FortiGate
Matt_L (Staff)
Article Id 241714
Description

This article describes how to correct an out-of-sync HA cluster by modifying the primary unit configuration file and restoring it to the secondary unit.

 

The HA cluster is out of sync, as confirmed by running 'diagnose sys ha checksum cluster'.

 

The steps in the related article, Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster, did not resolve the mismatch.

 

Related article:

Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster

 

Drilling down in the CLI with 'diagnose sys ha checksum show <vdom> <config parameter>' on both HA cluster members still shows many configuration items out of sync.

Scope

FortiGate.

Solution

Instead of correcting each out-of-sync item individually, which can be very time-consuming when many items differ, do the following:

 

  1. Download a copy of the primary unit configuration file: select the admin user name in the top right corner of the GUI, select 'Configuration', then 'Backup'.
  2. Open the saved file in a text editor such as Notepad++.
  3. Change the hostname to the secondary device's hostname. The setting is near the top of the configuration file; search for the following lines.

 

config system global

    set hostname <hostname>  <----- Hostname will be shown here.

end

 

  4. Change the HA priority to a value lower than the one in the primary unit's configuration file (the member with the higher priority is preferred as primary). The 'priority' setting can be found by searching for the following lines.

 

config system ha

    set priority <priority value>  <----- The HA priority value will be shown here.

end

 

  5. Save the modified configuration file under a different file name so the original and the modified file are not confused.
  6. The steps above apply to a cluster without the HA management interface feature. If the feature is enabled, also change the IP address of the HA management interface to the address used by the secondary cluster member (this address is per device and is not synchronized).

First identify the interface used for HA management by searching for the following lines in the configuration file.

 

config system ha

    config ha-mgmt-interface

        set interface <interface name> <----- The interface name will be shown here.
    end

end

 

Once the HA management interface name is known, change its IP address by searching for the following lines in the configuration file.

 

config system interface

    edit <ha management interface name>

        set ip x.x.x.x y.y.y.y  <----- IP address and subnet mask will be shown here.

    next

end
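The file edits in steps 3 to 6 can be scripted rather than done by hand in the editor. The following is an added example and not code from the article or from Fortinet: it rewrites the hostname, the HA priority and, when an HA management interface is configured, that interface's address in a FortiGate text backup. The backup text, hostnames and addresses in it are constructed, and the `config ha-mgmt-interfaces` / `edit 1` layout it parses is an assumption; the script also refuses a priority that is not lower than the primary's.

```python
"""Derive the secondary unit's configuration file from a backup of the primary.

Added example, not from the Fortinet article: it applies steps 3 to 6 above to a
FortiGate text backup (hostname, HA priority and, when the HA management interface
feature is in use, that interface's IP). The backup text, names and addresses here
are constructed; the `config ha-mgmt-interfaces` / `edit 1` layout is an assumption.
"""
import re

# Constructed, heavily trimmed backup containing only the blocks the procedure touches.
PRIMARY_BACKUP = """\
config system global
    set hostname "FGT-A"
end
config system ha
    set hbdev "ha1" 50 "ha2" 50
    set priority 200
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
        next
    end
end
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
    next
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
    next
end
"""


def _block_span(lines, header):
    """(start, end) indexes of the top-level `header` ... `end` block. config/end
    nesting is tracked so a nested block cannot close the outer one early."""
    depth, start = 0, None
    for i, line in enumerate(lines):
        s = line.strip()
        if start is None and depth == 0 and s == header:
            start = i
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            depth -= 1
            if start is not None and depth == 0:
                return start, i
    raise ValueError(f"block {header!r} not found or unterminated")


def _replace_set(lines, start, end, key, value, entry=None):
    """Rewrite the first `set <key> ...` line in the span, limited to the
    `edit <entry>` item when entry is given. Keeps indentation; True on success."""
    active = entry is None
    for i in range(start, end + 1):
        s = lines[i].strip()
        if entry is not None:
            if s in (f'edit "{entry}"', f"edit {entry}"):
                active = True
            elif s == "next":
                active = False
        if active and s.startswith(f"set {key} "):
            indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
            lines[i] = f"{indent}set {key} {value}"
            return True
    return False


def ha_setting(lines, pattern):
    """First capture group of `pattern` on a line inside config system ha, else None."""
    start, end = _block_span(lines, "config system ha")
    for line in lines[start:end + 1]:
        m = re.match(pattern, line.strip())
        if m:
            return m.group(1)
    return None


def build_secondary_config(backup, hostname, priority, mgmt_ip=None):
    """Text of the modified backup to restore on the secondary. mgmt_ip is
    '<address> <netmask>' as FortiOS writes it; required only with HA management."""
    lines = backup.splitlines()
    # FortiOS leaves default values out of a backup, and the default priority is 128.
    current = int(ha_setting(lines, r"set priority (\d+)$") or 128)
    if priority >= current:
        raise ValueError(f"secondary priority {priority} must be below the primary's {current}")
    g0, g1 = _block_span(lines, "config system global")
    if not _replace_set(lines, g0, g1, "hostname", f'"{hostname}"'):
        raise ValueError("no hostname line in config system global")
    h0, h1 = _block_span(lines, "config system ha")
    if not _replace_set(lines, h0, h1, "priority", str(priority)):
        lines.insert(h1, f"    set priority {priority}")  # line absent: primary uses 128
    iface = ha_setting(lines, r'set interface "?([^"\s]+)"?$')
    if iface is not None:
        if mgmt_ip is None:
            raise ValueError(f"HA management interface {iface!r} is enabled; mgmt_ip is required")
        i0, i1 = _block_span(lines, "config system interface")
        if not _replace_set(lines, i0, i1, "ip", mgmt_ip, entry=iface):
            raise ValueError(f"no 'set ip' line for interface {iface!r}")
    return "\n".join(lines) + "\n"
```

Call `build_secondary_config(open("primary.conf").read(), "FGT-B", 100, "192.0.2.11 255.255.255.0")` with the real backup and write the result under a different file name (step 5); that file is the one restored on the secondary in step 9. Because FortiOS omits default values from a backup, a missing 'set priority' line means the primary runs the default of 128, and the script inserts the line in that case rather than silently leaving both units at the same priority.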

 

  7. Physically isolate the secondary device from the cluster by first disconnecting any data/network-facing cables, and only then disconnecting the HA heartbeat cables. For further reference, see the article Technical Tip: Precautions to take while breaking the HA and adding the device again.
  8. Access the secondary device's GUI from a directly connected laptop, or via the HA reserved management interface if one is configured (see Technical Tip: HA Reserved Management Interface). Connect the laptop to the relevant interface and give it an address on the same subnet as that FortiGate interface.
  9. Once GUI access is available, restore the modified configuration file: select the admin user name in the top right corner of the GUI, select 'Configuration', then 'Restore'.

Note: 

Restoring a global configuration backup reboots the device and any connected cluster members. If the secondary device was not correctly isolated from the cluster as described in step 7, the primary will reboot as well. See the article Technical Tip: How to restore a configuration backup on a FortiGate HA cluster.

After the secondary device has been rebooted, it will have the identical configuration file as the primary cluster member, plus any manual modifications.

Note:

If the restore reports an error in the imported configuration file, run the following command to list the configuration lines that failed to load:

 

diagnose debug config-error-log read

 

Verify the secondary's configuration, then reconnect only the HA heartbeat cables. Wait about two minutes and verify that the configuration has synchronized.

Only once the configuration is in sync, reconnect the secondary's data/network-facing cables.
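Verifying synchronization means comparing the 16-byte checksums that 'diagnose sys ha checksum cluster' prints for every member. The following added example, which is not part of the article or Fortinet's code, parses that output and names the checksum zones (global, each VDOM, all) that are not identical on all members. The sample output, serial numbers and checksum values are constructed, and the banner and section layout it expects is an assumption to confirm against the output of your own FortiOS version.

```python
"""Find which VDOMs differ from the output of `diagnose sys ha checksum cluster`.

Added example, not from the Fortinet article: paste the command's output (run on
the primary it reports every member) and the functions below name the checksum
zones (global, each VDOM, all) that are not identical on all members. The serials
and checksum values are constructed; the banner/section layout is the one the
command prints in recent FortiOS releases, an assumption to confirm on your version.
"""
import re

# Constructed sample: two members, equal 'global' but different 'root' (and so 'all').
SAMPLE_OUTPUT = """\
================== FGT60FTK20012345 ==================
is_manage_primary()=1, is_root_primary()=1
debugzone
global: 9f 9e 2a 29 7a 0f 82 d4 d4 5b b1 e5 dd 4e a9 ab
root: 3c 17 c5 37 ac 3f 45 c1 9d 39 e4 c4 fe 23 ff 4c
all: 35 c2 ff c5 96 ad 8b 4f d0 a5 f6 6e 0f 7a d6 7e

checksum
global: 9f 9e 2a 29 7a 0f 82 d4 d4 5b b1 e5 dd 4e a9 ab
root: 3c 17 c5 37 ac 3f 45 c1 9d 39 e4 c4 fe 23 ff 4c
all: 35 c2 ff c5 96 ad 8b 4f d0 a5 f6 6e 0f 7a d6 7e

================== FGT60FTK20054321 ==================
is_manage_primary()=0, is_root_primary()=0
debugzone
global: 9f 9e 2a 29 7a 0f 82 d4 d4 5b b1 e5 dd 4e a9 ab
root: 71 0d 4e 8a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6
all: 12 34 56 78 9a bc de f0 11 22 33 44 55 66 77 88

checksum
global: 9f 9e 2a 29 7a 0f 82 d4 d4 5b b1 e5 dd 4e a9 ab
root: 71 0d 4e 8a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6
all: 12 34 56 78 9a bc de f0 11 22 33 44 55 66 77 88
"""

BANNER = re.compile(r"^=+\s*(\S+)\s*=+$")          # "===== <serial> ====="
ZONE = re.compile(r"^(\S+):\s*((?:[0-9a-f]{2}\s*)+)$")  # "<zone>: <hex bytes>"


def parse_cluster_checksums(text):
    """Map serial -> {zone: hex checksum}, taken from each member's 'checksum'
    section; lines under 'debugzone' are skipped."""
    members, serial, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            serial, section = m.group(1), None
            members[serial] = {}
            continue
        if line in ("debugzone", "checksum"):
            section = line
            continue
        z = ZONE.match(line)
        if z and serial is not None and section == "checksum":
            members[serial][z.group(1)] = z.group(2).replace(" ", "")
    return members


def mismatched_zones(members):
    """Zones whose checksum is missing on, or differs between, cluster members."""
    zones = set()
    for checksums in members.values():
        zones.update(checksums)
    return sorted(z for z in zones
                  if len({c.get(z) for c in members.values()}) > 1)


def report(text):
    """One-line verdict for pasted output; the zones it names are the ones to
    drill into with 'diagnose sys ha checksum show <vdom>' on each member."""
    members = parse_cluster_checksums(text)
    if len(members) < 2:
        return "only one member reported; check the heartbeat links first"
    bad = mismatched_zones(members)
    if not bad:
        return "in sync across " + ", ".join(sorted(members))
    return "out of sync in " + ", ".join(bad)
```

Capture the command output from the primary into a file and call `report(open("cluster.txt").read())`. A result naming only one VDOM tells you which 'diagnose sys ha checksum show <vdom>' comparison to run next, while a single reported member means the secondary is not yet talking over the heartbeat links and the two-minute wait has not done its work.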

 

Note:

If the HA Pair is still out of sync after restoring the identical configuration file to the secondary device, recalculate the checksum manually on both devices:

 

diagnose sys ha checksum recalculate

diagnose sys ha checksum test

 

Or, more specifically:

 

diagnose sys ha checksum recalculate [<vdom_name> | global]

 

Note: Use the keyword 'sys' after diagnose. The keyword 'system' is invalid and will result in an error in the CLI command.

 

If the configuration is still not in sync after following the steps above:

Complete any steps from Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster not yet performed, take a configuration backup of each device, and open a ticket with Fortinet Support under an existing support contract.