FortiGate
achacon
Staff
Article Id 415515
Description This article describes an expected behavior of FortiGates on cloud platforms: HA goes out of sync when an IP address is configured on an IPsec tunnel interface.
Scope FortiGate-VM v7.4 and v7.6 in Cloud environments
Solution

In HA deployments on cloud platforms, HA goes out of sync when an IP address is configured on an IPsec tunnel interface, for example:

 

config system interface
    edit "IPsec interface"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set type tunnel
        set remote-ip 10.255.255.254 255.255.255.0
    next
end


On cloud platforms, the two HA members may reside on different networks depending on the deployment, so by design interface IP addresses are not synchronized on these platforms. The 'remote-ip' setting, however, can only be committed on a tunnel interface that already has an IP address defined with 'set ip'. Because 'set ip' is not synchronized to the secondary, 'set remote-ip' fails there, the secondary's configuration no longer matches the primary's, and HA reports out of sync.

 

Below are the platforms on which interface IP addresses are not synchronized:

  • FGT_ARM64_AZURE
  • FGT_ARM64_GCP
  • FGT_VM64_ALI
  • FGT_VM64_AZURE
  • FGT_VM64_GCP
  • FGT_VM64_IBM
  • FGT_VM64_RAXONDEMAND

 

The issue can be verified by enabling the following debug on the secondary unit and then applying the change on the primary (the write arrives on the secondary through /bin/hasync):

 

diagnose debug reset
diagnose debug cli 7
diagnose debug cmdb-trace 1
diagnose debug enable


FGT-B #  0: config system interface
0: edit "IPsec interface"
0: set ip 10.255.255.1 255.255.255.255
0: set remote-ip 10.255.255.254 255.255.255.0
-118: end
cmdbsvr recv req_type=21(CMDB_REQ_WRITE_CONFIG) from pid=2403(/bin/hasync)
cmdbsvr recv req_type=21(CMDB_REQ_WRITE_CONFIG) from pid=2403(/bin/hasync)

 

Each echoed command is prefixed with its return code; 0 means success. The line '-118: end' indicates that the commit returned an error: 'set remote-ip' was rejected because the tunnel interface on the secondary has no IP address.

 

The workaround is to manually configure the IP fields ('set ip' and 'set remote-ip') on the tunnel interface of the secondary unit.
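The following Python script is an added example and not part of the original article or Fortinet's own tooling. It shows both halves of the procedure above: scanning captured 'diagnose debug cli' output from the secondary for commands whose return code is non-zero (such as '-118: end'), and generating from the primary's 'config system interface' output the 'set ip' / 'set remote-ip' lines that must be re-entered by hand on the secondary. The debug output and primary configuration embedded below are constructed samples modelled on the article; interface names, ports and addresses in them are assumptions.

```python
import re

# Constructed sample: 'diagnose debug cli 7' output captured on the secondary
# while the primary pushed the tunnel interface change over HA sync.
SAMPLE_DEBUG_OUTPUT = """\
FGT-B #  0: config system interface
0: edit "IPsec interface"
0: set ip 10.255.255.1 255.255.255.255
0: set remote-ip 10.255.255.254 255.255.255.0
-118: end
cmdbsvr recv req_type=21(CMDB_REQ_WRITE_CONFIG) from pid=2403(/bin/hasync)
"""

# Constructed sample: the relevant part of 'show system interface' on the primary.
# "port1" and its address are assumptions, as is binding the tunnel to port1.
SAMPLE_PRIMARY_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.1.4 255.255.255.0
        set type physical
    next
    edit "IPsec interface"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set type tunnel
        set remote-ip 10.255.255.254 255.255.255.0
        set interface "port1"
    next
end
"""

# Echoed CLI line: optional "<hostname> #" prompt, then "<return code>: <command>".
CLI_LINE = re.compile(r"^(?:\S+\s*#\s*)?(-?\d+):\s*(.*)$")


def find_failed_commits(debug_output):
    """Return (return_code, command, transaction) for every echoed CLI command
    whose return code is non-zero. 'transaction' is the list of commands since
    the last 'config ...' line, so the failing 'end' can be traced back to the
    'set' lines that caused it. cmdbsvr/hasync lines are not CLI echoes and
    are skipped."""
    failures = []
    transaction = []
    for raw in debug_output.splitlines():
        m = CLI_LINE.match(raw.strip())
        if not m:
            continue
        code, cmd = int(m.group(1)), m.group(2).strip()
        if cmd.startswith("config "):
            transaction = []
        transaction.append(cmd)
        if code != 0:
            failures.append((code, cmd, list(transaction)))
    return failures


def tunnel_ip_workaround(primary_config):
    """Parse 'config system interface' output from the primary and emit the CLI
    to re-enter on the secondary: only tunnel interfaces that carry an IP are
    included, and only their 'ip' and 'remote-ip' fields, since everything else
    on the interface is synchronized normally."""
    interfaces = {}
    name = None
    for line in primary_config.splitlines():
        s = line.strip()
        if s.startswith('edit "') and s.endswith('"'):
            name = s[len('edit "'):-1]
            interfaces[name] = {}
        elif s.startswith("set ") and name is not None:
            key, _, value = s[4:].partition(" ")
            interfaces[name][key] = value
        elif s == "next":
            name = None

    lines = ["config system interface"]
    emitted = 0
    for iface, attrs in interfaces.items():
        if attrs.get("type") != "tunnel" or "ip" not in attrs:
            continue
        emitted += 1
        lines.append(f'    edit "{iface}"')
        lines.append(f'        set ip {attrs["ip"]}')
        if "remote-ip" in attrs:
            lines.append(f'        set remote-ip {attrs["remote-ip"]}')
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) if emitted else ""


if __name__ == "__main__":
    for code, cmd, ctx in find_failed_commits(SAMPLE_DEBUG_OUTPUT):
        print(f"commit failed with {code} at '{cmd}'; transaction was: {ctx}")
    print("Apply on the secondary:")
    print(tunnel_ip_workaround(SAMPLE_PRIMARY_CONFIG))
```

Run the debug capture from the secondary through find_failed_commits() first; a non-zero code on 'end' with 'set remote-ip' in the transaction is the signature described in this article. Paste the output of tunnel_ip_workaround() into the secondary's CLI only after confirming the addresses match what the primary actually has.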

 

A fix that allows 'remote-ip' to be synchronized without first checking for a value in 'set ip' is planned for v8.0.0. Note that even with this fix, the tunnel interface's local IP address ('set ip') will still not be synchronized between HA FortiGates on these cloud platforms.