gmanea
Staff
November 2, 2021

Technical Tip: Harelay process


Description

 

This article describes the role of the harelay process in a FortiGate FGCP cluster.

 

Scope

 

FortiOS, FGCP.

 

Solution

 

In an FGCP cluster, regardless of HA mode (Active-Passive or Active-Active), the primary unit handles the local-out connections for all members. The main role of the harelay process is to provide services for the secondary unit(s) or vcluster: it relays the local-out sessions of the daemons on the secondary member(s) to the primary for routing.

 

To view the harelay statistics and connections, use the command diagnose test app harelay <#> with one of the following options:

 

Fortigate-Primary # diagnose test app harelay ?

1. Show harelay statistics
2. Show harelay connections

 

To live-debug the harelay process, use the following debug commands:

 

diagnose debug app harelay -1

diagnose debug console timestamp enable

diagnose debug enable

 

Below is a sample debug output from a primary HA member where the administrator tried to log in from the primary into the secondary using execute ha manage <id> <admin_username> but was unable to authenticate successfully due to a connection reset from the LDAPS server (as seen by errno=104):

 

Fortigate-Primary # 2026-01-14 17:16:05 harelay_on_clt_read_tcp[314] pid-2492 conn=39143 read() failed: num=0, errno=115

2026-01-14 17:16:26 harelay_accept[485] pid-2492 conn=39144 receied a relay req from ha-1/4928

2026-01-14 17:16:26 harelay_accept[485] pid-2492 conn=39145 receied a relay req from ha-1/4930

2026-01-14 17:16:26 harelay_on_clt_read_id[213] pid-2492 conn=39144 read relay-id: family=2, svr=172.16.100.4:636, source=172.16.100.11:0, vdom=root, intf_sel_mode=0, intf_sel_name=

2026-01-14 17:16:26 harelay_connect_to_server[144] pid-2492

2026-01-14 17:16:26 __set_socket_interface[134] pid-2492 Binded interface index: 0

2026-01-14 17:16:26 harelay_on_clt_read_id[213] pid-2492 conn=39145 read relay-id: family=2, svr=172.16.10.62:636, source=, vdom=root, intf_sel_mode=0, intf_sel_name=

2026-01-14 17:16:26 harelay_connect_to_server[144] pid-2492

2026-01-14 17:16:26 __set_socket_interface[134] pid-2492 Binded interface index: 0

2026-01-14 17:16:26 harelay_on_svr_read_tcp[404] pid-2492 conn=39145 read() failed: num=-1, errno=104

2026-01-14 17:16:27 harelay_on_svr_read_tcp[404] pid-2492 conn=39144 read() failed: num=-1, errno=104

 

Running debug commands on the harelay process at the same time as the main daemon that handles a given service can be helpful for better understanding inter-process communication and determining the root cause of the issue. For example:

  • fnbamd (on the secondary FortiGate) -> harelay (on the primary FortiGate) -> Remote LDAP server.
  • miglogd (secondary) -> fgtlogd (secondary) -> harelay (primary) -> FortiAnalyzer logging server.
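When the debug output is long, the failing destination can be found by joining each server-side read() failure to the relay-id line that shares its conn number. The script below is an added example, not Fortinet code; it assumes the line layout shown in the sample output above, that "svr" in a function name marks the server-facing leg, and Linux errno numbering.

```python
import re

# Sample lines taken from the debug output in this article (wrapped line rejoined).
SAMPLE = """\
Fortigate-Primary # 2026-01-14 17:16:05 harelay_on_clt_read_tcp[314] pid-2492 conn=39143 read() failed: num=0, errno=115
2026-01-14 17:16:26 harelay_accept[485] pid-2492 conn=39144 receied a relay req from ha-1/4928
2026-01-14 17:16:26 harelay_on_clt_read_id[213] pid-2492 conn=39144 read relay-id: family=2, svr=172.16.100.4:636, source=172.16.100.11:0, vdom=root, intf_sel_mode=0, intf_sel_name=
2026-01-14 17:16:26 harelay_connect_to_server[144] pid-2492
2026-01-14 17:16:26 harelay_on_clt_read_id[213] pid-2492 conn=39145 read relay-id: family=2, svr=172.16.10.62:636, source=, vdom=root, intf_sel_mode=0, intf_sel_name=
2026-01-14 17:16:26 harelay_on_svr_read_tcp[404] pid-2492 conn=39145 read() failed: num=-1, errno=104
2026-01-14 17:16:27 harelay_on_svr_read_tcp[404] pid-2492 conn=39144 read() failed: num=-1, errno=104
"""

LINE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<func>\w+)\[\d+\] "
                  r"pid-\d+ conn=(?P<conn>\d+) (?P<msg>.*)")
RELAY = re.compile(r"read relay-id: .*?svr=(?P<svr>[^,]+), source=(?P<src>[^,]*), "
                   r"vdom=(?P<vdom>[^,]+)")
FAIL = re.compile(r"read\(\) failed: num=(?P<num>-?\d+), errno=(?P<errno>\d+)")

# Linux errno values (assumption: harelay reports the Linux numbering).
ERRNO = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED",
         113: "EHOSTUNREACH", 115: "EINPROGRESS"}

def server_side_failures(text):
    """Return server-leg read failures joined to their relay request by conn id."""
    relays, findings = {}, []
    for raw in text.splitlines():
        m = LINE.search(raw)          # search() tolerates a leading CLI prompt
        if not m:
            continue                  # lines without a conn id carry nothing to join
        conn = int(m["conn"])
        relay = RELAY.search(m["msg"])
        if relay:
            relays[conn] = relay.groupdict()
            continue
        fail = FAIL.search(m["msg"])
        if fail and "_svr_" in m["func"]:   # ignore client-leg (clt) reads
            dest, code = relays.get(conn, {}), int(fail["errno"])
            findings.append({"time": m["ts"], "conn": conn,
                             "server": dest.get("svr", "unknown"),
                             "vdom": dest.get("vdom", "unknown"),
                             "errno": code, "name": ERRNO.get(code, "unmapped")})
    return findings

if __name__ == "__main__":
    for f in server_side_failures(SAMPLE):
        print(f"{f['time']} conn={f['conn']} {f['server']} vdom={f['vdom']} "
              f"errno={f['errno']} ({f['name']})")
```

Save the console output of the debug session to a file and pass its contents to server_side_failures() in place of SAMPLE.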

 
