FortiGate
sramachandran

Description


This article describes how to troubleshoot a configuration checksum mismatch between the units of a FortiGate HA cluster.
When the checksums differ, the HA units must be brought back into sync manually: locate the mismatched configuration object and correct it, using the steps below.


Solution

Step 1:

Check the checksums of each cluster unit and compare them to find where the mismatch is:

# diag sys ha checksum cluster

================== FGT1 =================
is_manage_master()=0, is_root_master()=0

debugzone

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f

checksum

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f

================== FGT2 ==================

is_manage_master()=1, is_root_master()=1

debugzone

global: 89 f2 f0 0b e8 eb 0d ee f8 55 8b 47 27 7a 27 1e
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: a7 8d cc c7 32 b5 81 a2 55 49 52 21 57 f9 3c 3b

checksum

global: 89 f2 f0 0b e8 eb 0d ee f8 55 8b 47 27 7a 27 1e
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: a7 8d cc c7 32 b5 81 a2 55 49 52 21 57 f9 3c 3b

Step 2:

In the output above, the mismatch is in the global checksum.

Now run the following command on both the Master and the Slave unit:

# diag sys ha checksum show <VDOM_NAME>

For example:

# diag sys ha checksum show global

Since the mismatch in this example is in global, run the command for the global VDOM on both units. The output below comes from the cached form of the command, which lists one checksum per path.object in that VDOM:

FGT_1 #diag sys ha checksum cached global
system.global: d6c216d8449d75b2cd80110fa02a85e5
system.accprofile: 7df6f055a28e5d5216c4d2c2b3ee77d1
system.npu: 7df6f055a28e5d5216c4d2c2b3ee77d1
system.vdom-link: 7df6f055a28e5d5216c4d2c2b3ee77d1
wireless-controller.global: 7df6f055a28e5d5216c4d2c2b3ee77d1
wireless-controller.vap: cda65c180c25050eb83398fa23ab7fd1
system.switch-interface: cda65c180c25050eb83398fa23ab7fd1
system.interface: 56f2362fd69f51a2b6fc22a008c0c755
system.password-policy: 56f2362fd69f51a2b6fc22a008c0c755
system.sms-server: 56f2362fd69f51a2b6fc22a008c0c755
system.fsso-polling: af9c2b4f63e40551e33eabd64436fb3e
system.ha: ddfeff2ae037f615fbd83110169b70d2

FGT_2 #diag sys ha checksum cached global
system.global: d6c216d8449d75b2cd80110fa02a84e5
system.accprofile: 7df6f055a28e5d5216c4d2c2b3ee77d1
system.npu: 7df6f055a28e5d5216c4d2c2b3ee77d1
system.vdom-link: 7df6f055a28e5d5216c4d2c2b3ee77d1
wireless-controller.global: 7df6f055a28e5d5216c4d2c2b3ee77d1
wireless-controller.vap: cda65c180c25050eb83398fa23ab7fd1
system.switch-interface: cda65c180c25050eb83398fa23ab7fd1
system.interface: 56f2362fd69f51a2b6fc22a008c0c755
system.password-policy: 56f2362fd69f51a2b6fc22a008c0c755
system.sms-server: 56f2362fd69f51a2b6fc22a008c0c755
system.fsso-polling: af9c2b4f63e40551e33eabd64436fb3e
system.ha: ddfeff2ae037f615fbd83110169b70d2


Then compare the two outputs to find the configuration object whose checksum differs between the Master and the Slave.

In the example output above, the checksum differs for system.global, which is the "Admin Settings" object.

Step 3:

To find the exact mismatch within the admin settings, run the command below on both the Master and the Slave unit:

# diag sys ha checksum show global <object_name>

Copy and paste the path.object name exactly as it appears in the checksum cached output (system.global in this example):

FGT1 #diag sys ha checksum show global system.global
[admin-server-cert]='Fortinet_Factory': f9d23d8f459c415d1742630c4c0cd99d
[admintimeout]='380': 8041fc04d56bd268f40fafc37b5fd078
[alias]='FGVM010000087496': a47b05f1b3646431fb078469cfca3225
[fgd-alert-subscription]='advisory latest-threat': e15ed9aae8a488d992774994c36566b1
[timezone]='04': 5af081b7089c3f69917ea509f3cb5e6d

FGT2 #diag sys ha checksum show global system.global
[admin-server-cert]='Fortinet_Factory': f9d23d8f459c415d1742630c4c0cd99d
[admintimeout]='380': 8041fc04d56bd268f40fafc37b5fd079
[alias]='FGVM010000087496': a47b05f1b3646431fb078469cfca3225
[fgd-alert-subscription]='advisory latest-threat': e15ed9aae8a488d992774994c36566b1
[timezone]='04': 5af081b7089c3f69917ea509f3cb5e6d
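Comparing the outputs by eye works for a short list, but the cached output of a busy VDOM can run to hundreds of objects. The script below performs the comparisons of Steps 1 to 3 offline: it parses the cluster-level output to report which zone (global, root, all) disagrees between units, and diffs the per-object and per-attribute checksum lists to name the exact mismatch. This is an added example, not Fortinet's code; it assumes the text of the three diagnose commands has been pasted from each unit into a string, and every sample in it is constructed to mirror the article's figures.

```python
"""Offline comparison of FortiGate HA checksum output from two cluster members.

Added example, not Fortinet's code. It assumes the text printed by
"diag sys ha checksum cluster", "diag sys ha checksum cached <vdom>" and
"diag sys ha checksum show <vdom> <object>" was pasted from each unit into
a string; every sample below is constructed to mirror the article's output.
"""
import re
from typing import Dict, List, Tuple

# Step 1 format: "=== UNIT ===" headers, then "debugzone"/"checksum" sections with
# "global|root|all: <bytes>" lines; the stray second colon seen after "global"
# in real output is tolerated.
UNIT_RE = re.compile(r"^=+\s*(?P<unit>\S+)\s*=+$")
ZONE_RE = re.compile(r"^(?P<zone>global|root|all)\s*:\s*:?\s*"
                     r"(?P<sum>[0-9a-f]{2}(?: [0-9a-f]{2})*)$")
# Step 2/3 format: "<path.object>: <32 hex>" or "[attribute]='value': <32 hex>".
OBJ_RE = re.compile(r"^(?P<key>.+?)\s*:\s*(?P<sum>[0-9a-f]{32})$")


def parse_cluster(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Map unit -> section -> zone -> checksum (hex with spaces removed)."""
    units: Dict[str, Dict[str, Dict[str, str]]] = {}
    unit = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNIT_RE.match(line):
            unit, section = m.group("unit"), None
            units[unit] = {}
        elif unit is not None and line in ("debugzone", "checksum"):
            section = line
            units[unit][section] = {}
        elif unit is not None and section is not None and (m := ZONE_RE.match(line)):
            units[unit][section][m.group("zone")] = m.group("sum").replace(" ", "")
    return units


def mismatched_zones(text: str, section: str = "checksum") -> List[str]:
    """Zones whose checksum is not identical on every unit, sorted by name."""
    units = parse_cluster(text)
    zones = {z for u in units.values() for z in u.get(section, {})}
    return sorted(z for z in zones
                  if len({u.get(section, {}).get(z) for u in units.values()}) > 1)


def parse_object_checksums(text: str) -> Dict[str, str]:
    """Map each object path or [attribute]='value' key to its checksum."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        if m := OBJ_RE.match(raw.strip()):  # prompt and blank lines do not match
            sums[m.group("key")] = m.group("sum")
    return sums


def diff_object_checksums(a: str, b: str) -> List[Tuple[str, str, str]]:
    """(key, checksum on a, checksum on b) for keys that differ or exist on one side."""
    sa, sb = parse_object_checksums(a), parse_object_checksums(b)
    return [(k, sa.get(k, "<missing>"), sb.get(k, "<missing>"))
            for k in sorted(set(sa) | set(sb)) if sa.get(k) != sb.get(k)]


# Constructed sample of "diag sys ha checksum cluster" before the fix (status and blank lines dropped).
CLUSTER_BEFORE = """\
================== FGT1 =================
debugzone
global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f
checksum
global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f
================== FGT2 ==================
debugzone
global: 89 f2 f0 0b e8 eb 0d ee f8 55 8b 47 27 7a 27 1e
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: a7 8d cc c7 32 b5 81 a2 55 49 52 21 57 f9 3c 3b
checksum
global: 89 f2 f0 0b e8 eb 0d ee f8 55 8b 47 27 7a 27 1e
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: a7 8d cc c7 32 b5 81 a2 55 49 52 21 57 f9 3c 3b
"""
# Constructed samples of "diag sys ha checksum cached global" on each unit (prompt line kept).
FGT1_CACHED = """\
FGT_1 #diag sys ha checksum cached global
system.global: d6c216d8449d75b2cd80110fa02a85e5
system.switch-interface:cda65c180c25050eb83398fa23ab7fd1
system.ha: ddfeff2ae037f615fbd83110169b70d2
"""
FGT2_CACHED = FGT1_CACHED.replace("FGT_1", "FGT_2").replace("fa02a85e5", "fa02a84e5")
# Constructed samples of "diag sys ha checksum show global system.global" on each unit.
FGT1_SHOW = """\
[admin-server-cert]='Fortinet_Factory': f9d23d8f459c415d1742630c4c0cd99d
[admintimeout]='380': 8041fc04d56bd268f40fafc37b5fd078
[timezone]='04': 5af081b7089c3f69917ea509f3cb5e6d
"""
FGT2_SHOW = FGT1_SHOW.replace("7b5fd078", "7b5fd079")

if __name__ == "__main__":
    print("zones out of sync:", mismatched_zones(CLUSTER_BEFORE))
    for key, a, b in (diff_object_checksums(FGT1_CACHED, FGT2_CACHED)
                      + diff_object_checksums(FGT1_SHOW, FGT2_SHOW)):
        print(f"{key}: FGT1={a} FGT2={b}")
```

Run it as-is to see the sample diff, or replace the constants with the output copied from the cluster. The object-level diff also reports keys present on only one unit, which is the case to look for when an object was created on one member and never replicated, and the zone parser reads both the debugzone and checksum sections so the two can be compared separately.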

 

Step 4:

In the output above, the mismatch is in admintimeout. Manually check the admin timeout setting on both the Master and the Slave unit and correct it.

Reconfiguring the out-of-sync object manually should trigger re-synchronization automatically.

Verify that the cluster is synchronized again using the following command:

# diag sys ha checksum cluster

================== FGT1 =================
is_manage_master()=0, is_root_master()=0

debugzone

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f

checksum

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f

================== FGT2 ==================

is_manage_master()=1, is_root_master()=1

debugzone

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f

checksum

global: : 79 24 76 8a a8 03 9a 81 dc c4 3c f8 96 72 59 11
root: cf 85 55 fe a7 e5 7c 6f a6 88 e5 a9 ea 26 e6 92
all: f4 62 b2 ce 81 9a c9 04 8f 67 07 ec a7 44 60 1f