The Service Engine (SE) is unable to establish a secure communication channel with the Controller. 

When this happens, you may observe one or more of the following:

• The SE shows as DOWN in the Controller UI.
• The SE remains stuck in PARTITION state.
• The SE does not appear in the Controller UI after deployment.
• The SE is reachable by ping/SSH, but it does not register with the Controller.
• The issue commonly occurs with manually deployed SEs or SEs configured without an orchestrator (No Orchestrator mode).

• VMware vCenter
• No Orchestrator
• NSX Cloud

The SE is unable to reconnect to the Controller due to one or more of the following reasons:

• The SE is using an incorrect or older Controller IP.

• The secure-channel certificate between the SE and Controller no longer matches.

• The SE’s secure-channel authentication token is invalid or expired.

• The Controller cluster IP or configuration changed, and the SE still holds stale connection details.

As a result, the SE cannot complete the secure handshake required for registration.

To restore secure communication between the Service Engine (SE) and the Controller, run the connect_se.py script from the Leader Controller node located in the path /opt/avi/scripts.

The script automatically performs the following actions:

• Updates the SE with the correct Controller certificate
• Refreshes the Controller IP and Zookeeper mapping
• Generates a new secure-channel authentication token
• Restarts SE services to trigger reconnection
• Once the script completes, the SE should appear as UP in the Controller UI.

Command:

python3 /opt/avi/scripts/connect_se.py --se <SE_MGMT_IP> --username <USER> --password <PASS>