Technical Tip: Correcting an out-of-sync HA cluster by modifying the primary unit configuration file and restoring it to the secondary unit

This article describes how to correct an out-of-sync HA cluster by modifying the primary unit configuration file and restoring it to the secondary unit.

• The HA cluster is out of sync which was confirmed by running the 'diag sys ha checksum cluster' command.

• Troubleshooting a checksum mismatch in a FortiGate HA cluster did not work.

Related article:

Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster

• Drilling down in the CLI using the ' diag sys ha checksum show <vdom> <config parameter>'command on both HA cluster members, the cluster still shows many configuration items out of sync.

FortiGate

 Instead of trying to correct each configuration item that is out of sync individually which could be very time-consuming depending on the number of items out of sync,  do the following:

1. Download a copy of the primary unit configuration file by selecting the admin user name in the top right corner of the GUI, selecting 'Configuration' and then selecting 'Backup'.
2. Open the saved file in a text editor such as Notepad++.
3. Change the hostname of the device to that of the secondary device hostname which can be found at the top of the configuration file by searching for the following commands.

config system global

    set hostname <hostname>  <----- Hostname will be shown here.

end

4. Change the HA priority to a lower value than what is currently showing in the primary unit configuration file. The HA 'priority' setting can be found in the configuration file by searching for the following commands.

config system ha

    set priority <priority value>  <----- The HA priority value will be shown here.

end

5. Save the modified configuration file with a different file name so as to not confuse the original file and the modified file.
6. The above process is for an HA cluster that does not have the HA management interface feature enabled. If the HA management interface feature is enabled, ensure that the IP address of the HA management interface is changed as well as the address that is used for the secondary cluster member. 

This can be done by first verifying the interface being used for HA management by searching for the following commands in the configuration file.

config system ha

config ha-mgmt-interface

    set interface <interface name> <----- The interface name will be shown here.

end

Once the ha management interface is known, it is then possible to change the IP by searching for the following commands in the configuration file.

config system interface

    edit <ha management interface name>

        set ip x.x.x.x  <----- IP address and subnet will be shown here.

    end

7. Once all changes have been made and the modified configuration file saved, it will be necessary to access the second device via the GUI.

This can be done by connecting a laptop to one of the interfaces ensuring that the laptop is on the same subnet as the interface wanted to connect to.

Once the laptop is on the same subnet, it is possible to access the GUI using the ip address of the interface connected to it.

8. Once GUI access has been attained, it is then possible to restore the modified configuration file by selecting the admin user name in the top right corner of the GUI and selecting 'Configuration' and then selecting 'Restore'.
9. After the secondary device has been rebooted, it will have the identical configuration file as the primary cluster member and the cluster should then be able to successfully synchronize.

Note:

If the HA Pair is still out of sync after restoring the identical configuration file to the secondary device, it is possible to resolve the issue by running the following commands (run on both units):

diagnose sys ha checksum recalculate

Or, more specific:

diagnose sys ha checksum recalculate [<your_vdom_name> | global]