the old admin password
New password:                                            # Enter the same password that was set through the API
Retype new password:

OR

  • Restart the envoy service on both Controller follower nodes.
systemctl restart envoy.service


Permanent Fix:

The fix for this issue will be included in the upcoming 31.3.1 release.