Technical Note: Checksum mismatch in a FortiGate HA cluster due to an empty object
Solution
Step 1
Identify the first checksum difference. Do not focus on errors after the first one, as they are consequences of the first error.
#diagnose sys ha cluster-csum
The master value differs from the slave unit's value (example below in VDOM 'FW12345VD01'):
FW12345VD01: 92 6f 1c 66 9d 60 e4 39 a9 91 4b 81 44 b4 4d e5
FW12345VD01: 6b 09 16 4a 5b a8 0b 50 90 c4 4f 28 81 93 2b 13
Step 2
Once the VDOM is identified as in Step 1, assess the difference and find the incorrect parameter or feature.
#diagnose sys ha showcsum 01 FW12345VD01
MASTER : firewall.service.custom: 88cf86d105c371cf35b005f8c87b5763
SLAVE : firewall.service.custom: d93f366edcfe4cc97c9f7a2b0c45e530
Step 3
Compare the CLI configuration of both units with a diff tool such as UltraEdit or WinMerge to find any differences or, in this case, an incomplete setting such as the one below.
#Configuration CLI
config firewall service custom
edit "srv-172.19.100.10"
Either delete the object, which is a subnet object, or complete it as expected by FortiOS with a subnet value (see below).
edit "srv-172.19.100.10"
set subnet 172.19.100.10 255.255.255.255
Run both of the following commands on both units to confirm that the issue is resolved.
diag sys ha csum-recalculate
diag system ha status
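The search in Step 3 can also be scripted against a saved configuration backup. The following is an added example, not part of the original note and not Fortinet tooling: it lists 'edit' entries that contain no settings in the table named by showcsum. The sample configuration is constructed, and turning the checksum label into a config path by replacing dots with spaces is an assumption.

```python
# Constructed sample backup (not taken from a real unit): one complete entry, one empty.
SAMPLE_CONFIG = '''\
config vdom
edit FW12345VD01
config firewall service custom
    edit "HTTP"
        set tcp-portrange 80
    next
    edit "srv-172.19.100.10"
    next
end
next
end
'''

def table_from_csum(label):
    """Assumed mapping: 'firewall.service.custom' -> 'firewall service custom'."""
    return label.strip().rstrip(":").replace(".", " ")

def find_empty_entries(config_text, table):
    """Return (vdom, entry) pairs for 'edit' blocks in `table` that hold no settings."""
    stack = []  # frames: ["config", path] or ["edit", name, content_line_count]
    vdom, empty = None, []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        word = parts[0]
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if word in ("config", "edit"):
            if stack and stack[-1][0] == "edit":
                stack[-1][2] += 1  # a nested block counts as content
            if word == "config":
                stack.append(["config", arg])
            else:
                if stack and stack[-1][:2] == ["config", "vdom"]:
                    vdom = arg  # remember which VDOM we are inside
                stack.append(["edit", arg, 0])
        elif word == "next" and stack and stack[-1][0] == "edit":
            _, name, count = stack.pop()
            parent = stack[-1][1] if stack else ""
            if parent == table and count == 0:
                empty.append((vdom, name))
        elif word == "end" and stack and stack[-1][0] == "config":
            stack.pop()
        elif stack and stack[-1][0] == "edit":
            stack[-1][2] += 1  # set/unset/append line inside the entry
    return empty

print(find_empty_entries(SAMPLE_CONFIG, table_from_csum("firewall.service.custom")))
```

Run it on the backup of each unit and compare the two result lists; the table filter matters because the VDOM declaration section of a multi-VDOM backup contains empty 'edit' entries that are normal.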
Related Articles
Technical Note: Troubleshooting a checksum mismatch in a FortiGate HA cluster
