Skip to main content
acvaldez
Staff
acvaldez
Staff
June 4, 2021

Troubleshooting Tip: HA setup with identical license subscription

  • June 4, 2021
  • 0 replies
  • 3847 views

Description

 

This article describes how to troubleshoot the error received when the HA FortiGate does not have the same license subscription across the cluster units.

Scenario:

  • When the FortiGate is a part of the HA, and the license subscription is not identical.
  • What will happen is that the FortiGuard details are not reflected in the FortiGate primary. It will not show the current subscription on FortiGuard.

 

Scope

 

Any supported version of FortiGate in HA.

Solution

 

Access FortiGate via SSH(using PuTTY), through the GUI (On FortiGuard page -> Verify the license status), or through the CLI on GUI and run the following command.

 

diagnose debug reset
diagnose debug disable
diagnose debug app update -1
diagnose debug enable 

execute update-now

 

To disable debugs:

 

diagnose debug disable

 

The following is the output of the update daemon log when the FortiGate HA does not have the same license subscription:

 

------------------------------------------------------------------------------------------------------------------------------------------

do_update[484]-Starting now UPDATE (final try)
upd_act_HA_contract_info[724]-ContractItem (1) does not contain all HA (2): FG6H1Exxxxxxxxxx
do_update[496]-UPDATE failed
do_check_wanip[642]-Starting getting wan ip
upd_comm_connect_fds[458]-Trying FDS 173.243.140.6:443
tcp_connect_fds[234]-Binding to interface 13
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.

If one of the FortiGates has a lower level of licensing, then all the FortiGates in the cluster operate at the lowest licensing level.

 

Untitled picture.png

 

All cluster members must have the same licenses.

 

Note:

As of v7.2.9, v7.4.6, v7.6.1, and above, FortiGate A-P HA clusters support sharing a single FortiGuard service license for both cluster units for the following models:

  • 40F and variants.

  • 60F and variants.

  • 70F and variants.

  • 80F and variants.

  • 100F and variants.

 

The two FortiGate serial numbers will be linked on FortiCare to generate a single virtual Serial Number (vSN), to which the services will be registered.

 

For more information, refer to the following documents

Single FortiGuard license for FortiGate A-P HA cluster 7.2.9

Single FortiGuard license for FortiGate A-P HA cluster 7.4.6

Single FortiGuard license for FortiGate A-P HA cluster 7.6.1

    Terms & ConditionsAccessibility statement