FortiGate
mdibaee
Staff
Article Id 355300
Description

This article describes a scenario in which the HA cluster goes out of sync after a new configuration change and stays out of sync for an extended period.

Even after the secondary unit's configuration is adjusted manually, the HA status can revert to out-of-sync after the next configuration change.

Scope

FortiGate v7.0, v7.2, v7.4.

Solution

When this issue occurs, the primary FortiGate enters a state that prevents any new configuration from syncing to the secondary unit. This state can be identified by running the following command; in the affected state the output shows nCfg_ha_skip_sync_flag set to 1:

# print global
head=0x8d88350, acthead=0x8d881c0, cmdb_shm_root=0x7f8a490000, effective_vf=root
cmdb_shm_header=0x7f8a476000, nCfg_debug_zone=0x7f89f7d000, nCfg=0x8d38590, cwd=/
ecli=0x8d76508, psta=0x8d76508, pext=0x8d77e70, username=admin, userfrom=jsconsole(172.16.199.14)
nCfg_ha_skip_sync_flag=1, nCfg_ha_skip_sync_cmd_flag=0
ncfg_get_cc_mode()=0, original_tty=(null)

 

The flag indicates whether configuration sync has been halted. Its normal value is 0. The same flag is also set to 1 by running the following command:

execute ha sync stop

This issue occurs when the tunnel to FortiGate Cloud central management goes down. Engineering found that fgfmd leaves nCfg_ha_skip_sync_flag set to 1, which stops hasync from syncing any new configuration changes until sync is manually started again. This is tracked as bug ID 1080655, which is already fixed in v7.4.8 and will be fixed in v7.6.4. It is a one-time issue: once it is resolved by running the command below on the primary unit, there have been no reports of it occurring again.

execute ha sync start

After running the command above, the sync flag changes from 1 to 0 and HA sync resumes. Once the time needed for the configuration sync has passed, the HA state turns to 'in-sync' automatically. The process can be monitored, and the checksums recalculated manually, with the following command:

diagnose sys ha checksum recalculate

In some customer environments the FortiCloud tunnel goes down frequently, leaving synchronization stopped each time. In that case it is recommended to change the central-management type from FortiGuard to "none" in order to stabilize the HA sync status:

config system central-management
    set type none
end

Sample system event logs of the FortiGate Cloud tunnel going down:

date=2025-02-19 time=13:55:29 eventtime=1739994928967910968 tz="-0600" logid="0100053400" type="event" subtype="system" level="notice" vd="root" logdesc="Central Management connectivity is active" action="connect" status="success" msg="Connected to FortiGate Cloud 173.243.132.130"
date=2025-02-19 time=13:55:28 eventtime=1739994928704523195 tz="-0600" logid="0100053401" type="event" subtype="system" level="warning" vd="root" logdesc="Central Management connectivity is inactive" action="connect" status="failure" msg="Tunnel to FortiCloud is down"
date=2025-02-19 time=13:55:28 eventtime=1739994928704424822 tz="-0600" logid="0100053401" type="event" subtype="system" level="warning" vd="root" logdesc="Central Management connectivity is inactive" action="connect" status="failure" msg="Failed to connect FortiGate Cloud 173.243.132.130"
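As an added check that is not part of this article or of FortiOS, the following Python script parses `print global` output for nCfg_ha_skip_sync_flag and scans system event logs in the format above for the central-management connectivity events (logid 0100053400 active, 0100053401 inactive), so the two symptoms can be correlated from a log collector rather than by eye. The `print global` text and the log lines are constructed for the example, the cloud address is the documentation address 192.0.2.10, and the recommendation strings simply restate the remedies given in this article.

```python
import re

# Constructed sample of `print global` output in the shape shown in this article;
# not captured from a live unit. Only the nCfg_ha_skip_sync_flag value is inspected.
PRINT_GLOBAL_STUCK = """\
head=0x8d88350, acthead=0x8d881c0, cmdb_shm_root=0x7f8a490000, effective_vf=root
nCfg_ha_skip_sync_flag=1, nCfg_ha_skip_sync_cmd_flag=0
ncfg_get_cc_mode()=0, original_tty=(null)
"""
PRINT_GLOBAL_HEALTHY = PRINT_GLOBAL_STUCK.replace(
    "nCfg_ha_skip_sync_flag=1", "nCfg_ha_skip_sync_flag=0")

# Constructed FortiOS system event lines in the key=value / key="value" format
# shown above; 192.0.2.10 is a documentation address, not a real cloud endpoint.
SAMPLE_LOGS = """\
date=2025-02-19 time=13:55:29 eventtime=1739994928967910968 tz="-0600" logid="0100053400" type="event" subtype="system" level="notice" vd="root" logdesc="Central Management connectivity is active" action="connect" status="success" msg="Connected to FortiGate Cloud 192.0.2.10"
date=2025-02-19 time=13:55:28 eventtime=1739994928704523195 tz="-0600" logid="0100053401" type="event" subtype="system" level="warning" vd="root" logdesc="Central Management connectivity is inactive" action="connect" status="failure" msg="Tunnel to FortiCloud is down"
date=2025-02-19 time=13:55:28 eventtime=1739994928704424822 tz="-0600" logid="0100053401" type="event" subtype="system" level="warning" vd="root" logdesc="Central Management connectivity is inactive" action="connect" status="failure" msg="Failed to connect FortiGate Cloud 192.0.2.10"
"""

CM_ACTIVE = "0100053400"    # central-management connectivity active (from the article's logs)
CM_INACTIVE = "0100053401"  # central-management connectivity inactive (tunnel down)

# key=value pairs: the value is a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS log line into a dict; quoted values are returned unquoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def ha_sync_skipped(print_global_output):
    """True when `print global` reports nCfg_ha_skip_sync_flag=1 (config sync halted)."""
    m = re.search(r"nCfg_ha_skip_sync_flag=(\d)", print_global_output)
    if m is None:
        raise ValueError("nCfg_ha_skip_sync_flag not present in output")
    return m.group(1) == "1"


def central_management_events(log_text):
    """All central-management connectivity events, oldest first by eventtime."""
    events = [parse_fortios_log(l) for l in log_text.splitlines() if l.strip()]
    cm = [e for e in events if e.get("logid") in (CM_ACTIVE, CM_INACTIVE)]
    return sorted(cm, key=lambda e: int(e["eventtime"]))


def tunnel_down_events(log_text):
    """Only the events where the tunnel to FortiGate Cloud was reported down."""
    return [e for e in central_management_events(log_text) if e["logid"] == CM_INACTIVE]


def latest_tunnel_state(log_text):
    """'active', 'inactive', or None when no central-management event was seen."""
    cm = central_management_events(log_text)
    if not cm:
        return None
    return "active" if cm[-1]["logid"] == CM_ACTIVE else "inactive"


def assess(print_global_output, log_text):
    """Combine both signals into one finding with the remediation this article gives."""
    stuck = ha_sync_skipped(print_global_output)
    downs = tunnel_down_events(log_text)
    if stuck:
        action = "run 'execute ha sync start' on the primary unit"
        if downs:
            action += "; tunnel flaps seen, consider 'set type none' under central-management"
    elif downs:
        action = "sync flag is 0; tunnel flapped, keep watching the HA checksums"
    else:
        action = "no action"
    return {"ha_sync_stuck": stuck, "tunnel_down_count": len(downs),
            "latest_tunnel_state": latest_tunnel_state(log_text), "action": action}


if __name__ == "__main__":
    print(assess(PRINT_GLOBAL_STUCK, SAMPLE_LOGS))
```

Sorting by eventtime matters because the log view above lists newest first: the tunnel came back up one second after the two failures, so latest_tunnel_state reports "active" while tunnel_down_count still records the flap. A sync flag of 1 is the actionable signal either way, since the flag stays set after the tunnel recovers.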

Related articles:

Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...

Technical Tip: Procedure for HA manual synchronization