Rosalyn
Staff
May 30, 2022

Technical Tip : Resync IPsec tunnel on secondary HA unit when it is down

Description

This article describes how to resync the IPsec tunnel on a secondary HA unit when it is down.

Scope

Unlike the primary FortiGate, the secondary FortiGate does not communicate with the remote firewall/router over the IPsec tunnel.

Instead, the IPsec tunnel status on the primary FortiGate is synchronized to the secondary by the hasync process.

Hence, restarting the hasync process on the primary makes it resync the tunnel status to the secondary.

Solution

Log in to the primary FortiGate, find the PID of the hasync process, and restart it.

 

Here is the example:

 

# FGT # diagnose sys top
Run Time:  2 days, 23 hours and 18 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 2010T, 541F
          hasync     1504      S <     0.5     1.9
          hatalk     1501      S <     0.5     0.5
          fcnacd      209      S       0.0     4.6
         reportd      170      S       0.0     2.4

 

To restart the process (1504 is the hasync PID from the example output above; use the PID shown on your own unit):

 

diagnose sys kill 11 1504     

 

After that, it is possible to verify the IPsec tunnel status on the secondary unit.
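
The PID lookup in the steps above can be checked mechanically before anything is killed. The helper below is an added example, not part of the original article or any Fortinet tooling: it runs on an admin workstation against saved diagnose sys top output and prints the restart command only when exactly one hasync row with a numeric PID is present. The names hasync_kill_cmd and SAMPLE_TOP are hypothetical, and the sample text is constructed from the listing in this article.

```shell
#!/bin/sh
# Added example: derive the restart command from captured `diagnose sys top`
# output. Reads the capture on stdin; prints the command to run on the
# primary, or fails if it cannot identify exactly one hasync PID.
hasync_kill_cmd() {
    awk '
        # Process rows look like: name  pid  state [<]  cpu%  mem%
        # Compare the name exactly so hatalk or other daemons are never picked.
        $1 == "hasync" {
            if ($2 !~ /^[0-9]+$/) { bad = 1; next }
            pid = $2
            n++
        }
        END {
            if (bad || n != 1) {
                print "error: need exactly one hasync row with a numeric PID, found " (n + 0) > "/dev/stderr"
                exit 1
            }
            # Same command form as in the article, with the parsed PID.
            print "diagnose sys kill 11 " pid
        }
    '
}

# Constructed sample: the example output shown in this article.
SAMPLE_TOP='Run Time:  2 days, 23 hours and 18 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 2010T, 541F
          hasync     1504      S <     0.5     1.9
          hatalk     1501      S <     0.5     0.5
          fcnacd      209      S       0.0     4.6
         reportd      170      S       0.0     2.4'

printf '%s\n' "$SAMPLE_TOP" | hasync_kill_cmd
```
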

 

Related article:

Technical Tip: Restarting internal processes/daemons