Troubleshooting Tip: FortiGate HA synchronization messages and cluster verification steps
Description
Note that all commands are passed in global mode if VDOMs are enabled (as shown in the following examples).
get system ha status
diagnose sys ha checksum cluster
execute ha synchronize start/stop
execute ha manage <id> <admin name>
Step 1:
secondary's configuration is not in sync with primary's, sequence:0
secondary's configuration is not in sync with primary's, sequence:1
secondary's configuration is not in sync with primary's, sequence:2
secondary's configuration is not in sync with primary's, sequence:3
secondary's configuration is not in sync with primary's, sequence:4
secondary starts to sync with primary
logout all admin users
secondary succeeded to sync with primary
Step 2:
- Output example from the Primary:
Model: 300
Mode: a-p
Group: 30
Debug: 0
ses_pickup: disable
Primary:200 FGT300-5 FG300A3906550380 0
Secondary :128 FGT300-2 FG300A2904500186 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary:0 FG300A3906550380
Secondary :1 FG300A2904500186
- Output example from the Secondary:
get system ha status
Mode: a-p
Group: 30
Debug: 0
ses_pickup: disable
Secondary:128 FGT300-2 FG300A2904500186 1
Primary:200 FGT300-5 FG300A3906550380 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Secondary:1 FG300A2904500186
Primary:0 FG300A3906550380
The following example shows a FortiGate running with multiple VDOMs, and the configuration checksum being similar on both devices for all of the VDOMs.
- Getting the HA checksums on the Primary.
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65
checksum
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65
- Getting the HA checksums on the Secondary (and comparing with the Primary):
diagnose sys ha checksum cluster
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65
checksum
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65
Any checksum difference between Primary and Secondary will depict a synchronization problem. Configuration synchronization can be forced with the following command:
execute ha synchronize start
If further problems are experienced, it is recommended to open a ticket with Fortinet TAC and attach the information that has been gathered.
Related articles: