Skip to main content
SAJUDIYA
Staff
SAJUDIYA
Staff
November 18, 2024

Troubleshooting Tip: HA status 'Unknown' and 'No route to host' error when accessing secondary device from CLI

  • November 18, 2024
  • 0 replies
  • 5222 views
Description

This article describes how to resolve HA out-of-sync issues with the 'Unknown' error, as well as cases where, when trying to access the secondary from the CLI, the following error is encountered:

 

execute ha manage 1 <user-name>
ssh: connect to host 169.254.0.2 port 22: No route to host
Scope FortiGate v7.2 and above version.
Solution

System HA status output will also show cluster checksum is 0000 for the secondary device:

 

get sys ha status
Primary selected using:
HA Health Status: OK
Model: FortiGate-120G
Mode: HA A-P
Group Name: Hub1
Group ID: 0
Debug: 0
Cluster Uptime: 109 days 22:9:15
Cluster state change time: 2024-10-29 03:54:15
    <2024/10/29 03:54:15> vcluster-1: FG120GTK00000001 is selected as the primary because its uptime is larger than peer member FG120GTK00000002.
    <2024/10/29 03:51:22> vcluster-1: FG120GTK00000001 is selected as the primary because it's the only member in the cluster. <--- The secondary member is not listed in the cluster.
    <2024/10/29 03:51:16> vcluster-1: FG120GTK00000001 is selected as the primary because SET_AS_SECONDARY flag is set on peer member FG120GTK00000002.

ses_pickup: disable
override: disable
Configuration Status:
    FG120GTK00000001(updated 0 seconds ago): in-sync
    FG120GTK00000001 chksum dump: 03 0a 0f 9d d3 e8 02 63 10 3f 71 a1 ef 20 31 90
    FG120GTK00000002(updated 1730208767 seconds ago): out-of-sync
    FG120GTK00000002 chksum dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <--- Checksum Cluster is 00.

 

ICMP packets show 'ICMP: host 169.254.0.2 unreachable' error:

 

filters=[host 169.254.0.1 or host 169.254.0.2]
2024-09-14 10:58:11.251632 vsys_ha out 169.254.0.1 -> 169.254.0.1: icmp: host 169.254.0.2 unreachable

 

GUI showing HA status as 'Unknown'.

HA-unknown.png
Note: HA status 'Unknown' error also shows up if Secondary device is on different firmware version (OR) if split brain is happening.
See this article for more info on split brain issue: High Availability - Split Brain - Fortinet Community.

When running hatalk and hasync debug, it shows the below error:

 

diag deb application hatalk -1
diag deb application hasync -1
diag deb en

2024-09-19 17:22:58 <hatalk> vcluster_1: ha_prio=1(secondary), state/chg_time/now=3(standby)/1726790186/1726791778
ag de2024-09-19 17:22:59 <hasync:WARN> conn=0xd46a160 connect(169.254.0.1) failed: 113(No route to host)

 

Workaround:

  • Use another port as hbdev other than HA and mgmt ports.
  • The permanent fix will be on v7.2.11, v7.4.5, v7.6.1.

Note: If FortiGate is hosted in VMware and having the same issue then it requires enabling MAC address spoofing on the virtual switches that connect heartbeat interfaces from VMware; or, simply configuring the unicast-ip method to make the firewall in sync.
      Terms & ConditionsAccessibility statement