jfelix09 (Staff)
Article Id 387127
Description: This article explains how to diagnose and resolve HA synchronization issues on FortiGate-VM in AWS, particularly when the primary unit fails to display the correct IP address in the HA status.
Scope: FortiGate-VM AWS.
Solution:

To diagnose issues with the FortiGate AWS daemon (awsd) and HA status, execute the following CLI commands on the primary unit:

diagnose debug application awsd -1

diagnose debug enable

diagnose test application awsd 4

These commands show whether the 'awsd' process is correctly obtaining the HA peer instance information and the instance ENI details. In the output below, both lookups failed:

AWS-HA-Active # HA state: primary
awsd get iam role jfelix-IAMrole-ha
awsd didn't get the correct ha peer instances info
awsd failed to collect instance eni info


Use the command 'get sys ha status' to verify the HA status. Note, however, that it may not display the primary unit's IP address correctly: the unicast heartbeat line shows 'myip=0.0.0.0' even though the configuration is reported as in-sync.


AWS-HA-Active # get sys ha status
HA Health Status: OK
Model: FortiGate-VM64-AWS
Mode: HA A-P
Group Name: AWS-HA
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 0h:25m:29s
Cluster state change time: 2025-04-10 02:55:12
Primary selected using:
<2025/04/10 02:55:12> vcluster-1: FGTAWS-A is selected as the primary because its override priority is larger than peer member FGTAWS-B.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
unicast_hb: peerip=10.1.1.10, myip=0.0.0.0, hasync_port='port3'
Configuration Status:
FGTAWS-A(updated 3 seconds ago): in-sync
FGTAWS-A chksum dump: 46 0d be 56 28 db 78 44 a3 ac 82 13 99 01 ac 9c
FGTAWS-B(updated 1 seconds ago): in-sync
FGTAWS-B chksum dump: 46 0d be 56 28 db 78 44 a3 ac 82 13 99 01 ac 9c
System Usage stats:
FGTAWS-A(updated 3 seconds ago):
sessions=2, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=19%
FGTAWS-B(updated 1 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=19%
HBDEV stats:
FGTAWS-A(updated 3 seconds ago):
port3: physical/00, up, rx-bytes/packets/dropped/errors=26443558/10947/0/0, tx=9460262/9985/0/0
FGTAWS-B(updated 1 seconds ago):
port3: physical/00, up, rx-bytes/packets/dropped/errors=9439521/10314/0/0, tx=26870472/11649/0/0
number of member: 2
AWS-HA-Active , FGTAWS-A, HA cluster index = 1
AWS-HA-Passive , FGTAWS-B, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 0.0.0.0
Primary: FGTAWS-A, HA operating index = 0
Secondary: FGTAWS-B, HA operating index = 1
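As an added example (not part of the original article or of Fortinet's own tooling), the following Python checker parses the two outputs shown above and flags the symptoms the article describes: a unicast heartbeat line with myip=0.0.0.0, cluster members that are not in-sync, and awsd failure lines. The embedded sample outputs are constructed from the article's output with a placeholder IAM role name.

```python
import re

# Constructed sample of `get sys ha status`, trimmed to the lines this
# checker reads; mirrors the article's symptom (myip=0.0.0.0).
SAMPLE_HA_STATUS = """\
HA Health Status: OK
Model: FortiGate-VM64-AWS
Mode: HA A-P
unicast_hb: peerip=10.1.1.10, myip=0.0.0.0, hasync_port='port3'
Configuration Status:
FGTAWS-A(updated 3 seconds ago): in-sync
FGTAWS-B(updated 1 seconds ago): in-sync
"""

# Constructed sample of `diagnose test application awsd 4` output.
SAMPLE_AWSD = """\
HA state: primary
awsd get iam role EXAMPLE-IAMrole-ha
awsd didn't get the correct ha peer instances info
awsd failed to collect instance eni info
"""

UNICAST_RE = re.compile(r"^unicast_hb:\s*(.*)$")
# Matches only member lines that carry a state, e.g. "...ago): in-sync";
# the bare "FGTAWS-A(updated ...):" headers in later sections are skipped.
MEMBER_RE = re.compile(r"^(\S+)\(updated .*?\):\s*(\S+)\s*$")
AWSD_FAIL_RE = re.compile(r"^awsd (didn't|failed)")

def parse_ha_status(text):
    """Return (unicast heartbeat fields, per-member config sync state)."""
    hb, members = {}, {}
    for line in text.splitlines():
        m = UNICAST_RE.match(line)
        if m:
            for kv in m.group(1).split(","):
                k, _, v = kv.strip().partition("=")
                hb[k] = v.strip("'")
            continue
        m = MEMBER_RE.match(line)
        if m:
            members[m.group(1)] = m.group(2)
    return hb, members

def check_ha(ha_text, awsd_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    hb, members = parse_ha_status(ha_text)
    myip = hb.get("myip")
    if myip is None:
        findings.append("no unicast_hb line found in HA status")
    elif myip == "0.0.0.0":
        findings.append("unicast_hb myip is 0.0.0.0: HA sync port "
                        f"{hb.get('hasync_port', '?')} has no usable address")
    for name, state in members.items():
        if state != "in-sync":
            findings.append(f"{name} configuration is {state}")
    for line in awsd_text.splitlines():
        if AWSD_FAIL_RE.match(line):
            findings.append("awsd: " + line)
    return findings
```

Feed it the full outputs of the two commands; the member regex ignores the header-only member lines in the System Usage and HBDEV sections.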


An issue may arise if the FortiGate HA sync port (for example, port3) unexpectedly changes its IP address.

To prevent such issues, it is advisable to use static IP address assignments on FortiGate-VM interfaces instead of relying on DHCP. This ensures consistent IP addressing, which is critical for maintaining HA synchronization.


In some cases, the IP address still does not appear in the HA status after changing the port from DHCP to static. If so, disable and re-enable the port so that the address is properly reflected.

Also make sure the FortiGate can resolve the AWS service URLs, since awsd must reach them to collect the peer instance and ENI information.


Related documents:

Connecting to the FortiGate-VM

Deploying FortiGate-VM active-passive HA AWS between multiple zones