wdeloraine_FTNT
Article Id 329036
Description: This article describes how the confsync process is designed inside a chassis-based FortiGate.
Scope: FortiGate 6000 and 7000 series, FortiOS 6.0.6 and later.
Solution

FortiOS chassis version 6.0.6 introduced a new concept for configuration synchronization between the elements inside a chassis as well as between the two chassis of an FGCP cluster. This is called the two-layer confsync.

The two-layer confsync mechanism is based on two configuration synchronizations: one is performed locally within the chassis, and the other is performed remotely between chassis.

The primary chassis syncs the configuration inside its own chassis. It also sends the configuration change to the secondary chassis; afterwards, the primary FIM / MBD on the secondary chassis pushes the change inside its own chassis.

Configuration sync within a chassis is one of the two layers, and configuration sync between chassis is the other layer.

Two-layer confsync diagram for a 7000E chassis:

confsync-global.png

This process is based on a TCP connection over port 720.

Connections can be dumped with the following command:

diagnose test application confsyncd 1

Below is an example of the connections between chassis; the inter-chassis network is 169.254.0.X:

diagnose test application confsyncd 1 <- On the primary unit.

dump connections:

FG76SNSNSNSN:

        fd=17, state=2(ready), hbdev='elbc-base-ctrl', peer_ip=169.254.0.2, keepalive_nr=59575, last_keepalive_time=107256.24

        small_recv_buf=0x194dafdc, large_recv_buf=(nil), recv_buf=0x194dafdc, recv_buf_sz=32768, use_large_recv_buf_nr=0

diagnose test application confsyncd 1 <- On the secondary unit.

dump connections:

FG76ESNSNSNSN:

        fd=22, state=2(ready), hbdev='elbc-base-ctrl', peer_ip=169.254.0.1, keepalive_nr=54134, last_keepalive_time=108348.48

        small_recv_buf=0x1b39994c, large_recv_buf=(nil), recv_buf=0x1b39994c, recv_buf_sz=32768, use_large_recv_buf_nr=22

Below is an example of the connections within one chassis; the intra-chassis network is 169.254.2.X:

diagnose test application confsyncd 1

FIM01SNSNSNSN:

        fd=18, state=2(ready), hbdev='elbc-b-chassis', peer_ip=169.254.2.16, keepalive_nr=22669, last_keepalive_time=107255.05

        small_recv_buf=0x194e30ac, large_recv_buf=(nil), recv_buf=0x194e30ac, recv_buf_sz=32768, use_large_recv_buf_nr=0

FPM20SNSNSNSN:

        fd=24, state=2(ready), hbdev='elbc-b-chassis', peer_ip=169.254.2.6, keepalive_nr=22517, last_keepalive_time=107254.52

        small_recv_buf=0x199e897c, large_recv_buf=(nil), recv_buf=0x199e897c, recv_buf_sz=32768, use_large_recv_buf_nr=0

FPM20SNSNSNSN:

        fd=19, state=2(ready), hbdev='elbc-b-chassis', peer_ip=169.254.2.3, keepalive_nr=22406, last_keepalive_time=107253.02

        small_recv_buf=0x199caf9c, large_recv_buf=(nil), recv_buf=0x199caf9c, recv_buf_sz=32768, use_large_recv_buf_nr=0

FPM20SNSNSNSN:

        fd=21, state=2(ready), hbdev='elbc-b-chassis', peer_ip=169.254.2.4, keepalive_nr=22619, last_keepalive_time=107253.04

        small_recv_buf=0x199e08ac, large_recv_buf=(nil), recv_buf=0x199e08ac, recv_buf_sz=32768, use_large_recv_buf_nr=0

FPM20SNSNSNSN:

        fd=25, state=2(ready), hbdev='elbc-b-chassis', peer_ip=169.254.2.5, keepalive_nr=22411, last_keepalive_time=107253.02

        small_recv_buf=0x199f0a4c, large_recv_buf=(nil), recv_buf=0x199f0a4c, recv_buf_sz=32768, use_large_recv_buf_nr=0
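
As an added example (not part of the article or of FortiOS), a small Python parser for the 'diagnose test application confsyncd 1' output shown above: it classifies each connection as between-chassis or within-chassis using the 169.254.0.X and 169.254.2.X networks the article gives, and flags any peer whose state is not ready. The /24 masks and the non-ready state label in the constructed sample are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Confsync layer by heartbeat network (169.254.0.X between chassis, 169.254.2.X
# within a chassis per the article; the /24 masks are assumed here).
LAYER_NETS = {
    "between-chassis": ip_network("169.254.0.0/24"),
    "within-chassis": ip_network("169.254.2.0/24"),
}

# Constructed sample in the format of 'diagnose test application confsyncd 1';
# the second peer carries a hypothetical non-ready state label.
SAMPLE_DUMP = """dump connections:
FG76SNSNSNSN:
        fd=17, state=2(ready), hbdev='elbc-base-ctrl', peer_ip=169.254.0.2, keepalive_nr=59575, last_keepalive_time=107256.24
        small_recv_buf=0x194dafdc, large_recv_buf=(nil), recv_buf=0x194dafdc, recv_buf_sz=32768, use_large_recv_buf_nr=0
FPM20SNSNSNSN:
        fd=19, state=1(connecting), hbdev='elbc-b-chassis', peer_ip=169.254.2.3, keepalive_nr=0, last_keepalive_time=0.00
        small_recv_buf=0x199caf9c, large_recv_buf=(nil), recv_buf=0x199caf9c, recv_buf_sz=32768, use_large_recv_buf_nr=0
"""

HDR_RE = re.compile(r"^(\S+):$")                # "FG76SNSNSNSN:" opens a peer block
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,\s]+)")  # key=value pairs, quoted or bare

def parse_confsync_dump(text):
    """Return one dict per peer connection, keyed by the dump's own field names."""
    peers, current = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            peers.append(current)
        elif current is not None and line.startswith(" "):
            for key, val in KV_RE.findall(line):
                current[key] = val.strip("'")
    return peers

def layer_of(peer):
    """Classify a connection as between- or within-chassis by its peer_ip."""
    ip = ip_address(peer["peer_ip"])
    return next((n for n, net in LAYER_NETS.items() if ip in net), "unknown")

def check_peers(peers):
    """Return (layer, peer, problem) for every connection that needs attention."""
    findings = []
    for p in peers:
        layer = layer_of(p)
        if not p.get("state", "").endswith("(ready)"):
            findings.append((layer, p["peer"], "state %s, not ready" % p.get("state")))
        if layer == "unknown":
            findings.append((layer, p["peer"], "peer_ip %s on no known network" % p["peer_ip"]))
    return findings
```

Paste a live dump in place of SAMPLE_DUMP; every peer should come back in state ready and every peer_ip should fall on one of the two networks.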

To troubleshoot any confsync issue, the checksums should be compared:

  • confsync checksums are locally significant: they are not used to check synchronization between multiple chassis.
  • The HA checksum should be used to compare checksums between multiple chassis.
  • The value from the command 'diagnose sys ha checksum cluster' should match on all chassis.
  • The command to get the confsync checksum is 'diagnose sys confsync showcsum'.

checksum-02.png

This can be confirmed with the output of the following command:

get system ha status

Picture6.png