Created on 03-04-2024 12:52 AM
Edited on 09-11-2024 03:37 AM
By Jean-Philippe_P
Description
This article provides details on how to troubleshoot the FortiAnalyzer HA failover issue in the Google Cloud Platform (GCP).
Scope
FortiAnalyzer-VM for GCP.
Solution
- Enable shell access for all FortiAnalyzer HA instances:
FAZ # config system admin settings
(setting)# set shell-access enable
Enter new password:
Confirm new password:
(setting)# end
Note:
Ensure the shell password is not lost, as it cannot be reset or recovered.
- Enter shell mode in the FortiAnalyzer HA instance and view the FortiAnalyzer HA debug log:
FAZ # exe shell
Enter password:
bash$ vi /drive0/private/clusterd/faz-ha.log
- To perform a live debug:
  - Run the command below in shell mode on all the FortiAnalyzer VMs:
    bash$ tail -f /drive0/private/clusterd/faz-ha.log
  - Proceed to perform the HA failover:
    FAZ # diag ha failover
  - Check the faz-ha.log output for the error message:
    - Sample error: … tls: failed to verify certificate: x509: …
      Cause: the Google root CA certificate is missing.
      Check: verify that the Google root CA certificate has been imported on all FortiAnalyzer VMs under CA Certificates.
    - Sample error: ... googleapi: Error 403: Request had insufficient authentication scopes.
      Cause: insufficient Compute Engine access for the GCP Virtual Machine.
      Check: verify that GCP Virtual Machine -> Cloud API -> Compute Engine is set to Read Write access.
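As an added example (not part of this article or Fortinet's tooling), a small POSIX shell function that scans faz-ha.log after a failover for the two error signatures above and prints the check each one points to. It assumes the log path used in this article; the SAMPLE_* lines are constructed, not real FortiAnalyzer output.

```shell
#!/bin/sh
# Added example, not Fortinet's tooling: scan faz-ha.log after a
# "diag ha failover" for the two error signatures covered above and
# print the check each one calls for.
# Assumptions: the log path is the one used in this article; the
# SAMPLE_* lines are constructed, not real FortiAnalyzer output.

FAZ_HA_LOG=/drive0/private/clusterd/faz-ha.log

# Constructed sample lines in the shape of the two errors described above.
SAMPLE_CERT_ERR='... tls: failed to verify certificate: x509: certificate signed by unknown authority'
SAMPLE_SCOPE_ERR='... googleapi: Error 403: Request had insufficient authentication scopes.'

# triage_faz_ha_log <logfile>
# Prints one line per signature found. Return status is a bitmask:
# 0 = no known signature, 1 = certificate problem, 2 = scope problem,
# 3 = both, so a caller can act on the status as well as the text.
triage_faz_ha_log() {
    log="$1"
    rc=0
    if grep -q 'tls: failed to verify certificate: x509' "$log"; then
        echo "CERT: x509 verification failed - confirm the Google root CA certificate is imported under CA Certificates on every FortiAnalyzer VM"
        rc=$((rc + 1))
    fi
    if grep -q 'googleapi: Error 403: Request had insufficient authentication scopes' "$log"; then
        echo "SCOPE: 403 insufficient authentication scopes - confirm the VM's Cloud API access for Compute Engine is Read Write"
        rc=$((rc + 2))
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no known failover error signature found"
    fi
    return "$rc"
}

# Stand-alone run: triage the live log if present, otherwise the samples.
# The status is informational here, so it is not allowed to abort the script.
if [ -r "$FAZ_HA_LOG" ]; then
    triage_faz_ha_log "$FAZ_HA_LOG" || :
else
    demo=$(mktemp)
    printf '%s\n' "$SAMPLE_CERT_ERR" "$SAMPLE_SCOPE_ERR" > "$demo"
    triage_faz_ha_log "$demo" || :
    rm -f "$demo"
fi
```

Run it in the FortiAnalyzer shell after the failover, or pass a copied faz-ha.log as the argument to triage_faz_ha_log on any POSIX host.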
Troubleshooting commands:
diag ha status
diag ha stats
diag test app cluster 1
diag test app cluster 3 conn
diag test app cluster 3 log
diag test app cluster 97 status
execute shell
cat /etc/keepalived/keepalived.cfg
cat /drive0/private/clusterd/faz-ha.log
cat /drive0/private/clusterd/keepalived.log
diag sniff packet portX "vrrp" 3
Related articles:
Technical Tip: How to configure FortiAnalyzer HA instance in Google Cloud Platform (GCP)
Technical Tip: FortiAnalyzer HA Configuration and Troubleshooting