Prior to FortiOS version 7.6.4, routing processes were handled by the primary FPM slot on FortiGate 7000 platforms. From FortiOS version 7.6.4 onward, routing processes on FortiGate 7000 run on the primary FIM.
Under normal conditions, when the primary FIM fails, the secondary FIM takes over the Config-Sync primary role and the routing processes are re-established on that slot.
However, in some cases, when a FIM failover is performed (either manually by the customer or automatically by the FortiGate chassis), routing processes stop working on the new primary FIM slot.
In the following example, the BGP routing protocol stopped working after failover from FIM01 to FIM02.
FGT7K [FIM01] (global) # get system status
Version: FortiGate-7121F v7.6.6,build3652,260127 (GA.M)
First GA patch build date: 240724
...
Current HA mode: standalone
Config-Sync: Secondary (Primary: slot 2), in-sync < ---
FPM Primary: slot-3
Branch point: 3652
Release Version Information: GA
FortiOS x86-64: Yes
System time: Fri Apr 10 15:18:29 2026
Last reboot reason: power cycle
Then, a manual FIM failover is performed by powering off the primary FIM slot:
FGT7K [FIM02](global) # get system ha status
HA Health Status: OK
Model: FortiGate-7000F
Mode: Standalone
Group Name:
Group ID: 1
Debug: 0
Cluster Uptime: 0 days 0h:0m:0s
Cluster state change time: N/A
ses_pickup: disable
override: disable
System Usage stats:
HBDEV stats:
number of member: 0
number of vcluster: 0
Chassis Status: (Local chassis ID: 1)
Chassis ID 1: Primary Chassis
Slot ID 1 (FIM41FTE26000XXX): Secondary Slot
Slot ID 2 (FIM41FTE26000XXX): Primary Slot
FGT7K [FIM02] (global) # execute load-balance slot power-off 2
This operation will power-off the slots: 2!
Do you want to continue? (y/n)y
Power off slot 2
Checking the BGP summary on the new primary FIM slot shows that it is now empty:
FGT7K [FIM01] (root) # get router info bgp summary
Slot: 3 Module SN: FPM20FTB23800XXX
==========================================================================
Slot: 4 Module SN: FPM20FTB23800XXX
==========================================================================
Current slot: 1 Module SN: FIM41FTE26000XXX
A packet capture on the reported VDOM shows that the BGP TCP packet reaches the FortiGate interface but is reset by the FortiGate unit:
FGT7K [FIM01] (root) # diagnose sniffer packet any "host 130.0.0.111 and tcp port 179" 4
interfaces=[any]
filters=[host 130.0.0.111 and tcp port 179]
[FPM03] 75.604071 v130 in 130.0.0.111.9088 -> 130.0.0.254.179: syn 3588396192
[FPM03] 75.604171 v130 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FPM03] 75.604175 xlag1 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FPM03] 75.604177 2-P11/1 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FIM02] 75.613835 v130 in 130.0.0.111.9088 -> 130.0.0.254.179: syn 3588396192
[FIM02] 75.613858 v130 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FPM03] 193.657674 v130 in 130.0.0.111.9096 -> 130.0.0.254.179: syn 2554788841
[FPM03] 193.657763 v130 out 130.0.0.254.179 -> 130.0.0.111.9096: rst 0 ack 2554788842
[FPM03] 193.657766 xlag1 out 130.0.0.254.179 -> 130.0.0.111.9096: rst 0 ack 2554788842
[FPM03] 193.657768 2-P11/1 out 130.0.0.254.179 -> 130.0.0.111.9096: rst 0 ack 2554788842
[FIM02] 193.668038 v130 in 130.0.0.111.9096 -> 130.0.0.254.179: syn 2554788841
[FIM02] 193.668059 v130 out 130.0.0.254.179 -> 130.0.0.111.9096: rst 0 ack 2554788842
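Added example (not Fortinet code): a Python sketch that scans saved output of the sniffer command above and reports each inbound SYN to TCP port 179 that the same slot answered with a RST, which is the symptom shown in this capture. The sample lines are constructed in the capture's format, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample in the format of the capture above; the last two lines
# are a constructed healthy handshake (SYN answered by SYN/ACK) for contrast.
SAMPLE = """\
[FPM03] 75.604071 v130 in 130.0.0.111.9088 -> 130.0.0.254.179: syn 3588396192
[FPM03] 75.604171 v130 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FPM03] 75.604175 xlag1 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FIM02] 75.613835 v130 in 130.0.0.111.9088 -> 130.0.0.254.179: syn 3588396192
[FIM02] 75.613858 v130 out 130.0.0.254.179 -> 130.0.0.111.9088: rst 0 ack 3588396193
[FPM03] 300.000100 v130 in 130.0.0.112.9100 -> 130.0.0.254.179: syn 1000
[FPM03] 300.000200 v130 out 130.0.0.254.179 -> 130.0.0.112.9100: syn 2000 ack 1001
"""

LINE = re.compile(
    r"^\[(?P<slot>\w+)\]\s+(?P<ts>\d+\.\d+)\s+(?P<ifc>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.+)$")

def refused_bgp_syns(text, bgp_port=179):
    """Return one record per inbound SYN to bgp_port that the same slot
    answered with RST/ACK whose ack number equals the SYN sequence + 1."""
    pending = {}   # (slot, peer_ip, peer_port, local_ip) -> SYN sequence number
    refused = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # banner lines such as "interfaces=[any]"
        flags = m["flags"].split()
        if (m["dir"] == "in" and int(m["dport"]) == bgp_port
                and flags[0] == "syn" and "ack" not in flags):
            pending[(m["slot"], m["src"], m["sport"], m["dst"])] = int(flags[1])
        elif (m["dir"] == "out" and int(m["sport"]) == bgp_port
                and flags[0] == "rst" and "ack" in flags):
            key = (m["slot"], m["dst"], m["dport"], m["src"])
            ack = int(flags[flags.index("ack") + 1])
            if key in pending and ack == (pending[key] + 1) & 0xFFFFFFFF:
                # The same RST repeats on each egress interface; count it once.
                del pending[key]
                refused.append({"slot": key[0], "peer": key[1],
                                "local": key[3], "ts": float(m["ts"])})
    return refused

if __name__ == "__main__":
    for r in refused_bgp_syns(SAMPLE):
        print(f"{r['ts']:.6f} [{r['slot']}] SYN from {r['peer']} to "
              f"{r['local']}:179 reset locally (no BGP listener?)")
```

A non-empty result combined with an empty `get router info bgp summary` on the primary FIM matches the behavior described in this article.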
To recover the services, restart both the zebos_launcher and chlbd daemons, or reboot the FIM slots.
Another workaround to avoid this behavior is to downgrade to v7.6.3, where the routing processes run on the primary FPM.
A fix is scheduled to be included in the next GA 7.6.7 release.
The commands to check this issue are as follows:
diagnose test application zebos_launcher 1
Zebos-launcher debug:
diagnose debug console time ena
diagnose debug application zebos-launcher -1
diagnose debug enable
BGP traffic sniffer:
diagnose sniffer packet any "host x.x.x.x and tcp port 179" 4
BGP commands:
diagnose sys tcpsock | grep 179
get router info bgp summary