FortiGate
subramanis
Staff
Article Id 280260
Description: This article describes the issues faced while upgrading the firmware of an HA Cluster.
Scope: FortiGate.
Solution

How to verify that the secondary device in the HA cluster receives the image from the primary during the firmware upgrade.

 

The upgrade process is explained in the following documentation:

Upgrading FortiGates in an HA cluster.

 

[Location A] FGT-I (Active) -------------------------- FGT-II (Standby) [Location B]


Consider a scenario in which the firewalls are placed in different locations. The intermediate devices may cause some issues when transferring the image from primary to secondary while upgrading the firmware. The FortiGate firewall will generate the following errors.

 

Fail to append signature.Send image to HA secondary.
....................................................................................................
timeout for sync image with HA secondary

Image sync error.
Receive abort command from primary.

 

As the firmware upgrade of the HA Cluster was unsuccessful, the device mode needs to be changed from cluster to standalone and each device needs to be upgraded independently.


Enable the following debug commands to check whether the image is sent by the primary and received by the secondary in an HA cluster.

 

diagnose debug enable
diagnose test application hasync 10
diagnose test application hasync 30
diagnose debug application hasync -1

diagnose debug console timestamp enable

 

These are the main traces during image transfer on the primary device.


Send the image to HA secondary:

<hasync> conn=0x93ea9b0 created, nconnections=3
<hasync> conn=0x93ea9b0 connecting, dst=169.254.0.2
<hasync> conn=0x93ea9b0, flen=93194118, sname=/tmp/upgfile.img, rname=/tmp/upgfile.img
<hasync> conn=0x93ea9b0 connected, dst=169.254.0.2
<hasync> conn=0x93ea9b0, conn_buf=0x938a530, all 39 bytes data is sent, has file to send
<hasync> conn=0x93ea9b0 starts writing file '/tmp/upgfile.img', flen=93194118

 

On the secondary, it should show:

 

<hasync> conn=0x8d6e900 created, nconnections=3
<hasync> conn=0x8d6e900 accepted, dst=169.254.0.1
<hasync> conn=0x8d6e900, recv all 39 bytes data. has file data to recv
<hasync> conn=0x8d6e900 starts to recv file '/tmp/upgfile.img', flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=1444, fcur_pos=1444, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=7220, fcur_pos=8664, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=4332, fcur_pos=12996, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=1444, fcur_pos=14440, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=4332, fcur_pos=18772, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=7220, fcur_pos=25992, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=4332, fcur_pos=30324, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=7220, fcur_pos=37544, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=4332, fcur_pos=41876, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=7220, fcur_pos=49096, flen=93194118


'upgfile.img' is the image file.

 

If the secondary is not receiving 'upgfile.img', troubleshooting needs to be done to resolve connectivity issues.
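One way to check a saved secondary-side capture for transfer progress, as an added example (not Fortinet code and not part of the original article): it parses the `recv fname=... fcur_pos=... flen=...` lines shown above and reports whether the image arrived in full. The function name, the result fields and the assumption that the line format is stable are illustrative; the second sample trace is constructed.

```python
import re

# Line formats are taken from the secondary-side traces shown in this article;
# treating them as stable across FortiOS versions is an assumption.
START_RE = re.compile(r"<hasync> conn=0x[0-9a-f]+ starts to recv file '([^']+)', flen=(\d+)")
RECV_RE = re.compile(r"<hasync> conn=0x[0-9a-f]+, recv fname='([^']+)', "
                     r"bytes=(\d+), fcur_pos=(\d+), flen=(\d+)")

def summarize_image_sync(trace, fname="/tmp/upgfile.img"):
    """Summarize how much of `fname` a secondary-side hasync capture shows as received."""
    s = {"started": False, "flen": None, "received": 0, "chunks": 0,
         "consistent": True, "complete": False, "remaining": None}
    for line in trace.splitlines():
        m = START_RE.search(line)
        if m and m.group(1) == fname:
            s["started"], s["flen"] = True, int(m.group(2))
            continue
        m = RECV_RE.search(line)
        if not m or m.group(1) != fname:
            continue
        nbytes, pos, flen = (int(g) for g in m.group(2, 3, 4))
        # Once tracking has begun, each chunk must advance the position by exactly `bytes`.
        gap = (s["started"] or s["chunks"]) and pos != s["received"] + nbytes
        if gap or (s["flen"] is not None and flen != s["flen"]):
            s["consistent"] = False
        s["received"], s["flen"] = pos, flen
        s["chunks"] += 1
    if s["flen"] is not None:
        s["remaining"] = s["flen"] - s["received"]
        s["complete"] = s["remaining"] == 0
    return s

# Excerpt copied from the secondary trace in this article (transfer still in progress).
ARTICLE_EXCERPT = """\
<hasync> conn=0x8d6e900 starts to recv file '/tmp/upgfile.img', flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=1444, fcur_pos=1444, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=7220, fcur_pos=8664, flen=93194118
<hasync> conn=0x8d6e900, recv fname='/tmp/upgfile.img', bytes=4332, fcur_pos=12996, flen=93194118
"""

# Constructed sample (not real device output): a small transfer that runs to completion.
CONSTRUCTED_COMPLETE = """\
<hasync> conn=0x1 starts to recv file '/tmp/upgfile.img', flen=3000
<hasync> conn=0x1, recv fname='/tmp/upgfile.img', bytes=1444, fcur_pos=1444, flen=3000
<hasync> conn=0x1, recv fname='/tmp/upgfile.img', bytes=1444, fcur_pos=2888, flen=3000
<hasync> conn=0x1, recv fname='/tmp/upgfile.img', bytes=112, fcur_pos=3000, flen=3000
"""

if __name__ == "__main__":
    for name, trace in (("article", ARTICLE_EXCERPT), ("constructed", CONSTRUCTED_COMPLETE)):
        print(name, summarize_image_sync(trace))
```

A capture in which `started` is false, or in which `remaining` stays above zero when the primary reports the sync timeout, indicates that the image did not arrive over the heartbeat path.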

 

Related article:

Technical Tip: FortiGate HA upgrade procedure and the status during the upgrade.