FortiGate
MigenaM
Staff
Article Id 371774
Description This article describes the behaviour behind an HA cluster going out of sync because of the 'vpn.certificate.ca' object.
Scope FortiGate, FortiProxy.
Solution

The members of an HA cluster can go out of sync for several reasons: after an upgrade, after a reboot or a failover, or simply because pushing the configuration from the primary to the secondary takes longer than expected.

One such case is a checksum mismatch on the 'vpn.certificate.ca' object, visible when 'diagnose sys ha checksum show root' is run on each member:

 

PrimaryFirewall # diagnose sys ha checksum show root  
vpn.certificate.ca: 307983e23b44f79683890573541f5a91

SecondaryFirewall # diagnose sys ha checksum show root
vpn.certificate.ca: 764d0f8b00ec68405241f910d345a928

 

In this scenario, the certificates appear in the configuration of the secondary device but are missing from the primary, as seen with the following CLI command on each member:

 

show full-configuration vpn certificate ca

 

As an example:

 

SecondaryFirewall # config vpn certificate ca
SecondaryFirewall (ca) # show full-configuration
config vpn certificate ca
    edit "SecureSign_Root_CA14"
        set ca "-----BEGIN CERTIFICATE-----
MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM
----------------------
    edit "SecureSign_Root_CA12"
        set ca "-----BEGIN CERTIFICATE-----
MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL
----------------------
    edit "SecureSign_Root_CA15"
        set ca "-----BEGIN CERTIFICATE-----
MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw
----------------------
    edit "TWCA_CYBER_Root_CA"
        set ca "-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ
----------------------
end

 

PrimaryFirewall # config vpn certificate ca
PrimaryFirewall (ca) # show full
config vpn certificate ca
end

 

Running the per-object checksum command below, however, lists the certificates on both devices, with a different checksum on each side:

 

diagnose sys ha checksum show global vpn.certificate.ca

 

Secondary Firewall:

 

SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA14: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455

 

Primary Firewall: 

 

SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA14: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA15: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: fda425633fefe53bf193f8ffc9efdcb2
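
The two listings above have to be compared by eye, which is error-prone once an object holds more than a handful of entries. As an added example that is not part of this article or of FortiOS, the following Python script parses the output of 'diagnose sys ha checksum show global vpn.certificate.ca' captured from both members (the 'diagnose sys ha checksum show root' output uses the same 'name: checksum' format and can be fed to it as well) and reports objects that are missing on one side or present on both with different checksums. The sample outputs embedded in it are constructed: the certificate names are the ones from the article, but the hash values and the entry missing on the primary were chosen for illustration.

```python
"""Compare per-object HA checksum output from two FortiGate cluster members.

Added example, not Fortinet code. Paste the output of
'diagnose sys ha checksum show global vpn.certificate.ca' from the primary
and the secondary into the two strings (or read it from files) and run it.
"""
import re
import sys
from typing import Dict, List

# One line of FortiOS checksum output: "<object name>: <32 hex digits>".
# Prompts, command echoes and blank lines do not match and are skipped.
_CHECKSUM_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s*:\s*(?P<sum>[0-9a-f]{32})\s*$")

# Constructed sample output. Names follow the article; the hashes and the
# missing SecureSign_Root_CA15 on the primary are made up for illustration.
SECONDARY_SAMPLE = """\
SecondaryFirewall # diagnose sys ha checksum show global vpn.certificate.ca
SecureSign_Root_CA12: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA14: 74619550cc2dc3fd9783ad34c53a2455
SecureSign_Root_CA15: 74619550cc2dc3fd9783ad34c53a2455
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455
"""

PRIMARY_SAMPLE = """\
PrimaryFirewall # diagnose sys ha checksum show global vpn.certificate.ca
SecureSign_Root_CA12: fda425633fefe53bf193f8ffc9efdcb2
SecureSign_Root_CA14: fda425633fefe53bf193f8ffc9efdcb2
TWCA_CYBER_Root_CA: 74619550cc2dc3fd9783ad34c53a2455
"""


def parse_checksums(output: str) -> Dict[str, str]:
    """Map object name -> checksum for every matching line in the output."""
    checksums: Dict[str, str] = {}
    for line in output.splitlines():
        match = _CHECKSUM_LINE.match(line)
        if match:
            checksums[match.group("name")] = match.group("sum")
    return checksums


def compare_members(primary: str, secondary: str) -> Dict[str, List[str]]:
    """Classify every object seen on either member.

    'missing_on_*' are objects present on one member only; 'mismatched' are
    present on both with different checksums; 'in_sync' agree on both.
    """
    p = parse_checksums(primary)
    s = parse_checksums(secondary)
    common = set(p) & set(s)
    return {
        "missing_on_primary": sorted(set(s) - set(p)),
        "missing_on_secondary": sorted(set(p) - set(s)),
        "mismatched": sorted(name for name in common if p[name] != s[name]),
        "in_sync": sorted(name for name in common if p[name] == s[name]),
    }


def format_report(diff: Dict[str, List[str]]) -> List[str]:
    """Render the comparison as one line per object, problems first."""
    lines = [f"MISSING on primary:   {n}" for n in diff["missing_on_primary"]]
    lines += [f"MISSING on secondary: {n}" for n in diff["missing_on_secondary"]]
    lines += [f"MISMATCH:             {n}" for n in diff["mismatched"]]
    lines += [f"in sync:              {n}" for n in diff["in_sync"]]
    return lines


def has_problems(diff: Dict[str, List[str]]) -> bool:
    """True when anything other than in-sync entries was found."""
    return bool(diff["missing_on_primary"] or diff["missing_on_secondary"]
                or diff["mismatched"])


if __name__ == "__main__":
    result = compare_members(PRIMARY_SAMPLE, SECONDARY_SAMPLE)
    print("\n".join(format_report(result)))
    # Non-zero exit lets the script gate a monitoring check or a runbook step.
    sys.exit(1 if has_problems(result) else 0)
```

In real use, capture each member's output with the same command and on the same VDOM, then compare; run it again after 'diagnose sys ha checksum recalculate' or after the certificate bundle has been refreshed to confirm the object is back in sync.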

 

The following command can also be run on both firewalls to force the checksums to be recalculated:

 

diagnose sys ha checksum recalculate

 

If these steps do not resolve the issue, open a ticket with Fortinet TAC.

Collect the output of the following commands on both cluster members (primary and secondary) so that TAC can troubleshoot further:


diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hasync -1
diagnose debug application hatalk -1
execute ha synchronize start

 

To disable debugging afterwards:

 

diagnose debug disable
diagnose debug reset

 

To resolve the problem, run 'execute update-now' on the current primary to make sure it holds the most recent FortiGuard bundle, then reboot the current primary. Once the secondary has taken over, run the same command on the new primary; after the former primary rejoins the cluster, the members should be in sync. Related article: Technical Tip: HA Synchronization failure due to the 'vpn.certificate.ca' object.