FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
tnesh
Staff & Editor
Article Id 302613
Description

 

This article describes how to troubleshoot FortiAnalyzer HA failover issues in Google Cloud Platform (GCP).

 

Scope

 

FortiAnalyzer-VM for GCP.

 

Solution

 

  1. Enable shell access for all FortiAnalyzer HA instances:

FAZ # config system admin settings

(setting)# set shell-access enable
Enter new password:
Confirm new password:

(setting)# end

 

Note:

Ensure the shell password is not lost, as the password cannot be reset/recovered.

From FortiManager/FortiAnalyzer version 7.6.0 onwards, shell access has been removed and cannot be enabled.

Shell access is also not available from v7.2.6 onwards or v7.4.4 onwards.

 

  2. Enter shell mode in the FortiAnalyzer HA instance and view the FortiAnalyzer HA debug log:

FAZ # exe shell

Enter password:
bash$ vi /drive0/private/clusterd/faz-ha.log

 

  3. To perform live debug:
  • Run the following command in shell mode on all FortiAnalyzer VMs:

bash$ tail -f /drive0/private/clusterd/faz-ha.log

 

  • Perform an HA failover:

FAZ # diagnose ha failover

 

  • Check the faz-ha.log output for error messages:

 

      1. Sample error: tls: failed to verify certificate: x509: …

 


 

  • This error is due to the Google root CA certificate.
  • Verify that the Google root CA certificate has been imported on all FortiAnalyzer VMs -> CA Certificates.

 

      2. Sample error: ... googleapi: Error 403: Request had insufficient authentication scopes.

 


 

  • This error is due to the GCP Virtual Machine's Compute Engine access.
  • Verify that GCP Virtual Machine -> Cloud API -> Compute Engine has Read Write access.
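
The two sample errors above can be triaged in one pass over a copy of faz-ha.log. The script below is an added example, not Fortinet code: the function names and the sample log lines are constructed, only the error substrings come from this article, and it assumes a POSIX shell with grep (for example, a workstation holding a copy of the log).

```shell
#!/bin/sh
# Added example (not Fortinet code): triage a copy of faz-ha.log for the two
# failover errors named in this article. Only the error substrings come from
# the article; the timestamps and line layout below are constructed.

# write_sample_log PATH: write a constructed sample log for demonstration.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01T00:00:01Z clusterd: failover requested
2024-01-01T00:00:02Z clusterd: tls: failed to verify certificate: x509: <detail elided>
2024-01-01T00:00:03Z clusterd: tls: failed to verify certificate: x509: <detail elided>
2024-01-01T00:00:04Z clusterd: googleapi: Error 403: Request had insufficient authentication scopes.
EOF
}

# classify_ha_log PATH: print one finding per known error signature,
# with the hit count and the check the article recommends.
classify_ha_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    cert=$(grep -c -F 'tls: failed to verify certificate: x509:' "$log" || true)
    scope=$(grep -c -F 'googleapi: Error 403: Request had insufficient authentication scopes' "$log" || true)
    if [ "$cert" -gt 0 ]; then
        echo "CERT $cert: check that the Google root CA certificate is imported under CA Certificates on every FortiAnalyzer VM"
    fi
    if [ "$scope" -gt 0 ]; then
        echo "SCOPE $scope: check that the GCP VM has Read Write access to Compute Engine under Cloud API"
    fi
    if [ "$cert" -eq 0 ] && [ "$scope" -eq 0 ]; then
        echo "NONE: no known failover error signature found"
    fi
    return 0
}

# Demonstration on the constructed sample; pass a real log copy as $1 instead.
if [ -n "${1:-}" ]; then
    classify_ha_log "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    classify_ha_log "$sample"
    rm -f "$sample"
fi
```

Run it against the log from each HA member, since the certificate and API access checks apply to every FortiAnalyzer VM.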

 

Troubleshooting commands:

 

diagnose ha status
diagnose ha stats
diagnose test app cluster 1
diagnose test app cluster 3 conn
diagnose test app cluster 3 log
diagnose test app cluster 97 status

 

execute shell

 

cat /etc/keepalived/keepalived.cfg
cat /drive0/private/clusterd/faz-ha.log
cat /drive0/private/clusterd/keepalived.log

 

diagnose sniff packet portX "vrrp" 3

 

Related articles:

Technical Tip: How to configure FortiAnalyzer HA instance in Google Cloud Platform (GCP)

Technical Tip: FortiAnalyzer HA Configuration and Troubleshooting