FortiGate
vbarrios
Staff
Article Id 352382
Description This article describes how to fix an HA out-of-sync condition caused by a mismatch in the 'set password-expire' setting, where the admin credentials also do not work on the Secondary unit.
Scope FortiGate.
Solution

Under System -> HA in the FortiGate GUI, the cluster is shown as out of sync, and the table reported as out of sync is system.admin.

 

In such a case, check the admin configuration by running the command 'show system admin':

 

FGVM02TM22026828-VBA~IOS # show system admin
config system admin
 edit "admin"
  set accprofile "super_admin"
  set vdom "root"
  set password-expire 2025-01-30 03:10:00
end

 

Because there was no access to the Secondary unit, it was not possible to confirm which date/time is set with 'password-expire' on the peer unit, which might be mismatching, so the value could not be adjusted manually.
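When the configuration of both cluster members is available (for example from configuration backups, which was not the case here), the mismatching attribute can be located by comparing the 'config system admin' tables. The Python below is an added example, not part of the original article or any Fortinet tooling; the function names are hypothetical and the Secondary unit's value is constructed for illustration.

```python
# Added example: diff the 'config system admin' table of two HA members.
PRIMARY = '''\
config system admin
 edit "admin"
  set accprofile "super_admin"
  set vdom "root"
  set password-expire 2025-01-30 03:10:00
end
'''
# Constructed sample: the secondary's value is an assumption for illustration.
SECONDARY = PRIMARY.replace("03:10:00", "03:10:07")

def parse_admin_table(config_text):
    """Return {admin_name: {setting: value}} from 'show system admin' output."""
    admins, current, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested sub-table inside an admin entry
        elif line == "end":
            if depth == 0:
                break                       # end of the admin table itself
            depth -= 1
        elif depth > 0:
            continue                        # ignore settings of nested sub-tables
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, *rest = line.split(None, 2)
            admins[current][key] = rest[0] if rest else ""
    return admins

def diff_admin_tables(primary_text, secondary_text):
    """Return sorted (admin, setting, primary_value, secondary_value) mismatches."""
    a, b = parse_admin_table(primary_text), parse_admin_table(secondary_text)
    return [(admin, key, a.get(admin, {}).get(key), b.get(admin, {}).get(key))
            for admin in sorted(set(a) | set(b))
            for key in sorted(set(a.get(admin, {})) | set(b.get(admin, {})))
            if a.get(admin, {}).get(key) != b.get(admin, {}).get(key)]

if __name__ == "__main__":
    for admin, key, pri, sec in diff_admin_tables(PRIMARY, SECONDARY):
        print(f"{admin}: {key} primary={pri!r} secondary={sec!r}")
```

A value of None on one side means the setting is absent on that unit, which is the state the primary is in after 'unset password-expire'.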

 

To fix the authentication and HA out-of-sync issues, apply the following:

 

  1. Remove the 'password-expire' command from the primary unit: 

 

FGVM02TM22026828-VBA~IOS # config system admin

FGVM02TM22026828-VBA~IOS (admin) # edit admin

FGVM02TM22026828-VBA~IOS (admin) # unset password-expire

FGVM02TM22026828-VBA~IOS (admin) # end

 

  2. Recalculate the checksum:

 

FGVM02TM22026828-VBA~IOS # diagnose sys ha checksum recalculate

 

  3. Run the following commands to debug HA synchronization and force a sync:

 

FGVM02TM22026828-VBA~IOS # diagnose debug app hasync 25
FGVM02TM22026828-VBA~IOS # diagnose debug enable
FGVM02TM22026828-VBA~IOS # execute ha synchronize start

 

Check with the command 'get system ha status' until both devices are shown as back in the in-sync state.
