| Solution | In an HA cluster, if only the primary FortiGate is licensed, the GUI on the primary may still display the license as expired. When FortiGate fetches contract details, it should retrieve the license information for both the primary and secondary units. If this synchronization fails, the system may continue to show the license as expired, as illustrated in the image below.

Run the following debug commands to view the contract retrieved for each unit:

diagnose debug reset
diagnose debug disable
diagnose debug application update -1
diagnose debug enable
execute update-now

Primary device contract:
Contract=AVDB-1-06-20251002:0:1:1:0*AVEN-1-06-20251002:0:1:1:0*COMP-1-20-20251002:0:1:1:0*ENHN-1-20-20251002:0:1:1:0*FMWR-1-06-20251002:0:1:1:0*FRVS-1-06-20251002:0:1:1:0*FURL-1-06-20251002:0:1:1:0*HDWR-1-05-20251002:0:1:1:0*NIDS-1-06-20251002:0:1:1:0*SBCL-1-06-20251002:0:1:1:0*SPAM-1-06-20251002:0:1:1:0*SPR
update_status_obj[731]-SBCL contract expiry=Thu Oct 2 04:00:00 2025 level(6) alert(0)
update_status_obj[731]-AVDB contract expiry=Thu Oct 2 04:00:00 2025 level(6) alert(0)
update_status_obj[731]-ETDB contract expiry=Thu Oct 2 04:00:00 2025
Secondary device contract:
Contract=AVDB-1-06-20250727:0:1:1:0*AVEN-1-06-20250727:0:1:1:0*COMP-1-20-20250727:0:1:1:0*ENHN-1-20-20250727:0:1:1:0*FMWR-1-06-20250727:0:1:1:0*FRVS-1-06-20250727:0:1:1:0*FURL-1-06-20250727:0:1:1:0*HDWR-1-05-20250727:0:1:1:0*NIDS-1-06-20250727:0:1:1:0*SBCL-1-06-20250727:0:1:1:0*SPAM-1-06-20250727:0:1:1:0*SPR
update_status_obj[731]-SBCL contract expiry=Sun Jul 27 04:00:00 2025 level(6) alert(0)
update_status_obj[731]-AVDB contract expiry=Sun Jul 27 04:00:00 2025 level(6) alert(0)
update_status_obj[731]-ETDB contract expiry=Sun Jul 27 04:00:00 2025 level(6) alert(0)

Note: When the secondary device license is renewed, the FortiGate GUI will show the license as active. Since February 2025, units must be registered under the same FortiCloud account.

Notes:
- If the error "Missing contracts, got 1, expect 2" appears in the debug log, the FortiGate HA pair's license synchronization is failing because one unit has a different account registration or contract setup, resulting in an inconsistency.
- To resolve this, ensure both units are registered with the same FortiCare account and have synchronized licenses, which may involve re-registering or re-importing licenses on the affected unit, and verifying that the license details (contracts, serial numbers, etc.) match across the HA pair.
- Additionally, perform a license sync via CLI (execute ha manage 1 and execute ha manage 2) to force synchronization, and consider regenerating the license if discrepancies persist.
- Starting with FortiOS v7.6.1, v7.4.6, and onwards, FortiGate A-P HA clusters can share a single FortiGuard service virtual license on the following models:
  - FortiGate 40F and variants.
  - FortiGate 60F and variants.
  - FortiGate 70F and variants.
  - FortiGate 80F and variants.
  - FortiGate 100F and variants.
More information is available in: Single FortiGuard license for FortiGate A-P HA cluster

Related article: Troubleshooting Tip: License not updating when FortiGate on HA have Different Account Registration. |
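
Comparing the two `Contract=` lines by eye is error-prone, so the following added example (not from the original article or from Fortinet) parses both lines and reports per-service differences between the HA units. The sample lines are constructed from the output above, and the entry layout (service code, two numeric fields, expiry as YYYYMMDD) is an assumption inferred from that output.

```python
import re
from datetime import date, datetime

# Constructed sample input, modeled on the debug output above
# (shortened to three services per unit).
PRIMARY = "Contract=AVDB-1-06-20251002:0:1:1:0*FURL-1-06-20251002:0:1:1:0*HDWR-1-05-20251002:0:1:1:0"
SECONDARY = "Contract=AVDB-1-06-20250727:0:1:1:0*FURL-1-06-20250727:0:1:1:0*HDWR-1-05-20250727:0:1:1:0"

# Assumed entry layout: CODE-n-nn-YYYYMMDD:flags. Only CODE and the date are used.
ENTRY = re.compile(r"^([A-Z]{4})-\d+-\d+-(\d{8})(?::|$)")

def parse_contract(line):
    """Return {service_code: expiry_date} from a 'Contract=' debug line."""
    _, sep, body = line.strip().partition("Contract=")
    if not sep:
        raise ValueError("not a Contract= line")
    expiries = {}
    for entry in body.split("*"):
        m = ENTRY.match(entry)
        if m:  # skip truncated or unrecognized entries instead of guessing
            expiries[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d").date()
    return expiries

def compare_units(primary, secondary, today):
    """List (service, finding) pairs: missing, expired, or differing expiry."""
    p, s = parse_contract(primary), parse_contract(secondary)
    findings = []
    for code in sorted(set(p) | set(s)):
        pe, se = p.get(code), s.get(code)
        if pe is None or se is None:
            findings.append((code, "missing on " + ("primary" if pe is None else "secondary")))
        elif pe < today or se < today:
            if pe < today and se < today:
                unit = "both units"
            else:
                unit = "primary" if pe < today else "secondary"
            findings.append((code, "expired on " + unit))
        elif pe != se:
            findings.append((code, "expiry differs"))
    return findings

if __name__ == "__main__":
    for code, issue in compare_units(PRIMARY, SECONDARY, date(2025, 8, 15)):
        print(code, issue)
```

An entry cut off in the captured output, such as the trailing `SPR` above, does not match the pattern and is skipped.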