FortiGate
JNDias
Staff
Article Id 370831
Description

This article describes an error that occurs when upgrading a FortiGate 90G/91G/120G/121G high availability cluster from FortiOS v7.0.12 to v7.0.14, from v7.0.16 to v7.0.17, or to higher branches such as v7.2.x, v7.4.x, or v7.6.x.

GUI error: 'Image upgrade failed. The firmware image is not valid.'

CLI error:

This operation will replace the current firmware version!
Do you want to continue? (y/n)y

Verifying the signature of the firmware image.
Warning: Upgrading to an image with Mature maturity notation.

Checking new firmware integrity ... pass

Please wait for system to restart.
Wait for HA to be primary of all clusters....
Send image to HA secondary.

image checking on HA secondary fails, abort upgrade

Scope

FortiGate-90G and 91G, FortiGate-120G and 121G.

Solution

To determine which known issue applies, collect the following debug output while reproducing the issue and check whether the error shown below appears:

diag deb reset
diag deb console timestamp ena
diag debug cli 8
diag debug en

Perform the upgrade steps, wait until the error appears, and then stop the debug with:

diag deb disable

Wait for HA to be the primary of all clusters. Send the image to HA secondary.

[__master_receive_image_check_result:2790] HA member FG120GTxxxxxx fails image check. <---------

image checking on HA secondary fails, abort upgrade
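As an added example that is not part of the Fortinet article, the following Python script parses a captured debug trace and flags whether it shows the pattern above: the primary passes its own integrity check, the secondary fails the image check, and the upgrade is aborted. The embedded sample trace is constructed; its timestamps and the serial FG120GTxxxxxx are placeholders.

```python
import re
from typing import Optional

# Constructed sample of the 'diag debug cli 8' console trace described in the
# article; the serial number and timestamps are placeholders, not real values.
SAMPLE_DEBUG = """\
2025-01-15 10:02:11 Verifying the signature of the firmware image.
2025-01-15 10:02:12 Warning: Upgrading to an image with Mature maturity notation.
2025-01-15 10:02:15 Checking new firmware integrity ... pass
2025-01-15 10:02:15 Please wait for system to restart.
2025-01-15 10:02:16 Wait for HA to be primary of all clusters....
2025-01-15 10:02:16 Send image to HA secondary.
2025-01-15 10:02:40 [__master_receive_image_check_result:2790] HA member FG120GTxxxxxx fails image check. <---------
2025-01-15 10:02:40 image checking on HA secondary fails, abort upgrade
"""

# Line in which the primary reports the result of the secondary's image check.
CHECK_RESULT_RE = re.compile(
    r"\[__master_receive_image_check_result:\d+\]\s+HA member\s+(?P<serial>\S+)\s+fails image check"
)
ABORT_MARKER = "image checking on HA secondary fails, abort upgrade"
LOCAL_PASS_MARKER = "Checking new firmware integrity ... pass"


def triage_ha_upgrade(debug_output: str) -> dict:
    """Classify a captured HA upgrade trace.

    Returns the serial of the member that failed the image check (if any),
    whether the primary's own integrity check passed, and whether the trace
    matches this article's pattern: primary accepts, secondary rejects, abort.
    """
    failed_member: Optional[str] = None
    local_pass = False
    aborted = False
    for line in debug_output.splitlines():
        if LOCAL_PASS_MARKER in line:
            local_pass = True
        m = CHECK_RESULT_RE.search(line)
        if m:
            failed_member = m.group("serial")
        if ABORT_MARKER in line:
            aborted = True
    return {
        "failed_member": failed_member,
        "local_integrity_pass": local_pass,
        "aborted": aborted,
        "matches_known_issue": local_pass and aborted and failed_member is not None,
    }
```

Run it against the console capture taken with 'diag debug cli 8' to confirm the failure is on the secondary before applying either workaround.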

 

This is a known issue under investigation.

Workaround 1:

The first workaround is to set the security level of both FortiGate units to 0 via a console port connection. Start with the secondary FortiGate, then repeat the same process on the primary.

Refer to the document for more information: BIOS-level signature and file integrity checking during downgrade

Note: Starting with v7.0.16/v7.2.11/v7.4.6/v7.6.1, the Security Level setting uses the low/high attributes instead of 0/1/2.

Process example:

  1. Connect to the console port of the secondary FortiGate.
  2. Reboot the FortiGate ('execute reboot') and enter the BIOS menu.
  3. Press [i] to enter the 'System Information' menu.
  4. Press [u] to enter the 'Set security level' menu.
  5. Enter the security level 0.
  6. Continue to boot the device.
  7. Repeat these steps on the primary FortiGate.
  8. Proceed with the upgrade via GUI or CLI.

After the upgrade, once the cluster is in sync, revert the security level to 2 by repeating steps 1 to 7 of the process above.

Workaround 2:

The second option is to break the cluster, upgrade each device individually, and then add it back into the cluster once the upgrade is done. Refer to this document for more information: Manual upgrade process for HA cluster device.

Process example:

  1. Shut down the standby unit, then disconnect the network cables and afterwards the HA cables from the standby unit.
  2. Turn on the standby unit and upgrade it to the target firmware by connecting directly through the mgmt port and uploading the image file.
  3. Once the standby unit is upgraded, upgrade the primary device in the cluster (this causes a few minutes of downtime, as only one device remains in the HA cluster).
  4. Once the primary device is upgraded to the target version, reconnect the HA cables and wait a few minutes.
  5. Confirm that HA is in sync, then connect the network cables on the standby unit.

If upgrading FortiGate-120G/121G to v7.2, v7.4, or v7.6, be mindful of known issue 1056138, which can be avoided by preparing the cluster before upgrading.

In some cases, step 4 in workaround 1 is not an option. In this case, proceed with workaround 2 instead.

Fixes are already available and documented. Refer to these articles:

Troubleshooting Tip: FortiGate-120G/121G high availability cluster out of sync after upgrading to v7...

Technical Tip: HA issues after upgrade to v7.2.9 for FortiGate 120G/121G

Related article:

Technical Tip: FortiGate Resource Lists