jclar
Staff
Article Id 383335
Description This article describes how to troubleshoot when the logical SN or vSN does not appear in the GUI or CLI of a FortiGate A-P HA cluster.
Scope FortiGate v7.2.9, v7.4.6, v7.6.1 and later.
Solution

As part of a new feature in the new firmware, HA SKU devices have been deployed, which consist of 2 FortiGate HA A-P clusters with a single FortiGuard service license.

Note:

Follow this guide to configure HA SKU devices to obtain the logical SN: Single FortiGuard license for FortiGate A-P HA cluster

config system ha
    set mode a-p
    set group-id <id>
    set group-name <group-name>
    set password ********
    set hbdev <HA interface 1> <priority 1> [HA interface 2] [priority 2]
    set logical-sn enable
end

In this scenario, the HA SKU devices were not registered correctly because logical-sn was not enabled before the FortiGates were connected in the HA cluster. As a result, the FortiGates need to be deregistered: Deregistering a FortiGate

As per the admin guide, a FortiGate can be manually deregistered if the device has been registered for more than three years. If the devices are newly purchased and have already been registered, a customer service ticket can be created for assistance with deregistering.

Once the device has been deregistered, follow the admin guide for registration. However, in some instances similar to this one, the user did not receive the logical SN after following the admin guide.

Below are the steps to follow.

  1. A customer support ticket may be raised for assistance with registering the HA SKU devices. Once registered, the logical SN will be visible on the customer’s registration dashboard.

Sample:

  • Logical SN: FGT71FHA25xxxxxx
  • Device 1: FGT71FTK22xxxxx0
  • Device 2: FGT71FTK22xxxxx4

  2. Verify whether the logical SN or vSN appears in the HA status.

In the scenario below, the logical SN does not appear in the HA status in the CLI and GUI. The licenses do not seem to sync on the FortiGate.

Sample output:

diag sys ha dump-by debug-zone
            HA information.
is_manage_primary=1,manage_vd=root,ip=169.254.0.1,num=2,nvcluster=1,jiffies=7498132.
No logical serial number,retry times=10
     FGT71FTK22xxxxx0, 0,0,00,10,0,7.6.3462,0,0,1,0.
     FGT71FTK22xxxxx4, 1,5,00,10,0,7.6.3462,1,17,1,0.
vcluster_id=1.
     FGT71FTK22xxxxx0, 0,0.
     FGT71FTK22xxxxx4, 1,1.
            wan1 ifindex=5    phyindex=0    mac=94.f3.92.52.e1.66
            wan2 ifindex=6    phyindex=1    mac=94.f3.92.52.e1.67
             dmz ifindex=7    phyindex=2    mac=94.f3.92.52.e1.68
       internal1 ifindex=8    phyindex=3    mac=94.f3.92.52.e1.69
       internal2 ifindex=9    phyindex=4    mac=94.f3.92.52.e1.6a
       internal3 ifindex=10   phyindex=5    mac=94.f3.92.52.e1.6b
       internal4 ifindex=11   phyindex=6    mac=94.f3.92.52.e1.6c
       internal5 ifindex=12   phyindex=7    mac=94.f3.92.52.e1.6d
               a ifindex=13   phyindex=8    mac=94.f3.92.52.e1.6e
               b ifindex=14   phyindex=9    mac=94.f3.92.52.e1.6f
ha_upgrade_state=0,ha_managed_by_fmg=0

‘get sys ha status’ also does not reflect the logical SN.

In this case, run the debug commands below.

diag debug reset
diag debug dis
diag debug app update -1
diag debug en
exec update-now

Output:

upd_act_HA_contract_info[725]-ContractItem FGT71FTK22xxxxx0* FGT71FTK22xxxxx4
upd_comm_connect_fds[457]-Trying FDS 173.243.129.6:443
tcp_connect_fds[260]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
upd_act_HA_contract_info[747]-Error updating FSCI -1
upd_comm_connect_fds[457]-Trying FDS 173.243.140.6:443
tcp_connect_fds[260]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
upd_act_HA_contract_info[747]-Error updating FSCI -1
__update_upd_comp_by_settings[511]-Disabling FMWPDB components.
do_update[755]-UPDATE failed

If the same error persists after ensuring that the FortiGates are registered via the HA SKU process, try rebooting the firewalls.
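
As an added example (not Fortinet tooling and not part of the original article), the Python script below triages a pasted CLI capture for the two symptoms shown above: the "No logical serial number" line in the HA dump and failed FortiGuard (FDS) TCP connections in the update debug. The function name triage, the report keys and the SAMPLE capture (assembled from this article's outputs) are assumptions made for illustration.

```python
import re

# Patterns copied from the two sample outputs in this article.
NO_VSN = re.compile(r"No logical serial number,retry times=(\d+)")
FDS_TRY = re.compile(r"upd_comm_connect_fds\[\d+\]-Trying FDS (\S+:\d+)")
FDS_FAIL = re.compile(r"upd_comm_connect_fds\[\d+\]-Failed TCP connect")
FSCI_ERR = re.compile(r"upd_act_HA_contract_info\[\d+\]-Error updating FSCI")
UPD_FAIL = re.compile(r"do_update\[\d+\]-UPDATE failed")

# Constructed sample: lines from the article's outputs, pasted as one capture.
SAMPLE = """\
No logical serial number,retry times=10
upd_act_HA_contract_info[725]-ContractItem FGT71FTK22xxxxx0* FGT71FTK22xxxxx4
upd_comm_connect_fds[457]-Trying FDS 173.243.129.6:443
tcp_connect_fds[260]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
upd_act_HA_contract_info[747]-Error updating FSCI -1
upd_comm_connect_fds[457]-Trying FDS 173.243.140.6:443
tcp_connect_fds[260]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
upd_act_HA_contract_info[747]-Error updating FSCI -1
do_update[755]-UPDATE failed
"""

def triage(text):
    """Summarise a pasted capture of the HA dump and/or update debug output."""
    report = {"vsn_missing": False, "vsn_retries": None,
              "fds_unreachable": [], "fsci_errors": 0, "update_failed": False}
    pending = None  # FDS endpoint named by the most recent "Trying FDS" line
    for line in text.splitlines():
        if m := NO_VSN.search(line):
            report["vsn_missing"], report["vsn_retries"] = True, int(m.group(1))
        elif m := FDS_TRY.search(line):
            pending = m.group(1)
        elif FDS_FAIL.search(line) and pending:
            # A failed connect is attributed to the endpoint tried just before it.
            report["fds_unreachable"].append(pending)
            pending = None
        elif FSCI_ERR.search(line):
            report["fsci_errors"] += 1
        elif UPD_FAIL.search(line):
            report["update_failed"] = True
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A report with vsn_missing set and every attempted FDS endpoint listed under fds_unreachable matches the failure shown in this article.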
