FortiGate
dkhan
Staff
Article Id 376251
Description

This article describes how, when configuring a High Availability (HA) cluster with FortiGate firewalls, a mode mismatch can occur if one device is set to Active-Active (A-A) and the other to Active-Passive (A-P). This misconfiguration results in warnings and prevents proper HA synchronization.

HA mode mismatch error messages appear in debug logs:

 

2024-11-14 11:49:22 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:32 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731613772
2024-11-14 11:49:32 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:42 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:42 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731613782
2024-11-14 11:49:52 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:52 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731613792
2024-11-14 11:50:02 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:50:02 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731613802
2024-11-14 11:50:12 <hatalk:WARN> 'FG6H0FTB23901025 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:50:12 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731

 


Scope

FortiGate.

Solution

Cause: The HA cluster must operate in the same mode across all participating FortiGate devices. A mismatch in HA mode settings leads to synchronization failures, preventing the cluster from functioning correctly.

 

  1. Verify the current HA Mode:
  • Run the following command on both firewalls:

      

get system ha status

 

  • Check the 'Mode' field to confirm the mismatch.

 

  2. Change the HA Mode to Match:

 

  • On the misconfigured device, set the correct HA mode:

 

config system ha

    set mode a-p <- Active-Passive. Use 'set mode a-a' for Active-Active.

end

 

  • Ensure that both devices are set to the same HA mode.

 

  3. Reboot the Firewalls (if required):

 

  • If the HA cluster does not synchronize after mode correction, reboot both firewalls one at a time.

 

execute reboot  <- First on secondary.

 

  4. Verify HA Synchronization:
  • Once the firewalls are back online, verify synchronization:

 

diagnose sys ha status

 

  • Check if both units are in sync and operational.

Best practices to avoid HA mode mismatch:

  • Always ensure both firewalls have identical firmware versions.

  • Pre-define HA mode before forming the cluster.

  • Perform a controlled HA failover test after configuration.

  • Monitor HA logs regularly for any warnings or errors.

Ensuring that the HA mode is configured consistently on every cluster member maintains seamless failover and high availability of the FortiGate deployment.
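
The regular log review recommended above can be scripted. The following is an added example, not Fortinet code: a Python parser for hatalk debug lines in the format shown in the Description, grouping 'mode mismatch' warnings by logged serial number and mode pair. The sample input is constructed, the serial number is a placeholder, and the numeric mode values are reported as logged, with no mapping to A-A or A-P assumed.

```python
import re

# Constructed sample in the format of the debug output shown in this article.
# The serial number is a placeholder, not a real device.
SAMPLE = """\
2024-11-14 11:49:22 <hatalk:WARN> 'FGT0000000000001 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:32 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/1731613772
2024-11-14 11:49:32 <hatalk:WARN> 'FGT0000000000001 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:42 <hatalk:WARN> 'FGT0000000000001 mode mismatch: hdr_mode=2, my_mode=1
2024-11-14 11:49:42 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1731611802/17316
"""

# Matches only the WARN lines; the leading quote before the serial is optional.
MISMATCH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) <hatalk:WARN> "
    r"'?(?P<serial>\S+) mode mismatch: hdr_mode=(?P<hdr>\d+), my_mode=(?P<mine>\d+)"
)


def find_mode_mismatches(text):
    """Group 'mode mismatch' warnings by (serial, hdr_mode, my_mode).

    Returns {(serial, hdr_mode, my_mode): {"count", "first", "last"}}.
    Mode numbers are kept exactly as logged.
    """
    found = {}
    for line in text.splitlines():
        m = MISMATCH.match(line.strip())
        if not m:
            continue  # state lines and truncated lines are skipped
        key = (m["serial"], int(m["hdr"]), int(m["mine"]))
        entry = found.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return found


def report(text):
    """One summary line per distinct mismatch, sorted by serial number."""
    return [
        f"{serial}: hdr_mode={hdr} vs my_mode={mine}, "
        f"{e['count']} warnings from {e['first']} to {e['last']}"
        for (serial, hdr, mine), e in sorted(find_mode_mismatches(text).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Any output from this script means the cluster members still disagree on HA mode and the steps in the Solution section apply.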
