Technical Tip: How to fix HA out of sync due to system.admin table without accessing to Secondary unit
| Description | This article describes how to fix HA out of sync, which can be caused by the command 'set password-expire' mismatch, and admin credentials do not work on the Secondary unit. |
| Scope | FortiGate. |
| Solution | When going to FortiGate -> System -> HA, the HA is out of sync due to the system.admin table:
In such a case, proceed to check the system admin section config by running the command: 'show system admin'.
FGVM02TM22026828-VBA~IOS # show system admin
Due to there being no access to the SECONDARY unit, it was not possible to confirm what the dates/times set with the 'password-expire' command on the peer unit might be mismatching, so it was not possible to adjust it manually.
To fix the authentication and HA out-of-sync issues, apply the following:
FGVM02TM22026828-VBA~IOS # config system admin FGVM02TM22026828-VBA~IOS (admin) # edit admin FGVM02TM22026828-VBA~IOS (admin) # unset password-expire FGVM02TM22026828-VBA~IOS (admin) # end
FGVM02TM22026828-VBA~IOS # diagnose sys ha checksum recalculate
FGVM02TM22026828-VBA~IOS # diagnose debug app hasync 255
Proceed to check with the command 'get system ha status' until both devices show back to the in-sync state.
Another possible reason for HA being out of sync on the system.admin parameter is if the old backup imported to the secondary device was not created by the local superadmin user.
Always use a Super Admin account to take backups; otherwise, the HA may become out of sync, as backups created with other admin profiles do not include the Super Admin account.
Note: If this does not resolve the issue, run the command 'diagnose sys ha checksum show global system.admin' on both units to compare the checksums for each admin.
Related articles: Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate Troubleshooting Tip: HA devices out of sync after a firmware upgrade |
