Staff & Editor

Technical Tip: High Availability status not in Sync - scripting files on HA diff

Forum|Forum|1 year ago
January 21, 2025
0 replies
845 views

Description

This article describes how to troubleshoot and fix High Availability not in Sync due to synchronization issues with scripting files.

Scope

FortiWeb v7.6.0, v7.4.5 and earlier.

Solution

FortiWeb with ADOM enabled creates a data sub folder in the file system for each of the ADOM names. This includes configuration, certificates, scripting files, etc.

There are instances where the administrator deletes the unrequired ADOM feature or disables the ADOM feature altogether and observes issues as follows.

Symptom:
Partial configuration won’t synchronize to a peer device.

FortiWeb # diagnose system ha sync-stat
Image SUCCESS
Config SUCCESS
System SUCCESS
CLI SUCCESS
Signature SUCCESS
GeoDB SUCCESS
AV SUCCESS
IpReputation SUCCESS
HarvestCredentials SUCCESS
CertificateBundle SUCCESS
Tsl-ca SUCCESS <----- HA status not in Sync even HA sync stats show as ‘SUCCESS’.

FortiWeb # diagnose system ha confd_status
HA information
Model=FortiWeb-3000F 7.2.10,build0409(GA),240802, Mode=active-passive Group=15

HA group member information: is_manage_master=1. cfg_state:Not sync
LocalSN: FV-3KFTE******** confd
member cnt: 2
msg_queue:0 file_queue:0 md5_rep_ignore:0 do_md5sum:1338
FV-3KFTE********: Primary
pending:0 update:0 time:0 sync:0 cfg_state:Not sync
SYS: 9489DB39B6ABD9A89490C60F15FB8857
CLI: 1AB4A832C9BC633EAB445A1707ABDE28
FV-3KFTE********: Secondary
pending:3685737 update:3685738 time:3606047 sync:4 cfg_state:Not sync
SYS: 27F3230B254190554C5E6D1D9A6ED926
CLI: 1AB4A832C9BC633EAB445A1707ABDE28 <-----Notice CLI checksum are matched but not System checksum.

Cause:
Scripting files in disabled/deleted ADOM exist in Primary but ADOM is missing in peer device.

Workaround:

Re-enable ADOM or create the same ADOM name.

Properly delete each ADOM or the problematic ADOM name.
Let HA synchronize its configuration(or run CLI 'execute ha synchronize all').
Once HA is in sync, disable the ADOM feature.

Reset problematic unit configuration:

Change the priority to let the current Secondary be the new primary(HA override has to be enabled): Technical Tip: How to trigger HA failover with Override enabled
Configuration factory reset on old Primary device:

FortiWeb # exe factoryreset
This operation will reset the system to factory default, and all data will lost!(y/n)

Set the basic HA settings in old Primary and let the old Primary join the HA again as Secondary(lower device priority): Configuring High Availability basic settings
HA is in Sync.

Solution:
Upgrade FortiWeb to v7.4.6, v7.6.1 or later. internally discovered bug fixed by removing all relevant config and files when ADOM is disabled or deleted.

HA synchronization debugging commands for further troubleshooting:

diagnose debug timestamp enable
diagnose debug application hasync 7
diagnose debug application hasync-base 7
execute ha md5sum
execute ha synchronize all
diagnose debug enable

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded