zack
New Member
May 20, 2011
Question

ha sync errors

Getting this HA error:

Message meets Alert condition date=2011-05-20 time=01:13:34 devname=Colo_FW_HA_2 device_id=FG300Axxxxxxxxxx log_id=0105037903 type=event subtype=ha pri=information vd="root" msg="The sync status with the master" sync_type=external-files sync_status=out-of-sync

I have tried the command:

execute ha synchronize all

But that did not seem to fix it. Any other ideas? Fortinet said I need to dis-join the slave and rejoin it to the HA pair. These firewalls are in a co-location that is very far away so I would prefer not to have to travel to do this. Thanks

    7 replies

    rwpatterson
    New Member
    May 20, 2011
    It can be done remotely, as long as you put a valid routable IP address on the connected port when you break the slave out. You remote into the slave via that interface, and join it back into the stack.
    zack (Author)
    New Member
    May 20, 2011
    Don't think I did that. When I joined it to the stack I just added it in right from an out of the box config. I also have the WAN connection as port 1 which I believe is the default LAN connection in an out of the box config. So I would lose connectivity, it sounds like, if I did this remotely. I do have a server there that has a console cable connection to each firewall in the stack. So I'm not completely without access. I was actually hopeful there was another way via the CLI to force these damn things to sync whatever is different.
    rwpatterson
    New Member
    May 20, 2011
    When you disjoin a unit, you are asked to supply an IP address and an Interface to put it on. After it's been removed, all interface settings (except the one) and routes are removed, but the rest of the config stays in place. So this being the only interface with an IP, you can get to it. I've done it several times.
    Don't think I did that. When I joined it to the stack I just added it in right from an out of the box config.
    NOTE: Were they running the same version of code when you linked them together?
    bmann
    New Member
    May 20, 2011
    I have the same error. At MR2 patch2. Running for a few months, no changes, and this error appears cca once a day. I thought that it is some error after update before the files are synced.
    billp
    New Member
    May 20, 2011
    I'm also getting this on my HA pair with 4.2.5. Just started with the upgrade to 4.2.x. Happens once a day around lunch time.
    zack (Author)
    New Member
    May 23, 2011
    What is really strange in your case billp is you're running an active-active cluster. If something was actually out of sync you would be seeing some issues I would expect, as I would think that the firewalls could be handling traffic differently. Has anyone found a solution other than blowing up the cluster and recreating it?
    billp
    New Member
    May 23, 2011
    Message meets Alert condition date=2011-05-20 time=12:29:05 devname=FG10CHxxxxxxx device_id=FG10CHxxxxxxx log_id=0105037903 type=event subtype=ha pri=information vd="root" msg="The sync status with the master" sync_type=external-files sync_status=out-of-sync

    FWIW, my error message above. It arrives at almost the same time every day, although interestingly it didn't arrive today. I'm in a "freeze" zone now for maintenance, so won't make any changes until first week of June, at which point I'll replace the cluster with a single Fortigate 200B. As far as I can tell, firewall service has not been impacted by this error message.

    My problem could be that I'm using 4.2.5 instead of 4.2.6, but since Zack also has the problem with 4.2.6, that doesn't seem likely.
    rwpatterson
    New Member
    May 24, 2011
    Is an update coming down at that time?
    billp
    New Member
    May 24, 2011
    Bob, Not sure. I have the Fortiguard update set for every 4 hours. So, it's possible it's updating, but that would not be the only time it would update.
    connect555
    New Member
    May 25, 2011
    A very interesting thread... We have also a 110C A-A Cluster which have the same error. It happens 0 to 3 times per day, mostly at night, when there are <100 Sessions active. Has anyone tried to switch master and slave? (higher/lower priority) Last time we tried this, we got a new error: The cluster reboots itself, every time the error appears. :(
    TopJimmy
    New Member
    May 26, 2011
    I've gotten this since upgrading to 4.2.x (not sure which build but at least the last 4) and I've narrowed it down to the AV/IPS update schedule. As a test, try changing your schedule to a different time and see if you get that notification at that new time. Mine did on every unit that exhibited the problem.
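
Added example, not part of any post in this thread: a Python sketch of the correlation test described above, pairing each out-of-sync HA alert with an AV/IPS update that started shortly before it. The log lines and update times are constructed, and the 10-minute window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one FortiGate event line into a dict of its key=value fields."""
    return {k: (q or b).strip() for k, q, b in FIELD_RE.findall(line)}

def out_of_sync_alerts(lines):
    """(timestamp, devname, sync_type) for each HA out-of-sync event."""
    hits = []
    for line in lines:
        f = parse_event(line)
        if f.get("subtype") == "ha" and f.get("sync_status") == "out-of-sync":
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
            hits.append((ts, f.get("devname", "?"), f.get("sync_type", "?")))
    return hits

def correlate(alerts, update_times, window=timedelta(minutes=10)):
    """Attach to each alert the latest update that began within `window` before it."""
    out = []
    for ts, dev, sync_type in alerts:
        prior = [u for u in update_times if timedelta(0) <= ts - u <= window]
        out.append((ts, dev, sync_type, max(prior) if prior else None))
    return out

# Constructed sample data, modelled on the alert format quoted in this thread.
HA = "devname=FW_A type=event subtype=ha pri=information vd=\" root\" "
SAMPLE_LOG = [
    "date=2011-05-20 time=12:29:05 " + HA + "sync_type=external-files sync_status=out-of-sync",
    "date=2011-05-21 time=12:31:40 " + HA + "sync_type=external-files sync_status=out-of-sync",
    "date=2011-05-21 time=18:02:11 " + HA + "sync_type=external-files sync_status=in-sync",
    "date=2011-05-22 time=02:15:00 " + HA + "sync_type=external-files sync_status=out-of-sync",
    'date=2011-05-22 time=03:00:00 devname=FW_A type=event subtype=system msg="not an HA event"',
]
# Assumption: start times of AV/IPS updates, taken from the unit's update history.
UPDATE_TIMES = [datetime(2011, 5, d, 12, 27) for d in (20, 21, 22)]

if __name__ == "__main__":
    for ts, dev, kind, upd in correlate(out_of_sync_alerts(SAMPLE_LOG), UPDATE_TIMES):
        verdict = f"follows update at {upd:%H:%M}" if upd else "no update nearby"
        print(f"{ts} {dev} {kind}: {verdict}")
```

Rerun it after moving the update schedule: alerts that move with the schedule point to the update as the trigger, while unmatched alerts deserve a closer look.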
    zack (Author)
    New Member
    November 14, 2011
    I had suspected AV/IPS definition updates were causing the error. Mine are set to update hourly though and I really don't want to change to a more infrequent update schedule. As an FYI I did what Fortinet recommended by breaking and recreating the firewall cluster. No change or improvement as I still get the error daily. I got it after upgrading to 4.2.6 and still get it with 4.2.9. Kind of annoying. Since I had suspected this was an error generated by AV/IPS updates AND those updates always appear to be in sync when I check - I have taken to ignoring the error. I wish they would fix it though... Based on the amount of equipment in your signature TopJimmy I place weight on your thoughts as confirming my opinion. Thanks for the info.
    TopJimmy
    New Member
    November 14, 2011
    ORIGINAL: zack I had suspected AV/IPS definition updates were causing the error. Mine are set to update hourly though and I really don't want to change to a more infrequent update schedule. As an FYI I did what Fortinet recommended by breaking and recreating the firewall cluster. No change or improvement as I still get the error daily. I got it after upgrading to 4.2.6 and still get it with 4.2.9. Kind of annoying. Since I had suspected this was an error generated by AV/IPS updates AND those updates always appear to be in sync when I check - I have taken to ignoring the error. I wish they would fix it though... Based on the amount of equipment in your signature TopJimmy I place weight on your thoughts as confirming my opinion. Thanks for the info.
    What's worked for me was essentially what Bob posted above. Break the HA cluster, disconnect the slave completely. Wipe it and reload the same version firmware that the master has using the TFTP process (never had one of those fail but I don't have any 320's). When that is done, I boot it into the OS, and plug an ethernet cable from my PC (laptop) into the internal interface (depends on unit), make sure HTTPS for web management is on via the console and then I upload the current config from the master (after editing the system name and HA priority). Then reboot it again (watching from console cable) and check to see if it comes back up without any errors. If it looks good, I power it down, re-cable it back into the cluster (mine is full mesh) and power it back on. It will join the cluster and sync. This process works for me every time. I've only had to do a few times in 5 years due to the sync process failing and not correcting itself but I've had to do a few other times for adding new slaves into the cluster or replacing bad hardware. I've got it down where the whole process, if I have my ducks in a row, is done in less than 15 minutes. This assumes you have physical access to the cluster. I've had to travel to do this once or twice but I do it because I want to assure it's done right.