ezhupa
Staff
Article Id 341895
Description This article describes an issue where FortiGate-120G/121G fails to get HA in sync after upgrading to v7.2.9.
Scope FortiGate-120G/121G.
Solution

When upgrading 120G/121G FortiGates in an HA cluster from the v7.0 branch to v7.2.9, some devices might experience HA being out of sync, or the HA GUI page loading incorrectly or not at all.

Check the HA configuration under 'config system ha'.


config system ha
    set group-name <name>
    set mode a-p
    set password ENC 
    set hbdev "ha" 0 <------
    set session-pickup enable
    set override disable
    set priority 1
    set monitor "<port1>" "<port2>" 
end

 

If the 'ha' port or 'mgmt' port is being used as a heartbeat port, users will run into this issue after upgrading to v7.2.9.


In these cases, a valid workaround or a temporary solution is to change the heartbeat port to another port. 

 

config system ha

    set hbdev "port10"

end

 

To avoid a split-brain scenario, do not remove the HA interface while it is up and running. Make sure to add a secondary heartbeat interface as shown below.

 

config sys ha

    set hbdev "ha" 0 "xxxx" 120  <----- Where 'xxxx' is any available port on the FortiGate to be used as a secondary heartbeat interface.

end

 

Users who have not yet upgraded to v7.2.9 and have 'ha' or 'mgmt' as heartbeat ports need to change the heartbeat ports before the upgrade to avoid this issue in v7.2.9.
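
A pre-upgrade check along the lines described above, as an added example (not Fortinet's code): it reads a saved configuration backup as text and reports whether 'ha' or 'mgmt' is a heartbeat device and whether a secondary heartbeat interface has to be added before changing it. The function names and the sample configuration are constructed for illustration, and matching on the exact interface names 'ha' and 'mgmt' is an assumption.

```python
import shlex

AFFECTED = {"ha", "mgmt"}  # heartbeat port names this article names (exact match assumed)

# Constructed sample backup excerpt, not taken from a real device.
SAMPLE = '''config system ha
    set group-name "lab"
    set mode a-p
    set hbdev "ha" 0
    set monitor "port1" "port2"
end
'''

def ha_hbdev(config_text):
    """Return [(interface, priority), ...] from the 'config system ha' block."""
    in_ha, depth = False, 0
    for raw in config_text.splitlines():
        line = raw.split("<--")[0].strip()  # drop arrow annotations as used in the article
        line = line.replace("\u201c", '"').replace("\u201d", '"')  # pasted curly quotes
        if not in_ha:
            in_ha = line.split() in (["config", "system", "ha"], ["config", "sys", "ha"])
        elif line.startswith("config "):
            depth += 1  # nested table inside the HA block
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("set hbdev "):
            pairs = []
            for tok in shlex.split(line)[2:]:
                if tok.isdigit() and pairs and pairs[-1][1] is None:
                    pairs[-1] = (pairs[-1][0], int(tok))  # priority of previous interface
                else:
                    pairs.append((tok, None))
            return pairs
    return []

def pre_upgrade_check(config_text):
    hb = ha_hbdev(config_text)
    affected = [name for name, _ in hb if name in AFFECTED]
    others = [name for name, _ in hb if name not in AFFECTED]
    return {
        "affected": affected,
        "needs_change": bool(affected),
        # Only heartbeat link is affected: add a second one before touching it,
        # otherwise the cluster risks split-brain.
        "add_secondary_first": bool(affected) and not others,
    }

if __name__ == "__main__":
    print(pre_upgrade_check(SAMPLE))
```
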

 

This issue is being investigated under known issue ID 1056138, and the behavior is fixed in versions v7.2.11, v7.4.5 and v7.6.1. If further information regarding the issue is needed, users must open a ticket with the TAC team.

 

Related article:

Troubleshooting Tip: FortiGate-120G/121G high availability cluster out of sync after upgrading to v7...