The devices on an HA cluster can get out-of-sync due to different reasons, after an upgrade, after a reboot or a failover, or even if the configuration from primary to secondary takes longer to be pushed.

One of the cases of the cluster getting out-of-sync is due to the 'vpn.certificate.ca' object. 

PrimaryFirewall # diagnose sys ha checksum show root  
vpn.certificate.ca: 307983e23b44f79683890573541f5a91

SecondaryFirewall # diagnose sys ha checksum show root
vpn.certificate.ca: 764d0f8b00ec68405241f910d345a928

In this scenario, the certificates will be shown as present  on the secondary device but will be missing on the primary one, when checking the configuration below in CLI:

show full-configuration vpn certificate ca

As an example:

SecondaryFirewall #  config vpn certificate ca
SecondaryFirewall (ca) # show full-configuration
config vpn certificate ca
    edit "SecureSign_Root_CA14"
        set ca "-----BEGIN CERTIFICATE-----
MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM
----------------------
    edit "SecureSign_Root_CA12"
        set ca "-----BEGIN CERTIFICATE-----
MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL
----------------------

    edit "SecureSign_Root_CA15"
        set ca "-----BEGIN CERTIFICATE-----

MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw

----------------------

    edit "TWCA_CYBER_Root_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ

----------------------

end

PrimaryFirewall  #config vpn certificate ca

PrimaryFirewall (ca) # show full
config vpn certificate ca
end

If the following command is executed, however, the certificates will show as part of both devices:

diagnose sys ha checksum show global vpn.certificate.ca

Secondary Firewall:

SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA14: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455

Primary Firewall: 

SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA14: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA15: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: fda425633fefe53bf193f8ffc9efdcb2

The following command can also be executed on both firewalls to try and recalculate the checksums:

diagnose sys ha checksum recalculate

If recalculating the checksum does not work, another possible workaround is to delete the extra certificates from the secondary device. Use the following commands: 

config vpn certificate ca

    delete <duplicate_certificate>     <----- Certificate in secondary, but not in primary.

end

The default CA certificates are read-only and therefore cannot usually be modified or deleted. If it is deleted, there will be no impact and the FortiGates should sync as expected. 

If these steps do not resolve the issue, open a ticket with the TAC support team.

The output of the commands below from both members of the cluster (primary/secondary) will be necessary to further troubleshoot the issue with the TAC team:

diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hasync -1
diagnose debug application hatalk -1
execute ha synchronize start

To disable the debug process:

diagnose debug disable

diagnose debug reset

To resolve the problem, run the 'execute update-now' on the current primary (this guarantees having the most recent certificate bundle) and then reboot the current primary. Then run the same command on the new primary and wait for the cluster to get into sync (if necessary, a synchronization can be manually triggered by running the command 'execute ha synchronize start'). See Technical Tip: HA Synchronization failure due to the 'vpn.certificate.ca' object.