Technical Tip: HA cluster out-of-sync issue due to 'system.npu' mismatch
Description
This article describes the behaviour behind the out-of-sync issue due to 'system.npu' in an HA cluster.
Scope
FortiGate.
Solution
Devices in an HA cluster may become out of sync due to various factors, such as system upgrades, reboots, failovers, or delays in configuration synchronization from the primary to the secondary unit.
One cause of an out-of-sync cluster is a mismatch in the 'system.npu' object.
The following command may be executed on both firewalls to try to recalculate the checksums:
diagnose system ha checksum recalculate
In this scenario, checking the 'system.npu' configuration of the primary device through the CLI shows that the default NP queue priority configuration is empty, as shown below:
FW_01 # config system npu
FW_01 (npu) # config np-queues
FW_01 (np-queues) # sh full
end
On the secondary device, the default NP queue priority configuration is present, as shown below:
FW_02 # config system npu
FW_02 (npu) # config np-queues
FW_02 (np-queues) # sh full
config np-queues
    config ethernet-type
        edit "ARP"
            set type 806
            set queue 9
            set weight 15
        next
        edit "HA-SESSYNC"
            set type 8892
            set queue 11
            set weight 15
        next
        edit "HA-DEF"
            set type 8890
            set queue 11
            set weight 15
        next
        edit "HC-DEF"
            set type 8891
            set queue 11
            set weight 15
        next
        edit "L2EP-DEF"
            set type 8893
            set queue 11
            set weight 15
        next
        edit "LACP"
            set type 8809
            set queue 9
            set weight 15
        next
    end
    config ip-protocol
        edit "OSPF"
            set protocol 89
            set queue 11
            set weight 14
        next
        edit "IGMP"
            set protocol 2
            set queue 11
            set weight 14
        next
        edit "ICMP"
            set protocol 1
            set queue 3
            set weight 14
        next
    end
    config ip-service
        edit "IKE"
            set protocol 17
            set sport 500
            set dport 500
            set queue 11
            set weight 13
        next
        edit "BGP"
            set protocol 6
            set sport 179
            set dport 179
            set queue 9
            set weight 13
        next
        edit "BFD-single-hop"
            set protocol 17
            set sport 3784
            set dport 3784
            set queue 11
            set weight 13
        next
        edit "BFD-multiple-hop"
            set protocol 17
            set sport 4784
            set dport 4784
            set queue 11
            set weight 13
        next
        edit "SLBC-management"
            set protocol 17
            set sport 0
            set dport 720
            set queue 11
            set weight 13
        next
        edit "SLBC-1"
            set protocol 17
            set sport 11133
            set dport 11133
            set queue 11
            set weight 13
        next
        edit "SLBC-2"
            set protocol 17
            set sport 65435
            set dport 65435
            set queue 11
            set weight 13
        next
    end
end

Note: After upgrading the FortiGate device with NP7 processors, it is recommended to verify that the NP queue priority configuration matches the intended configuration or the default configuration shown below. When upgrading from a FortiOS version that does not support the NP queue priority feature, the configuration after the firmware upgrade may appear empty or incorrect.
Refer to the document: Default NP7 queue protocol prioritization configuration.
To resolve the issue, copy the default NP queue priority configuration from the secondary device and paste it into the primary device via the CLI. After this, the HA cluster synchronized successfully.
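The comparison of the two units' 'np-queues' output described above can be scripted. The following is an added example, not part of the original article or any Fortinet tooling: it flattens the 'sh full' text pasted from each unit and lists every option that differs, so the missing entries are known before configuration is pasted across. The function names are illustrative, and the sample input is the output above with FW_02 trimmed to two entries.

```python
import re

PROMPT = re.compile(r"^\S+( \([^)]*\))? # ")  # e.g. 'FW_01 (np-queues) # sh full'

def flatten(text):
    """Map 'table/entry/option' -> value for every 'set' line in a FortiOS dump."""
    stack, flat = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue  # skip blank lines and echoed CLI prompts
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip().strip('"'))
        elif word in ("next", "end") and stack:  # a lone 'end' closes nothing
            stack.pop()
        elif word == "set":
            option, _, value = rest.partition(" ")
            flat["/".join(stack + [option])] = value.strip()
    return flat

def diff(primary, secondary):
    """Sorted (path, primary_value, secondary_value) for every option that differs."""
    a, b = flatten(primary), flatten(secondary)
    paths = sorted(a.keys() | b.keys())
    return [(p, a.get(p), b.get(p)) for p in paths if a.get(p) != b.get(p)]

PRIMARY = "FW_01 (np-queues) # sh full\nend"  # sample input: FW_01 as shown above
SECONDARY = """FW_02 (np-queues) # sh full
config np-queues
config ethernet-type
edit "ARP"
set type 806
set queue 9
set weight 15
next
end
config ip-protocol
edit "ICMP"
set protocol 1
set queue 3
set weight 14
next
end
end"""  # sample input: FW_02 output trimmed to two entries

if __name__ == "__main__":
    for path, a, b in diff(PRIMARY, SECONDARY):
        print(f"{path}: primary={a} secondary={b}")
```

A value of None on one side means the option is absent on that unit; an empty result means the two pasted blocks are identical.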