nathan_h
Staff & Editor
April 7, 2026

Troubleshooting Tip: Secondary FortiGate VM shows 'License status: Warning' after an upgrade to v7.4.10/v7.4.11

Description

 

This article describes an issue where a secondary FortiGate VM in an HA cluster is unable to validate its VM license after upgrading to v7.4.10/v7.4.11. The issue can occur when the FortiGate VM requires a defined source IP to reach the licensing servers.

 

Scope

 

v7.4.10, 7.4.11, FortiGate-VM.

 

Solution

 

FortiGate VM will cease operation if it is unable to validate its VM license within 30 days.
The unit attempts to validate the license every hour. In HA deployments, both FortiGate units must have valid licenses for the cluster to remain operational.


To demonstrate the issue, the following setup was used:

  • 10.22.8.72 – Internet access blocked, preventing license validation.
  • 10.22.8.71 – Internet access allowed, able to reach the licensing servers.

 

Network topology:

 

[Image: network topology diagram]

 

Configuration:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.22.8.72 255.255.255.0
        set type physical
        set snmp-index 1
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 10.22.8.71 255.255.255.0
                next
            end
    next
end

 

config router static
    edit 1
        set gateway 10.22.8.117
        set device "port1"
    next
end

 

config system fortiguard
    set source-ip 10.22.8.71
end

 

Debug:

diagnose debug app update -1
diagnose debug app forticldd -1
diagnose debug application cloudinitd -1
diagnose debug console timestamp enable
diagnose debug enable

vmlic status:success, valid:1
vmlic check period:3591/3600
vmlic status:success, valid:1
vmlic check period:3596/3600
[3551] fds_handle_request: Received cmd 117 from pid-3266, len 4
[3351] fds_check_request: Image list was updated within 86400 secs.
[527] fds_send_reply: Sending 6808 bytes data.
vmlic status:success, valid:1
vmlic load config

vmlic setup vfid:0
vmlic resolve:vmactivation1.fortinet.net
vmlic server:12.34.97.82
vmlic server:209.40.106.82
vmlic resolve:vmactivation2.fortinet.net
vmlic server:139.138.105.36
vmlic server:192.35.158.36
vmlic resolve:vmactivation3.fortinet.net
vmlic server:173.243.140.6
vmlic add 12.34.97.82
vmlic add 209.40.106.82
vmlic add 139.138.105.36
vmlic add 192.35.158.36
vmlic add 173.243.140.6

vmlic setup 12.34.97.82
vmlic connect harelay:1
ssl connect wait error:2
vmlic status: success=>warning
vmlic status:warning, valid:1
vmlic check period:95/3600


diagnose debug reset
diagnose debug disable
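
As an added example (not part of the original article and not Fortinet tooling), the Python sketch below scans captured vmlic debug output for the pattern seen in the capture above: an SSL connect error followed by the success=>warning transition. The function name summarize_vmlic and its field names are assumptions; the sample lines are taken from the capture in this article.

```python
import re

# Sample input: debug lines taken from the capture in this article (trimmed).
SAMPLE = """\
vmlic status:success, valid:1
vmlic check period:3596/3600
vmlic resolve:vmactivation1.fortinet.net
vmlic server:12.34.97.82
vmlic server:209.40.106.82
vmlic add 12.34.97.82
vmlic add 209.40.106.82
vmlic setup 12.34.97.82
vmlic connect harelay:1
ssl connect wait error:2
vmlic status: success=>warning
vmlic status:warning, valid:1
vmlic check period:95/3600
"""

def summarize_vmlic(text):
    """Summarize one license-validation attempt (hypothetical helper)."""
    out = {"servers": [], "attempted": None, "harelay": None,
           "ssl_error": None, "transition": None, "status": None, "valid": None}
    for line in text.splitlines():  # re.search tolerates a timestamp prefix
        if m := re.search(r"vmlic add (\S+)", line):
            out["servers"].append(m.group(1))
        elif m := re.search(r"vmlic setup (\d+\.\d+\.\d+\.\d+)", line):
            out["attempted"] = m.group(1)  # ignores "vmlic setup vfid:0"
        elif m := re.search(r"vmlic connect harelay:(\d+)", line):
            out["harelay"] = int(m.group(1))
        elif m := re.search(r"ssl connect wait error:(\d+)", line):
            out["ssl_error"] = int(m.group(1))
        elif m := re.search(r"vmlic status:\s*(\w+)=>(\w+)", line):
            out["transition"] = (m.group(1), m.group(2))
        elif m := re.search(r"vmlic status:(\w+), valid:(\d)", line):
            out["status"], out["valid"] = m.group(1), int(m.group(2))
    # Heuristic from this capture: SSL connect error plus a downgrade to warning.
    out["matches_issue"] = (out["ssl_error"] is not None
                            and out["transition"] == ("success", "warning"))
    return out

if __name__ == "__main__":
    for key, value in summarize_vmlic(SAMPLE).items():
        print(f"{key}: {value}")
```
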

 

Workaround:

  1. Perform a failover to make the Secondary the Primary.
  2. Enter the commands below to force the license update.

diagnose hardware sysinfo vm setup
UUID: 564de7c3920a2f112c9c25be80xxxxxx

 

The workaround prevents the license from becoming invalid; however, the secondary FortiGate will continue to display a Warning status. Ensure the workaround is applied within 30 days, before the license status changes to Invalid.

 

Permanent fix:
Scheduled to be resolved in the upcoming FortiOS v7.4.12 and FortiGate. The known issue ID is 1274753.

 

Related articles:

Technical Tip: How to upgrade FortiGate VM license

Technical Tip: Upgrading the VM license and adding VM resources for FortiGate-VM HA