| For testing purposes, FortiGate-500E v7.0.15, build0566, 231024 is used.

- Confirm on both FortiGates that the override is disabled:

    show full sys ha

- Confirm the hostname and serial number on both FortiGates:

    get system status

The collected information is as follows (output truncated for better readability):

    Hostname: Fortigate-A
    FG-SERIALXXX_A
    Primary
    Priority 200
    FortiGate-500E v7.0.15,build0566,231024 (GA.M)
    Override disable
    Mode: Active - Passive
    --------------------------
    Hostname: Fortigate-B
    FG-SERIALXXX_B
    Secondary
    Priority 100
    FortiGate-500E v7.0.15,build0566,231024 (GA.M)
    Override disable
    Mode: Active - Passive

Initial notes:

- This procedure also works for Active-Active environments.
- A person must be on-site to be able to disconnect and reconnect cables to the devices.
- Perform a full backup of the Primary node (FortiGate-A).

Activity Summary:

- Currently, FortiGate-B has too many checksum differences between different tables and is out of sync.
- Perform a Restore on FortiGate-B.
- Load a Backup on FortiGate-B, edit it, add it to the cluster, and resynchronize the HA.

Procedure:

- Make a full backup of FortiGate-A (active FortiGate with serial number FG-SERIALXXX_A).
- Disconnect all cables from the secondary HA cluster member, FortiGate-B (secondary FortiGate with serial number FG-SERIALXXX_B).
- Leave only FortiGate-A connected (active FortiGate with serial number FG-SERIALXXX_A). This unit remains operational to avoid a service impact. See Figure 1:

Note: If the cables are not labeled, identify them first to avoid confusion when reconnecting them later.

- Work with the FortiGate that is disconnected from the HA, that is, FortiGate-B (hardware with the serial number FG-SERIALXXX_B).
- Log in to the FortiGate-B via the management port and get connected to the GUI.
- The backup file made in step 1 should be located on the PC connected to FortiGate-B. Select and load the backup made in step 1 onto this FortiGate-B:
- Once the backup is loaded, the FortiGate will reboot.
- Log back into the GUI and edit the hostname and basic HA configuration as follows:

Note: If there is no access to the secondary member through the GUI, these changes must be performed through the serial console connection, but first the configuration must be restored using a TFTP server. More information is in the following technical document: Technical Tip: Restoring a config file from the CLI by using TFTP server

- (Optional) The same settings can be updated via the CLI as follows:

    config system global
        set hostname Fortigate-B
    end
    config system ha
        set priority 100    <- Set the value to 100, originally 200.
    end    <- Save the changes.

  Check from the CLI that the changes have been accepted:

    show full system global | grep hostname    <- Fortigate-B should be the hostname.
    show full system ha | grep priority    <- 100 should be the Priority.

- Once these configuration settings have been made and verified, physically connect the secondary device (FortiGate-B) to the HA cluster and wait for it to sync. See Figure 2:

If the units DO NOT sync, open a ticket with support and call support for immediate assistance. For more information on how to troubleshoot a checksum mismatch on HA clusters, see Troubleshooting Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster. |
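
A pre-reconnect check for the CLI verification step above, as an added example that is not part of the original article or any Fortinet tooling: it parses text captured from `show full system global` and `show full system ha` on each unit (run without `| grep`) and lists anything that contradicts the values this procedure expects. The sample captures and the function names are constructed for illustration.

```python
import re

# Constructed sample captures (not from the original article), shaped like the
# stanzas that "show full system global" and "show full system ha" print.
PRIMARY = """\
config system global
    set hostname "Fortigate-A"
end
config system ha
    set mode a-p
    set override disable
    set priority 200
end
"""
SECONDARY = PRIMARY.replace("Fortigate-A", "Fortigate-B").replace("priority 200", "priority 100")

def parse_settings(capture):
    """Return {'system ha': {'priority': '200', ...}, ...} from captured output."""
    sections, stack = {}, []
    for line in capture.splitlines():
        line = line.strip()
        if line.startswith("config "):          # open a (possibly nested) stanza
            stack.append(sections.setdefault(line[len("config "):], {}))
        elif line == "end" and stack:           # close the innermost stanza
            stack.pop()
        elif stack and (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            stack[-1][m.group(1)] = m.group(2)  # single-valued "set key value"
    return sections

def rejoin_problems(primary, secondary):
    """List reasons the restored secondary should not be reconnected yet."""
    p, s = parse_settings(primary), parse_settings(secondary)
    pha, sha = p.get("system ha", {}), s.get("system ha", {})
    problems = []
    # A missing hostname on both sides also compares equal and is reported.
    if p.get("system global", {}).get("hostname") == s.get("system global", {}).get("hostname"):
        problems.append("hostname not changed on secondary")
    for name, ha in (("primary", pha), ("secondary", sha)):
        if ha.get("override") != "disable":
            problems.append(f"override not disabled on {name}")
    if pha.get("mode") != sha.get("mode"):
        problems.append("HA mode differs")
    if int(sha.get("priority", 0)) >= int(pha.get("priority", 0)):
        problems.append("secondary priority is not lower than primary")
    return problems

if __name__ == "__main__":
    print(rejoin_problems(PRIMARY, SECONDARY) or "ok to reconnect")
```

An empty list means the captured settings match what the procedure expects before the cables are reconnected; it does not replace waiting for the cluster to report that it is in sync.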