rk1
Staff
December 31, 2020

Troubleshooting Tip: HA out of sync issue due to 'vpn.certificate.local' object


Description

This article describes how to troubleshoot a FortiGate HA cluster that is out of sync because of the 'vpn.certificate.local' object.

Scope

All FortiGate versions.

Solution

The object 'vpn.certificate.local' holds all the local certificates (and their private keys) present on the FortiGate. If an HA cluster goes out of sync on the object 'vpn.certificate.local', first check whether private-data-encryption is enabled under the global settings, because the fix depends on its state.

  1. Check whether private-data-encryption is enabled using the commands below:

config system global
show full | grep private

Sample output:

FW1 # config system global
FW1 (global) # show full | grep private
set private-data-encryption enable    <----- Enabled.

Related article:

Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate

  2. Verify whether the checksum of the object 'vpn.certificate.local' differs between the cluster units by running the command below on each unit and comparing the results:

diagnose sys ha checksum show root vpn.certificate.local

  3. If private-data-encryption is enabled and the certificate checksums differ, follow the steps below:
  • Disable private-data-encryption:

config system global
set private-data-encryption disable
end

  • Synchronize the cluster and re-check the checksums:

execute ha synchronize start

diagnose sys ha checksum cluster <----- Once the checksums are the same, proceed to step 4 to enable private-data-encryption again.

  4. If private-data-encryption is disabled and the certificate checksums differ, follow the steps below:
  • Enable private-data-encryption (the CLI prompts for the private data encryption key; see the related article above):

config system global
set private-data-encryption enable
end

  • Synchronize the cluster and confirm the checksums now match:

execute ha synchronize start

diagnose sys ha checksum cluster  <----- Make sure the checksums are the same.
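As an added example (not part of this article and not Fortinet code), the following POSIX shell script applies the decision logic of steps 1 to 4 to CLI output captured from both cluster members: it reads the private-data-encryption state from a "show full | grep private" capture, extracts the 'vpn.certificate.local' checksum from each member's "diagnose sys ha checksum show root vpn.certificate.local" capture, and reports whether step 3 or step 4 applies. The captures embedded in the script are constructed; the "<object>: <hex>" line layout assumed for the checksum output and the function names are assumptions, so compare the layout against your own unit's output before reusing the parser.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: decide which step of the
# procedure applies from CLI output captured on both HA members.
# The captures below are CONSTRUCTED to resemble the article's samples; the
# "<object>: <hex>" layout of the checksum output is an assumption.

# Constructed capture of "show full | grep private" on the primary.
PRIMARY_GLOBAL='set private-data-encryption enable'

# Constructed captures of
# "diagnose sys ha checksum show root vpn.certificate.local" on each member.
PRIMARY_CERT='vpn.certificate.local: 3f 9a 1c 77 d2 08 4e b5'
SECONDARY_CERT='vpn.certificate.local: 3f 9a 1c 77 d2 08 4e b6'

# pde_state: print "enable" or "disable" from a "show full | grep private"
# capture ($1). Leading whitespace and trailing annotations are ignored.
pde_state() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*set private-data-encryption[[:space:]]*\([a-z]*\).*/\1/p' |
        head -n 1
}

# object_checksum: print the checksum of one object from a checksum capture.
# $1 = capture text, $2 = object name (for example vpn.certificate.local)
object_checksum() {
    printf '%s\n' "$1" | awk -v obj="$2" '
        index($0, obj ":") == 1 { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# recommend: map the observed state to the article's step.
# $1 = private-data-encryption state, $2 = primary checksum, $3 = secondary checksum
recommend() {
    if [ "$2" = "$3" ]; then
        echo "in-sync"                       # nothing to do for this object
    elif [ "$1" = "enable" ]; then
        echo "step3-disable-pde-then-sync"   # toggle off, execute ha synchronize start
    else
        echo "step4-enable-pde-then-sync"    # toggle on, execute ha synchronize start
    fi
}

main() {
    state=$(pde_state "$PRIMARY_GLOBAL")
    p=$(object_checksum "$PRIMARY_CERT" vpn.certificate.local)
    s=$(object_checksum "$SECONDARY_CERT" vpn.certificate.local)
    echo "private-data-encryption: $state"
    echo "primary   vpn.certificate.local: $p"
    echo "secondary vpn.certificate.local: $s"
    echo "action: $(recommend "$state" "$p" "$s")"
}
main
```

To use it on a real cluster, replace the three constants with the text copied from each unit's CLI; the script only reads captures and never changes configuration, so the toggling and 'execute ha synchronize start' steps remain manual.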


Note:

If private-data-encryption is disabled, the check from step 1 shows:

show full | grep private
    set private-data-encryption disable  <---

In that case, perform a hard failover of the HA cluster to resolve the issue:

  • Run the command below on the primary FortiGate. It forces a failover of the cluster, so run it in a maintenance window and answer 'y' at the prompt:

execute ha failover set 1

Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y

  • To clear the forced failover afterwards, run the following command:

execute ha failover unset 1

  • Run the commands below to recalculate the HA checksums and confirm the cluster status:

diagnose sys ha checksum recalculate
diagnose sys ha checksum show global
get sys ha status

  • If the problem persists, restart the following HA processes with the CLI commands below and reboot the secondary unit:

fnsysctl killall hatalk
fnsysctl killall hasync

Note:

Super Admin privilege is required to run the 'fnsysctl' command. Otherwise, FortiGate returns an error, as explained in this KB article: Troubleshooting Tip: fnsysctl command returns Unknown action.