FortiGate
smaruvala
Staff
Article Id 364217
Description: This article explains that the group name in the HA configuration is case-sensitive, and shows how two FortiGates whose group names differ only in letter case fail to form a cluster and end up in a split-brain scenario.
Scope: FortiGate.
Solution
  • One of the conditions for two FortiGates to form an HA cluster is that both are configured with the same group name. The group name is case-sensitive, so a difference in letter case alone is treated as a different group name: the HA connection never comes up, each unit keeps running as a standalone primary, and the user may experience a split-brain scenario.
  • For example, below is the HA configuration from two FortiGate devices. The group names are spelled the same but differ in letter case ('SAmple' versus 'Sample'); every other HA setting, including group-id, mode and heartbeat interface, is identical.

chameleon-kvm183 # show system ha
    config system ha
        set group-id 100
        set group-name "SAmple"
        set mode a-p
        set hbdev "port2" 0
        set override disable
    end


chameleon-kvm182 # show system ha
    config system ha
        set group-id 100
        set group-name "Sample"
        set mode a-p
        set hbdev "port2" 0
        set override disable
    end
  • The HA status output from both devices shows that each unit sees only one cluster member and considers itself the primary ("selected as the primary because it's the only member in the cluster"), which is the split-brain scenario.

chameleon-kvm182 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: Sample
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 0h:1m:21s
Cluster state change time: 2024-12-11 22:08:06
Primary selected using:
<2024/12/11 22:08:06> vcluster-1: xxxxxxxxxxxxxxxxxxx is selected as the primary because it's the only member in the cluster.
<2024/12/11 22:07:55> vcluster-1: xxxxxxxxxxxxxxxxxxx is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
System Usage stats:
xxxxxxxxxxxxxxxxxxx(updated 4 seconds ago):
sessions=18, average-cpu-user/nice/system/idle=2%/0%/2%/96%, memory=47%
HBDEV stats:
xxxxxxxxxxxxxxxxxxx(updated 4 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=117746/273/0/0, tx=179429/445/0/0
number of member: 1
chameleon-kvm182, xxxxxxxxxxxxxxxxxxx, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: xxxxxxxxxxxxxxxxxxx, HA operating index = 0
chameleon-kvm183 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: SAmple
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 0h:1m:41s
Cluster state change time: 2024-12-11 22:08:19
Primary selected using:
<2024/12/11 22:08:19> vcluster-1: yyyyyyyyyyyyyyyyyyy is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
System Usage stats:
yyyyyyyyyyyyyyyyyyy(updated 0 seconds ago):
sessions=17, average-cpu-user/nice/system/idle=3%/0%/3%/93%, memory=47%
HBDEV stats:
yyyyyyyyyyyyyyyyyyy(updated 0 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=278891/641/0/0, tx=229816/556/0/0
number of member: 1
chameleon-kvm183, yyyyyyyyyyyyyyyyyyy, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: yyyyyyyyyyyyyyyyyyy, HA operating index = 0
  • Debugging the hatalk process (the HA heartbeat daemon) does not help here: it shows no error pointing to a case mismatch of the HA group name, and each unit simply keeps reporting itself as primary.

chameleon-kvm182 # diagnose debug console timestamp enable

chameleon-kvm182 # diagnose debug application hatalk -1
Debug messages will be on for 30 minutes.

chameleon-kvm182 # diagnose debug enable
chameleon-kvm182 # 2024-12-11 22:17:08 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984228
2024-12-11 22:17:18 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984238
2024-12-11 22:17:28 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984248
2024-12-11 22:17:38 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984258
2024-12-11 22:17:48 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984268
2024-12-11 22:17:58 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984278
2024-12-11 22:18:08 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984288
  • Manually verify that the letter case of the group name matches exactly between the two nodes (compare 'show system ha' on both units, or the 'Group Name:' line of 'get system ha status').
  • A packet capture on the heartbeat interface can also be taken to see what information each device is sending to the other; because hatalk logs nothing about the mismatch, the capture is where the values each unit is advertising can be compared.
  • Below is an example of a packet capture on the HB interface.

(Screenshot: HA_GroupName_Mismatch_Capture.png)
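As an added example that is not part of the original article and not FortiOS code or a Fortinet tool, the following Python script automates the manual check described above: it parses the 'show system ha' output of two nodes, reports any must-match setting that differs, and calls out a group name that differs only in letter case, since that is the mismatch a human reviewer most easily misses. It also scans 'get system ha status' output for the split-brain signature seen above (each node sees one member and names its own serial as Primary). The sample outputs are constructed from the configurations and status shown in this article; the hostnames and placeholder serials follow the article.

```python
"""Detect a case-only HA group-name mismatch between two FortiGate nodes.

Added example for this article; it is not FortiOS code or a Fortinet tool.
Feed it the text of 'show system ha' and 'get system ha status' copied from
each node. The samples below are constructed from the outputs shown in the
article (hostnames and placeholder serials follow the article)."""
import re
from typing import Dict, List

# Constructed sample: 'show system ha' from each node, as in the article.
NODE_A = """config system ha
    set group-id 100
    set group-name "SAmple"
    set mode a-p
    set hbdev "port2" 0
    set override disable
end
"""
NODE_B = NODE_A.replace('"SAmple"', '"Sample"')

# Constructed, abbreviated 'get system ha status' from each node.
STATUS_A = """Group Name: SAmple
number of member: 1
chameleon-kvm183, yyyyyyyyyyyyyyyyyyy, HA cluster index = 0
Primary: yyyyyyyyyyyyyyyyyyy, HA operating index = 0
"""
STATUS_B = """Group Name: Sample
number of member: 1
chameleon-kvm182, xxxxxxxxxxxxxxxxxxx, HA cluster index = 0
Primary: xxxxxxxxxxxxxxxxxxx, HA operating index = 0
"""

# Settings that must be identical before two units will form a cluster.
MUST_MATCH = ("group-id", "group-name", "mode", "hbdev")

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")
MEMBERS_RE = re.compile(r"^number of member:\s*(\d+)", re.M)
MEMBER_RE = re.compile(r"^[^,\s]+,\s*([^,\s]+),\s*HA cluster index", re.M)
PRIMARY_RE = re.compile(r"^Primary:\s*([^,\s]+),", re.M)


def parse_ha_config(text: str) -> Dict[str, str]:
    """Return {setting: value} from 'show system ha' output, quotes stripped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).replace('"', "")
    return settings


def compare_ha(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """List every must-match setting that differs between the two configs.

    A value that is equal except for letter case is reported separately:
    FortiOS treats it as an ordinary mismatch and hatalk logs no hint, so
    it is the case a human reviewer most easily misses."""
    findings = []
    for key in MUST_MATCH:
        va, vb = a.get(key), b.get(key)
        if va == vb:
            continue
        if va is not None and vb is not None and va.lower() == vb.lower():
            findings.append(f"{key}: case-only mismatch {va!r} vs {vb!r}")
        else:
            findings.append(f"{key}: mismatch {va!r} vs {vb!r}")
    return findings


def is_split_brain(status_outputs: List[str]) -> bool:
    """True when two or more nodes each see exactly one member and each names
    its own serial as Primary, the signature in the article's status output."""
    if len(status_outputs) < 2:
        return False
    for text in status_outputs:
        count = MEMBERS_RE.search(text)
        own = MEMBER_RE.search(text)
        primary = PRIMARY_RE.search(text)
        if not (count and own and primary):
            return False
        if int(count.group(1)) != 1 or own.group(1) != primary.group(1):
            return False
    return True


if __name__ == "__main__":
    cfg_a, cfg_b = parse_ha_config(NODE_A), parse_ha_config(NODE_B)
    for finding in compare_ha(cfg_a, cfg_b):
        print(finding)
    print("split-brain:", is_split_brain([STATUS_A, STATUS_B]))
```

Paste the real output of both units in place of the constructed samples (for example, captured over SSH from each management address); the script runs offline and needs nothing beyond the standard library. The case-insensitive comparison is deliberately reported as its own finding rather than folded into a generic mismatch, because the only remediation is to retype the group name on one unit, whereas a group-id or hbdev mismatch points at a different part of the configuration.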