Troubleshooting Tip: Troubleshooting intermittent HA synchronization issue using Tera Term general script

Description

This article describes how to use Tera Term scripting to troubleshoot intermittent HA synchronization issues in an out-of-sync cluster.

Scope

FortiGate.

Solution

The following script is designed to gather relevant debug information related to HA out-of-sync issues. 

Issues may be encountered where the intermittent HA gets out-of-sync, and verification of checksum values on FortiGates within the cluster to detect potential configuration mismatches. A script can be used to capture logs automatically. This will help ensure that all necessary data is collected in advance before opening a case with TAC.

This script runs simultaneously on both units of the FortiGate firewall cluster. Refer to Troubleshooting Tip: Preparing windows machine to run Teraterm scripts for instructions on how to use Tera Term.

HA Reserved Management interface can be configured to access the FortiGate individually. Refer to Technical Tip: HA Reserved Management Interface.

Note:

If the script logs out automatically, try increasing the login timeout duration using the following command:

config system global
    set admin-ssh-grace-time <number_of_seconds> <max 3600 seconds>

    set admintimeout <number_of_minutes< << max 480 minutes
end

Along with the HA TTL script below, the following logs can also be collected from both the firewalls manually while uploading the logs in the TAC ticket:

get sys status

get sys ha status
get system performance status

diagnose sys top 1 20 3
diagnose sys ha history read
diagnose debug crashlog read

diagnose sys ha checksum
diagnose debug config-error-log read
diagnose sys ha mac
diagnose sys ha dump-by <device|group|kernel>