To diagnose issues with the FortiGate AWS daemon (awsd) and HA status, execute the following CLI commands on the primary unit:

diagnose debug application awsd -1

diagnose debug enable

diagnose test application awsd 4

These commands will help identify if the 'awsd' process is correctly obtaining HA peer instance information and instance ENI details.

AWS-HA-Active # HA state: primary
awsd get iam role jfelix-IAMrole-ha
awsd didn't get the correct ha peer instances info
awsd failed to collect instance eni info

Use the command 'get sys ha status' to verify the HA status. However, note that it may not display the primary IP address correctly, showing 'my_ip=0.0.0.0' in the unicast heartbeat.

AWS-HA-Active # get sys ha status
HA Health Status: OK
Model: FortiGate-VM64-AWS
Mode: HA A-P
Group Name: AWS-HA
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 0h:25m:29s
Cluster state change time: 2025-04-10 02:55:12
Primary selected using:
<2025/04/10 02:55:12> vcluster-1: FGTAWS-A is selected as the primary because its override priority is larger than peer member FGTAWS-B.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
unicast_hb: peerip=10.1.1.10, myip=0.0.0.0, hasync_port='port3'
Configuration Status:
FGTAWS-A(updated 3 seconds ago): in-sync
FGTAWS-A chksum dump: 46 0d be 56 28 db 78 44 a3 ac 82 13 99 01 ac 9c
FGTAWS-B(updated 1 seconds ago): in-sync
FGTAWS-B chksum dump: 46 0d be 56 28 db 78 44 a3 ac 82 13 99 01 ac 9c
System Usage stats:
FGTAWS-A(updated 3 seconds ago):
sessions=2, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=19%
FGTAWS-B(updated 1 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=19%
HBDEV stats:
FGTAWS-A(updated 3 seconds ago):
port3: physical/00, up, rx-bytes/packets/dropped/errors=26443558/10947/0/0, tx=9460262/9985/0/0
FGTAWS-B(updated 1 seconds ago):
port3: physical/00, up, rx-bytes/packets/dropped/errors=9439521/10314/0/0, tx=26870472/11649/0/0
number of member: 2
AWS-HA-Active , FGTAWS-A, HA cluster index = 1
AWS-HA-Passive , FGTAWS-B, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 0.0.0.0
Primary: FGTAWS-A, HA operating index = 0
Secondary: FGTAWS-B, HA operating index = 1

An issue may arise if the FortiGate HA sync port (for example, port3) unexpectedly changes its IP address.

To prevent such issues, it is advisable to use static IP address assignments on FortiGate-VM interfaces instead of relying on DHCP. This ensures consistent IP addressing, which is critical for maintaining HA synchronization.

In some cases, the IP address may not appear in the HA status even after changing from DHCP to Static. In such cases, try disabling and re-enabling the port to ensure the IP is properly reflected.

Make sure the FortiGate is resolving the AWS service URLs. Additionally, ensure that both the primary and secondary FortiGate instances have an attached IAM role with the required permissions to make EC2 API calls, as missing permissions will prevent awsd from gathering peer and ENI information.

Related documents:

Connecting to the FortiGate-VM

Deploying FortiGate-VM active-passive HA AWS between multiple zones