|
Logical SN is enabled under HA config as per the CLI Reference guide: config system ha
config system ha
...
set logical-sn enable
...
end
By default, the setting is logical-sn disable. However, the feature would not work as expected: The license would not be reflected on the FortiGate. The command 'get system ha status’ output does not reflect the logical Serial Number.
diagnose debug disable
diagnose debug reset
diagnose debug app update -1
diagnose debug enable
execute update-now
Enabling the above debugs would generate the following logs.
upd_act_HA_contract_info[739]-Error updating FSCI -1
No valid cluster key as logical-sn is enabled.
No valid cluster key as logical-sn is enabled.
To disable debug:
diagnose debug disable
diagnose debug reset
The feature was originally implemented in v6.2.0 but was disabled due to errors. The command would still appear; however feature is disabled.
The support was added back in v7.2.9; however, 100F and 101F do not yet support the feature. This is added as a known issue in v7.2.9 and a known issue in v7.2.10.
This known issue with ID 1137565 for 10xF models, where the logical-sn command is missing and is fixed in versions 7.2.12 (expected release in the first week of September 2025), v7.4.8, and v7.6.3. Refer to the release notes for further information.
Note:
If the FortiGate can not be upgraded to the fixed FortiOS version due to a license issue, as shown in the screenshot below, here are the steps to resolve this issue:
- Disassociate the FortiGate from the VSN SN. It looks like this: FG100FHA250----From the FortiCloud portal, use the 'Dismiss HA' button to try to remove the VSN, or if needed, open a ticket with CS. CS will help to de-register the FortiGate in question.
- Upgrade the firmware to the GA build, which has the fix, and ensure that the logical-sn is properly configured under the HA setting.
- Generate an HA cluster using a preregistered FortiGate serial number as per the document: Generating an HA cluster - FortiCloud documentation.
- Run the command 'get system ha status' to verify if the logical serial is seen:
get system ha status
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group Name: Branch1-HA
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 2h:33m:2s
Cluster state change time: 2024-11-19 13:57:31
Primary selected using:
<2024/11/19 13:57:31> vcluster-1: FGT100FTK22023xxx is selected as the primary because its override priority is larger than peer member FGT100FTK20000xxx.
<2024/11/19 11:26:06> vcluster-1: FGT100FTK22023xxx is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FGT100FTK22023xxx(updated 1 seconds ago): in-sync
FGT100FTK22023xxx chksum dump: 0e 4c b5 56 80 be bf 20 8e e5 ad d5 59 ea 5d b3
FGT100FTK20000xxx(updated 0 seconds ago): out-of-sync
FGT100FTK20000xxx chksum dump: d1 31 59 fc 0b 91 12 ca 92 69 62 d2 9f b7 a3 c3
System Usage stats:
FGT100FTK22023xxx(updated 1 seconds ago):
sessions=18, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
FGT100FTK20000xxx(updated 0 seconds ago):
sessions=4, average-cpu-user/nice/system/idle=6%/0%/6%/87%, memory=24%
HBDEV stats:
FGT100FTK22023xxx(updated 1 seconds ago):
internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=1492065/22100/0/0, tx=20442845/47022/0/0
FGT100FTK20000xxx(updated 0 seconds ago):
internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=24954361/57802/0/0, tx=1804396/27277/0/0
number of member: 2
80FASAAA , FGT100FTK22023xxx, HA cluster index = 0
FGT-D , FGT100FTK20000xxx, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGT100FTK22023xxx, HA operating index = 0
Secondary: FGT100FTK20000xxx, HA operating index = 1
Logical Serial Number: FGT100FHA24090xxx
Related article:
Single FortiGuard license for FortiGate A-P HA cluster - FortiGate 7.4.8 administration guide
|
