dbhavsar
Staff
June 11, 2025

Troubleshooting Tip: 'system.federated-upgrade' causes HA desync


Description

This article describes an issue where a 'system.federated-upgrade' checksum causes an HA desync.

Scope

FortiGate.

Solution

Hovering over the HA device in the GUI shows that 'system.federated-upgrade' has a mismatch in checksum values. This error is triggered in different scenarios.


Scenario 1

Fabric upgrade is enabled on the HA devices, and the cluster still goes out-of-sync after the targeted firmware upgrade has finished.

If HA reservation management is enabled, log in to the secondary device via the GUI and disable the Fabric upgrade.

The configuration looks like this:


FortiGate-60F # config global

FortiGate-60F (global) # config system federated-upgrade

FortiGate-60F (federated-upgrade) # sh
config system federated-upgrade
    set status ready
    set upgrade-id 2
    set ha-reboot-controller "FGT60FTK2000YYYY"
        config node-list
            edit "FGT60FTK2000YYYY"
                set timing scheduled
                set time 05:25 2025/06/12 UTC
                set setup-time 11:56 2025/06/11 UTC
                set upgrade-path 7-2-11
            next
        end
end

Attempting to delete the node-list entry from the CLI returns an error:

FortiGate-60F # config global

FortiGate-60F (global) # config system federated-upgrade 

FortiGate-60F (federated-upgrade) # config node-list

FortiGate-60F (node-list) # delete FGT60FTK20006777 
Federated upgrade cannot be configured directly.
Please use 'execute federated-upgrade ...' to configure.
command_cli_delete:6898 delete table entry FGT60FTK2000YYYY unset oper error ret=-39
Command fail. Return code -39


Solution:


To disable the fabric upgrade, execute the following command:

FortiGate-60F (global) # execute federated-upgrade cancel 
This will cancel the upgrade. If the upgrade is immediate or scheduled to happen very soon,
some nodes may have already gone down for upgrade.
Do you want to continue? (y/n)y


FortiGate-60F (global) # show system federated-upgrade 
config system federated-upgrade
     set status disabled
end

Note:

The 'config system federated-upgrade' command is read-only. Attempting to configure federated upgrade using the config command will show the following error message:

Federated upgrade cannot be configured directly.
Please use 'execute federated-upgrade ...' to configure.

Once the cancel command is executed, the status changes to disabled. Wait for a while, and the HA status will show in-sync.

Related document: Upgrading all device firmware by following the upgrade path (federated update).

If the HA status does not return to In Sync:

  • Perform a manual synchronization, or,

  • Reboot the primary node to resolve the discrepancy.

 

Scenario 2

The federated-upgrade configuration differs between the primary and the secondary.

On the primary FortiGate:

config system federated-upgrade
    set status disabled
    set initial-version 'firmware-7.6.4'
    set starter-admin 'super_admin'
end

On the secondary FortiGate:

config system federated-upgrade
    set status disabled
end
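
To see exactly which options make the checksums differ in a case like Scenario 2, the two 'show' outputs can be compared offline. The Python script below is an added example, not Fortinet code or part of the original article; the names parse_block and diff_settings are assumptions, and the sample input is the pair of blocks shown above.

```python
import shlex

# The two blocks from Scenario 2 above, pasted as sample input.
PRIMARY = """\
config system federated-upgrade
    set status disabled
    set initial-version 'firmware-7.6.4'
    set starter-admin 'super_admin'
end
"""
SECONDARY = """\
config system federated-upgrade
    set status disabled
end
"""

def parse_block(text):
    """Flatten FortiOS 'show' output into {"path/to/option": "value"}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours '...' and "..." quoting
        if not words:
            continue
        keyword = words[0]
        if keyword == "config":           # enter a section or table
            stack.append(" ".join(words[1:]))
        elif keyword == "edit" and len(words) > 1:   # enter a table entry
            stack.append(words[1])
        elif keyword in ("next", "end"):  # leave the entry or section
            if stack:
                stack.pop()
        elif keyword == "set" and len(words) > 1:
            settings["/".join(stack + [words[1]])] = " ".join(words[2:])
    return settings

def diff_settings(primary, secondary):
    """Return {path: (primary_value, secondary_value)} for every mismatch."""
    a, b = parse_block(primary), parse_block(secondary)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for path, (pri, sec) in diff_settings(PRIMARY, SECONDARY).items():
        print(f"{path}: primary={pri!r} secondary={sec!r}")
```

A value of None means the option is absent on that unit; nested tables such as node-list appear as paths like system federated-upgrade/node-list/<serial>/timing.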

Solution

The primary was rebooted, and it became the secondary. The issue was still observed on the new primary FortiGate.

Run the following commands on the new primary FortiGate, issuing the checksum recalculation 3 times:

execute ha synchronize stop
execute ha synchronize start
diag sys ha checksum recalculate

For more information on Fabric-upgrades, refer to Upgrading all devices.

To sync HA manually, refer to Technical Tip: Procedure for HA manual synchronization.