Technical Tip: HA cluster out-of-sync issue due to 'vpn.certificate.ca' mismatch
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kaman
Staff
Article Id 375502
Description

This article describes how to diagnose and resolve an HA out-of-sync condition caused by a mismatch in the 'vpn.certificate.ca' object on FortiGate.


Scope

FortiGate.


Solution

After a root certificate is pushed to the cluster (the FortiGuard Certificate Bundle update discussed below), the secondary unit becomes out-of-sync, and the GUI shows a difference in the 'vpn.certificate.ca' object.

[Image: vpn.certificate.ca.png, HA status in the GUI showing the vpn.certificate.ca mismatch]


The HA synchronization status can also be checked with the following CLI command:

get system ha status


Verify whether the checksum of the 'vpn.certificate.ca' object differs between the cluster units by running the following command on each unit and comparing the values:

diagnose sys ha checksum show root vpn.certificate.ca

Note:

In most cases, rebooting the secondary unit and then running 'diagnose sys ha checksum recalculate' brings the cluster back into sync.

If the issue persists, check the Certificate Bundle details on the primary and secondary units with the command below and confirm whether the versions are identical:

diagnose autoupdate versions | grep Bundle -A 6

 

Certificate Bundle
---------
Version: 1.00054
Contract Expiry Date: n/a
Last Updated using manual update on Tue Dec 31 15:00:00 2024
Last Update Attempt: Fri Feb 21 13:21:08 2025
Result: No Updates

 

If the secondary unit's Certificate Bundle version is the same as the primary's (1.00054 in the example output above), rebooting the secondary unit will most likely bring HA back into sync and resolve the issue.

 

If the secondary unit's Certificate Bundle version is lower, update its bundle: promote the secondary unit to primary (so that it performs the FortiGuard update itself), run 'execute update-now', and check whether HA synchronizes.

Enter 'config vpn certificate ca' (followed by 'show') on both units and compare the certificate entries.

The certificates shown in the image below exist on the primary firewall but are missing from the secondary FortiGate.

[Image: mismatch-cert.png, CA certificate entries present on the primary but absent from the secondary]


The entries that are missing from the secondary are also not visible under System -> Certificates in the primary unit's GUI, even though they exist in its CLI configuration.
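To make the two comparisons above (the Certificate Bundle version from 'diagnose autoupdate versions | grep Bundle -A 6', and the entries listed by 'config vpn certificate ca' plus 'show') repeatable across output captured from both units, here is an added example script. It is not part of the original article or of Fortinet's tooling: the sample outputs embedded in it are constructed for illustration (the certificate bodies are placeholders, not real PEM data), and the helper names (parse_bundle_version, version_key, parse_ca_entries, compare_ca_entries, diagnose) are the example's own. In practice, paste the saved CLI output from each unit into the corresponding strings or read it from files.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample output (not from a real cluster) of
# 'diagnose autoupdate versions | grep Bundle -A 6' on each unit.
PRIMARY_BUNDLE = """Certificate Bundle
---------
Version: 1.00054
Result: No Updates
"""
SECONDARY_BUNDLE = """Certificate Bundle
---------
Version: 1.00052
Result: No Updates
"""

# Constructed sample output of 'config vpn certificate ca' followed by 'show'.
# The certificate bodies are placeholders, not real PEM data.
PRIMARY_CA_SHOW = """config vpn certificate ca
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIB...AAA
-----END CERTIFICATE-----"
        set source factory
    next
    edit "Example_Root_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIB...BBB
-----END CERTIFICATE-----"
        set source user
    next
end
"""
SECONDARY_CA_SHOW = """config vpn certificate ca
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIB...AAA
-----END CERTIFICATE-----"
        set source factory
    next
end
"""

_VERSION_RE = re.compile(r"^Certificate Bundle.*?^Version:\s*(\S+)", re.S | re.M)
_EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$(.*?)^\s*next\s*$', re.S | re.M)
_CA_RE = re.compile(r'set ca\s+"(.*?)"', re.S)


def parse_bundle_version(text: str) -> Optional[str]:
    """Return the Certificate Bundle version string (e.g. '1.00054'), or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.00054' into (1, 54) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_ca_entries(show_output: str) -> Dict[str, str]:
    """Map each CA entry name to its PEM body with all whitespace removed,
    so the same certificate pasted with different line wrapping compares equal."""
    entries: Dict[str, str] = {}
    for name, body in _EDIT_RE.findall(show_output):
        ca = _CA_RE.search(body)
        entries[name] = "".join(ca.group(1).split()) if ca else ""
    return entries


def compare_ca_entries(primary: str, secondary: str) -> Dict[str, Set[str]]:
    """Report entries present on only one unit, and shared entries whose PEM differs."""
    p, s = parse_ca_entries(primary), parse_ca_entries(secondary)
    return {
        "only_on_primary": set(p) - set(s),
        "only_on_secondary": set(s) - set(p),
        "content_differs": {n for n in set(p) & set(s) if p[n] != s[n]},
    }


def diagnose(primary_bundle: str, secondary_bundle: str,
             primary_ca: str, secondary_ca: str) -> Dict[str, object]:
    """Combine both checks into one verdict following the article's decision points."""
    pv, sv = parse_bundle_version(primary_bundle), parse_bundle_version(secondary_bundle)
    if pv is None or sv is None:
        state = "unknown"          # output did not contain a Certificate Bundle block
    elif version_key(sv) < version_key(pv):
        state = "secondary_lower"  # article: promote secondary and 'execute update-now'
    elif version_key(sv) > version_key(pv):
        state = "secondary_higher"
    else:
        state = "same"             # article: reboot the secondary and recalculate
    return {"primary_version": pv, "secondary_version": sv, "bundle_state": state,
            **compare_ca_entries(primary_ca, secondary_ca)}


if __name__ == "__main__":
    for key, value in diagnose(PRIMARY_BUNDLE, SECONDARY_BUNDLE,
                               PRIMARY_CA_SHOW, SECONDARY_CA_SHOW).items():
        print(f"{key}: {value}")
```

With the constructed samples the verdict is 'secondary_lower' with 'Example_Root_CA' listed under only_on_primary; the content_differs set catches the subtler case where an entry exists on both units under the same name but with a different certificate body, which a name-only comparison would miss.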

Delete those certificate entries from the primary through the CLI ('config vpn certificate ca', then 'delete <name>'), recalculate the checksum with 'diagnose sys ha checksum recalculate', and check whether HA synchronizes.

If the issue persists, the next step is to roll the secondary unit back to the older firmware partition (listed by 'diagnose sys flash list') and upgrade the firmware again.

Another option is to isolate the secondary unit, take a configuration backup of the primary unit, change the hostname and HA priority in that backup, and restore it onto the secondary unit:

  • First isolate the secondary unit by disconnecting its cables, with HA override enabled in the HA settings.
  • Remove the LAN/WAN cables first and the HA cables afterwards.
  • Access the management interface of the secondary unit via the GUI.
  • Take a configuration backup from the primary unit, change the hostname and set a lower HA priority than the primary's (so the unit rejoins as secondary), and then restore that backup onto the secondary unit.
  • Once the unit boots, verify the configuration and settings.
  • Reconnect the HA cables first, then the LAN/WAN cables, and add the unit back to the cluster.


If the issue persists, FortiGate TAC requires the following logs for investigation.

  1. The output of the CLI commands below, captured on both the primary and secondary units ('diagnose debug reset' clears any previously set debug levels, so it is run before the application debug levels are set):

diag autoupdate versions | grep Bundle -A 6
fnsysctl ls /etc/ca_bundle -l
fnsysctl ls /etc/cert/ca -l
diagnose sys ha checksum show global certificate.ca
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application hasync -1
diagnose debug application hatalk -1
diagnose debug enable
execute ha sync start

(wait 5 minutes so the synchronization attempt is captured in the debug output, then continue)

diagnose debug reset
diagnose debug disable
print global
diagnose sys ha checksum recalculate
diagnose sys ha history read

  2. The TAC report:

execute tac report

  3. The configuration file of both the primary and secondary units.

 

Related articles:

Technical Tip: Procedure for HA manual synchronization

Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions