FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
MigenaM
Staff
Article Id 371774
Description This article describes the behavior behind the out-of-sync issue due to 'vpn.certificate.ca' on an HA cluster.
Scope FortiGate, FortiProxy.
Solution

The devices in an HA cluster can go out of sync for different reasons: after an upgrade, after a reboot or a failover, or even when pushing the configuration from the primary to the secondary takes longer than expected.

One such case is the cluster going out of sync because of the 'vpn.certificate.ca' object, which shows a different checksum on each member:

PrimaryFirewall # diag sys ha checksum show root  
vpn.certificate.ca: 307983e23b44f79683890573541f5a91

SecondaryFirewall # diag sys ha checksum show root
vpn.certificate.ca: 764d0f8b00ec68405241f910d345a928

In this scenario, the certificates are shown as present on the secondary device but missing on the primary one when checking the configuration with the following CLI command:

show full-configuration vpn certificate ca

As an example:

SecondaryFirewall # config vpn certificate ca
SecondaryFirewall (ca) # show full-configuration
config vpn certificate ca
    edit "SecureSign_Root_CA14"
        set ca "-----BEGIN CERTIFICATE-----
MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM
----------------------
    edit "SecureSign_Root_CA12"
        set ca "-----BEGIN CERTIFICATE-----
MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL
----------------------
    edit "SecureSign_Root_CA15"
        set ca "-----BEGIN CERTIFICATE-----
MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw
----------------------
    edit "TWCA_CYBER_Root_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ
----------------------
end

PrimaryFirewall # config vpn certificate ca
PrimaryFirewall (ca) # show full
config vpn certificate ca
end

If the following command is executed, however, the certificates are listed on both devices, each member reporting a different checksum for every entry:

diagnose sys ha checksum show global vpn.certificate.ca

Secondary Firewall:

SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA14: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455

Primary Firewall:

SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA14: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA15: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: fda425633fefe53bf193f8ffc9efdcb2
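
The two levels of checksum output shown above (the per-VDOM table list from 'diagnose sys ha checksum show root' and the per-entry list from 'diagnose sys ha checksum show global vpn.certificate.ca') can be compared mechanically once collected from both members, which is useful when a cluster has many objects and the mismatched one is not obvious. The following Python script is an added example and is not part of this article or of FortiOS: it parses the 'object: md5' lines in the format quoted above and reports every object whose checksum differs or that exists on only one side. Its sample inputs are constructed from the values in the article plus one made-up in-sync line (system.interface) to show that matching objects are left out of the report.

```python
"""Compare FortiGate HA checksum output between two cluster members.

Added example (not from the Fortinet article). Parses the text returned by
'diagnose sys ha checksum show <vdom>' and by
'diagnose sys ha checksum show global <object>' on each member and reports
every object whose checksum differs or is missing on one side.
"""
import re
from typing import Dict, List, Tuple

# One checksum line: "<object name>: <32 hex chars>". Prompt and command-echo
# lines such as "PrimaryFirewall # diag sys ha checksum show root" do not match.
CHECKSUM_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*([0-9a-fA-F]{32})\s*$")

# Constructed sample: table-level output of 'diagnose sys ha checksum show root'.
# The vpn.certificate.ca values are the ones quoted in the article; the
# system.interface line is made up to represent an in-sync table.
PRIMARY_ROOT = """\
PrimaryFirewall # diag sys ha checksum show root
system.interface: 11111111111111111111111111111111
vpn.certificate.ca: 307983e23b44f79683890573541f5a91
"""
SECONDARY_ROOT = """\
SecondaryFirewall # diag sys ha checksum show root
system.interface: 11111111111111111111111111111111
vpn.certificate.ca: 764d0f8b00ec68405241f910d345a928
"""

# Constructed sample: per-entry output of
# 'diagnose sys ha checksum show global vpn.certificate.ca' (values from the article).
PRIMARY_CA = """\
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA14: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA15: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: fda425633fefe53bf193f8ffc9efdcb2
"""
SECONDARY_CA = """\
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA14: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455
"""

MISSING = "<missing>"


def parse_checksums(text: str) -> Dict[str, str]:
    """Return {object_name: checksum} for every checksum line in the output."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        match = CHECKSUM_RE.match(line)
        if match:
            sums[match.group(1)] = match.group(2).lower()
    return sums


def diff_checksums(primary: str, secondary: str) -> List[Tuple[str, str, str]]:
    """Return (object, primary_sum, secondary_sum) for each object that is out
    of sync: a differing checksum, or an entry present on only one member."""
    p_sums, s_sums = parse_checksums(primary), parse_checksums(secondary)
    mismatches: List[Tuple[str, str, str]] = []
    for name in sorted(set(p_sums) | set(s_sums)):
        p_val = p_sums.get(name, MISSING)
        s_val = s_sums.get(name, MISSING)
        if p_val != s_val:
            mismatches.append((name, p_val, s_val))
    return mismatches


def report(primary_root: str, secondary_root: str,
           per_object: Dict[str, Tuple[str, str]]) -> List[str]:
    """Build a plain-text report: first the tables that differ at VDOM level,
    then, where per-entry output for that table was collected, the entries
    that differ inside it. per_object maps table name -> (primary, secondary)."""
    lines: List[str] = []
    for table, p_val, s_val in diff_checksums(primary_root, secondary_root):
        lines.append(f"{table}: primary={p_val} secondary={s_val}")
        if table in per_object:
            p_text, s_text = per_object[table]
            for entry, p_entry, s_entry in diff_checksums(p_text, s_text):
                lines.append(f"  {entry}: primary={p_entry} secondary={s_entry}")
    return lines


if __name__ == "__main__":
    for line in report(PRIMARY_ROOT, SECONDARY_ROOT,
                       {"vpn.certificate.ca": (PRIMARY_CA, SECONDARY_CA)}):
        print(line)
```

Run against real output, the script takes the raw text pasted from each member's CLI session; the prompt lines are ignored by the regular expression, so the output does not need to be trimmed first. An entry reported as '<missing>' on one side corresponds to the situation in this article where 'show full-configuration vpn certificate ca' lists the object on the secondary only.
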

To mitigate this issue, rebooting both firewalls usually resolves the behavior.

The following command can also be executed on both firewalls to recalculate the checksums:

diagnose sys ha checksum recalculate

If these steps do not resolve the issue, open a ticket with the TAC support team.

To troubleshoot further with the TAC team, the output of the following commands on both members of the cluster (primary and secondary) will be needed:

diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hasync -1
diagnose debug application hatalk -1
execute ha synchronize start

To disable debugging afterwards:

diag debug disable
diag debug reset