Description | This article describes the behavior behind the out-of-sync issue due to 'vpn.certificate.ca' on an HA cluster.
Scope | FortiGate, FortiProxy.
Solution |
The devices in an HA cluster can get out of sync for different reasons: after an upgrade, after a reboot or a failover, or even when pushing the configuration from the primary to the secondary takes longer than expected.
One of the cases of the cluster getting out of sync is caused by the 'vpn.certificate.ca' object, which can be seen in the output of:

PrimaryFirewall # diag sys ha checksum show root

In this scenario, the certificates are shown as present on the secondary device but are missing on the primary one when checking the configuration below in the CLI:
show full-configuration vpn certificate ca
As an example:
SecondaryFirewall # config vpn certificate ca
    edit "SecureSign_Root_CA15"
        MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw
        ----------------------
    edit "TWCA_CYBER_Root_CA"
        ----------------------
end

PrimaryFirewall # config vpn certificate ca
PrimaryFirewall (ca) # show full
If the following command is executed, however, the certificates show as present on both devices, but with different checksums:
d sys ha checksum show global vpn.certificate.ca

Secondary Firewall:
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455

Primary Firewall:
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
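Comparing the per-object checksum output of both members by hand is error-prone once the CA list grows. The following script is an added example, not Fortinet code: it parses the 'name: checksum' lines that 'diagnose sys ha checksum show global vpn.certificate.ca' prints on each member and reports which entries match, differ, or exist on only one side. The two sample outputs are constructed; the SecureSign_Root_CA12 values are the ones shown above, and the other names and checksums are made-up placeholders.

```python
"""Diff per-object HA checksums collected from two FortiGate cluster members.

Added example (not Fortinet's code). Paste the output of
'diagnose sys ha checksum show global vpn.certificate.ca' from each
member into PRIMARY_OUTPUT / SECONDARY_OUTPUT, or read it from files.
"""
import re
from typing import Dict, List

# Constructed sample output. SecureSign_Root_CA12 uses the checksums from
# the article; the remaining names and hashes are made-up placeholders.
PRIMARY_OUTPUT = """\
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: 0f9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d
"""
SECONDARY_OUTPUT = """\
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 0f9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d
SecureSign_Root_CA15: 1a2b3c4d5e6f708192a3b4c5d6e7f809
"""

# One object per line: "<name>: <32 hex chars>". Prompt lines and other
# noise do not match and are skipped.
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<sum>[0-9a-fA-F]{32})\s*$")


def parse_checksums(text: str) -> Dict[str, str]:
    """Return {object_name: checksum} for every matching line in the output."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("name")] = m.group("sum").lower()
    return result


def diff_checksums(primary: Dict[str, str], secondary: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every object seen on either member into one of four buckets."""
    report: Dict[str, List[str]] = {
        "match": [], "mismatch": [], "primary_only": [], "secondary_only": []
    }
    for name in sorted(set(primary) | set(secondary)):
        if name not in primary:
            report["secondary_only"].append(name)
        elif name not in secondary:
            report["primary_only"].append(name)
        elif primary[name] == secondary[name]:
            report["match"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def in_sync(report: Dict[str, List[str]]) -> bool:
    """True only when every object exists on both members with the same checksum."""
    return not (report["mismatch"] or report["primary_only"] or report["secondary_only"])


if __name__ == "__main__":
    rep = diff_checksums(parse_checksums(PRIMARY_OUTPUT), parse_checksums(SECONDARY_OUTPUT))
    for kind, names in rep.items():
        for name in names:
            print(f"{kind:15s} {name}")
    print("cluster in sync" if in_sync(rep) else "cluster OUT OF SYNC")
```

Any name listed under mismatch, primary_only or secondary_only is a candidate for the recalculate/reboot steps below, and the same report is a convenient attachment when opening a TAC ticket.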
To mitigate this issue, a reboot of both firewalls usually resolves the behavior. The following command can also be executed on both firewalls to recalculate the checksums:

diagnose sys ha checksum recalculate
If these steps do not resolve the issue, opening a ticket with the TAC support team is advised. The output of the commands below, collected on both members of the cluster (primary and secondary), is needed to troubleshoot the issue further with the TAC team:

To disable the debug:

diag debug disable
diag debug reset
Copyright 2025 Fortinet, Inc. All Rights Reserved.