Hsharma
Article Id 312227
Description This article explains why two FortiGate HA members show an out-of-sync status because of a difference in the interface speed setting (the default 'speed auto'), and how to resolve it.
Scope FortiGate.
Solution

The firewalls are out of sync because the checksum of the system.interface object differs between the two units:

diagnose sys ha checksum show global    <----- Checksums are different.
FG1 # system.interface: 5n6nd4na500787a76a4f4fcedfasg4dgh3h2
FG2 # system.interface: 6dhjh3hw364ee4e44ad76ca0e32a676df4ft

The interface configuration differs between the units because of the default 'speed auto' setting.

show sys int port1    <----- In the show output, the 'set speed' command is visible.
    edit "port1"
        set vdom "global"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "XYZ"
        set device-identification enable
        set role lan
        set speed auto
    next

'speed auto' is the default value, so it should not be displayed in the show output at all. On the other unit it is, as expected, not displayed.

 

Interface setting on the second device:

show sys int port1    <----- In the show output, the 'set speed' command is not visible.
    edit "port1"
        set vdom "global"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "XYZ"
        set device-identification enable
        set role lan
    next

Because of this configuration difference, the system.interface object is not identical on the two units, so its checksum differs and the cluster reports a sync issue.

The solution for this issue is as follows:

  • Go to the device where the default speed setting is not shown.
  • Enter the interface configuration and set the speed to any other value, for example 'set speed 1000full'.
  • Save the setting by leaving the interface configuration ('next').
  • Go back into the interface, set the speed back to auto ('set speed auto'), and save the configuration again.
  • The default 'speed auto' should now be shown in the interface settings on both devices.
  • Recalculate the checksum on both the primary and secondary devices with the following command:

     diag sys ha checksum recalculate

After recalculating the checksum, the issue should be resolved and both devices will be in synchronization again.

If the issue is still not resolved, check the configuration of any other objects whose checksums differ between the units.

Refer to the following article for how to compare the checksums:

Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster
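When a cluster has more than one mismatched object, it helps to compare the full 'diagnose sys ha checksum show global' output of both members mechanically instead of by eye. The script below is an added example and is not part of this article or of Fortinet's own tooling. It assumes the output is captured from each member as plain text (for example by copying the CLI session), that every per-object line has the form 'object.name: checksum', and that checksums may appear either as one hex string or as space-separated hex bytes; lines that do not match that form are ignored. The two sample captures are constructed, and their checksum values are invented for illustration.

```python
"""Compare 'diagnose sys ha checksum show global' output from two HA members.

Added example (not from the Fortinet article). Given the captured output of
both cluster members, it reports every object whose checksum differs or that
is present on only one member, so the administrator knows which configuration
objects to inspect next.
"""
import re
from typing import Dict, List, Tuple

# Matches 'object.name: checksum'. The checksum may contain spaces (hex bytes).
LINE_RE = re.compile(r"^\s*([\w.-]+):\s*(\S.*?)\s*$")

# Constructed sample captures (hypothetical values). Only system.interface
# differs, which also changes the aggregated 'global' checksum.
FG1_CHECKSUMS = """\
is_manage_master()=1, is_root_master()=1
global: 2b 7c 91 0e 55 a3 d4 f6 18 c0 9a 3e 77 b1 42 5d
system.global: 8f3a2c1e9b7d6a5c4e3f2a1b0c9d8e7f
system.interface: 5e6ad4ea500787a76a4f4fcedfa5c4d1
system.admin: 1a2b3c4d5e6f708192a3b4c5d6e7f801
firewall.policy: 0011223344556677889900aabbccddee
"""

FG2_CHECKSUMS = """\
is_manage_master()=0, is_root_master()=0
global: 9d 10 4f 6a c2 e8 03 b7 5e 21 d9 8c 46 f0 1b 7a
system.global: 8f3a2c1e9b7d6a5c4e3f2a1b0c9d8e7f
system.interface: 6d4b3c2a364ee4e44ad76ca0e32a676d
system.admin: 1a2b3c4d5e6f708192a3b4c5d6e7f801
firewall.policy: 0011223344556677889900aabbccddee
"""


def parse_checksums(output: str) -> Dict[str, str]:
    """Return {object_name: normalized_checksum} for every matching line.

    Whitespace inside the checksum is removed and the value lower-cased so
    that '2b 7c' and '2B7C' compare equal.
    """
    checksums: Dict[str, str] = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if match:
            name, value = match.group(1), match.group(2)
            checksums[name] = "".join(value.split()).lower()
    return checksums


def mismatched_objects(primary: str, secondary: str) -> List[Tuple[str, str, str]]:
    """Return (name, primary_checksum, secondary_checksum) for each object
    whose checksum differs, or which exists on only one member ('<missing>').
    """
    a, b = parse_checksums(primary), parse_checksums(secondary)
    diffs: List[Tuple[str, str, str]] = []
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            diffs.append((name, a.get(name, "<missing>"), b.get(name, "<missing>")))
    return diffs


if __name__ == "__main__":
    for name, fg1, fg2 in mismatched_objects(FG1_CHECKSUMS, FG2_CHECKSUMS):
        print(f"{name}: FG1={fg1} FG2={fg2}")
```

Run the script as-is to see the report for the constructed captures; with real captures, replace the two sample strings with the text copied from each member. Objects listed with '<missing>' on one side deserve attention first, since an object that exists on only one member usually points at a configuration entry that was never synchronized.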
