Technical Tip: HA cluster out-of-sync issue due to 'vpn.certificate.ca' mismatch
| Description | This article describes the behavior behind the out-of-sync issue due to 'vpn.certificate.ca' on an HA cluster. |
| Scope | FortiGate, FortiProxy. |
| Solution | The members of an HA cluster can become out of sync for various reasons: after an upgrade, reboot, or failover, or when the configuration takes longer than expected to propagate from the primary to the secondary.
One of these cases is a mismatch in the 'vpn.certificate.ca' object, which shows up in the HA checksum output:
PrimaryFirewall # diagnose sys ha checksum show root
In this scenario, the certificates are shown as present on the secondary device but missing on the primary one when the configuration is checked with the following CLI command:
show full-configuration vpn certificate ca
As an example:
SecondaryFirewall # config vpn certificate ca
    edit "SecureSign_Root_CA15"
        MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw
        ----------------------
    edit "TWCA_CYBER_Root_CA"
        ----------------------
end

PrimaryFirewall # config vpn certificate ca
PrimaryFirewall (ca) # show full
If the following command is executed, however, the certificates are listed on both devices, but with different checksums:
diagnose sys ha checksum show global vpn.certificate.ca
Secondary Firewall:
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
Primary Firewall:
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
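Comparing the 'diagnose sys ha checksum show global vpn.certificate.ca' output of both members by hand is error-prone once the CA list grows. The script below is an added example, not Fortinet's code or a FortiOS command: it parses the per-object "Name: checksum" lines captured from the primary and the secondary and reports which CA objects exist only on one member and which exist on both but with different checksums. The output format is assumed from the two lines shown above; the SecureSign_Root_CA12 checksums are the ones on this page, and the other certificate names and checksums are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample captures in the "Name: checksum" shape shown on the page.
# Only the two SecureSign_Root_CA12 checksums come from the article; the rest are made up.
SECONDARY_OUTPUT = """\
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 0b3c4d5e6f708192a3b4c5d6e7f80910
TWCA_CYBER_Root_CA: 1122334455667788990011223344aabb
"""

PRIMARY_OUTPUT = """\
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: 1122334455667788990011223344aabb
"""

# One object per line: a name, a colon, and a 32-hex-digit checksum.
# Header or blank lines that do not follow this shape are ignored.
LINE_RE = re.compile(r"^\s*(?P<name>\S+):\s*(?P<sum>[0-9a-fA-F]{32})\s*$")


def parse_checksums(output: str) -> Dict[str, str]:
    """Map each CA object name to its checksum; skip lines that are not 'name: md5'."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if match:
            result[match.group("name")] = match.group("sum").lower()
    return result


def compare(primary_output: str, secondary_output: str) -> Dict[str, Set[str]]:
    """Classify every CA object as missing on one side or mismatched between the two."""
    primary = parse_checksums(primary_output)
    secondary = parse_checksums(secondary_output)
    shared = set(primary) & set(secondary)
    return {
        # Candidates for the page's workaround (extra certificates on the secondary).
        "only_on_secondary": set(secondary) - set(primary),
        "only_on_primary": set(primary) - set(secondary),
        # Same name on both members but different content, e.g. a different bundle version.
        "checksum_mismatch": {name for name in shared if primary[name] != secondary[name]},
    }


def report(primary_output: str, secondary_output: str) -> List[str]:
    """Human-readable lines for the cluster administrator, sorted for stable output."""
    diff = compare(primary_output, secondary_output)
    lines: List[str] = []
    for name in sorted(diff["only_on_secondary"]):
        lines.append(f"{name}: present on secondary only")
    for name in sorted(diff["only_on_primary"]):
        lines.append(f"{name}: present on primary only")
    for name in sorted(diff["checksum_mismatch"]):
        lines.append(f"{name}: checksum differs between members")
    if not lines:
        lines.append("vpn.certificate.ca is consistent on both members")
    return lines


if __name__ == "__main__":
    for line in report(PRIMARY_OUTPUT, SECONDARY_OUTPUT):
        print(line)
```

In practice, paste each member's command output into the two strings (or read them from files) and run the script; the "present on secondary only" entries are the ones the workaround below deletes, while "checksum differs" entries point at a certificate bundle version mismatch to check with 'diagnose autoupdate versions'.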
The following command can also be run on both firewalls to recalculate the checksums:
diagnose sys ha checksum recalculate
If recalculating the checksums does not resolve the mismatch, another possible workaround is to delete the extra certificates from the secondary device with the following commands:
config vpn certificate ca
    delete <duplicate_certificate>    <----- Certificate present on the secondary but not on the primary.
end
The default CA certificates are read-only and therefore cannot usually be modified or deleted. If one is deleted, there is no impact, and the FortiGates should sync as expected. Additionally, use the command below to verify the certificate bundle version and determine whether there is a version mismatch on the secondary device:
diagnose autoupdate versions | grep "Certificate Bundle" -A 6
If there is a Certificate Bundle mismatch between the primary and the secondary, refer to this article to update or import the Certificate Bundle manually: Technical Tip: How to import public CA certificate bundle in FortiGate.
If these steps do not resolve the issue, open a ticket with the TAC support team. Refer to this article: Technical Tip: How to create a ticket for Fortinet TAC.
The output of the commands below from both members of the cluster (primary/secondary) will be needed for the TAC team to troubleshoot the issue further:
To disable the debug process:
diagnose debug disable
diagnose debug reset
To resolve the problem, run 'execute update-now' on the current primary (this guarantees that it has the most recent certificate bundle) and then reboot the current primary.
Run the same command on the new primary and wait for the cluster to come into sync (if necessary, synchronization can be triggered manually with the command 'execute ha synchronize start'). See this article: Technical Tip: HA Synchronization failure due to the 'vpn.certificate.ca' object. |
