FortiGate
syadav
Staff
Article Id 340000
Description

This article describes how to resolve a known issue that users might encounter with FortiGate 120G or 121G units in a high-availability (HA) cluster after upgrading to FortiOS v7.2.9 or v7.2.10.

Scope

FortiGate-120G and FortiGate-121G, FortiOS v7.2.9 and v7.2.10.

Solution

Known issue #1056138 affects the FortiGate-120G/121G models on FortiOS v7.2.9 and v7.2.10 in a high availability cluster when the 'ha' or 'mgmt' port is used as the heartbeat interface.

This causes the following issues:

  • The high availability cluster does not synchronize configuration changes.
  • The System -> HA web GUI page gets stuck loading.
  • Logging in to the secondary device from the primary with the 'execute ha manage' command fails.
  • Upgrading the cluster firmware from the GUI fails.

It does NOT cause split-brain or prevent cluster failover: the heartbeat link itself stays up, only the status and configuration synchronization over it is broken.

Consider the following scenario:

The high availability cluster consists of two FortiGate 120Gs (FG120GTKXXYYZZ50 and FG120GTKXXYYZZ59).


The following output shows that the HA cluster is unable to retrieve full status information from the secondary:

get sys ha status

HA Health Status: OK
Model: FortiGate-120G
Mode: HA A-A
<output omitted>
Primary selected using:
    <2024/07/16 17:30:22> vcluster-1: FG120GTKXXYYZZ50 is selected as the primary because its override priority is larger than peer member FG120GTKXXYYZZ59.
    <2024/07/16 17:29:02> vcluster-1: FG120GTKXXYYZZ50 is selected as the primary because it's the only member in the cluster.
<output omitted>
Configuration Status:
    FG120GTKXXYYZZ50(updated 1 seconds ago): in-sync
    FG120GTKXXYYZZ50 chksum dump: 29 e0 e4 32 6c 76 99 68 2b ed 8b bc c1 2d 2c 37
    FG120GTKXXYYZZ59(updated 1721194954 seconds ago): out-of-sync
    FG120GTKXXYYZZ59 chksum dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
System Usage stats:
    FG120GTKXXYYZZ50(updated 1 seconds ago):
        sessions=5, average-cpu-user/nice/system/idle=0%/0%/4%/96%, memory=14%
    FG120GTKXXYYZZ59(updated 1721194954 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/0%, memory=0%
HBDEV stats:
    FG120GTKXXYYZZ50(updated 1 seconds ago):
        ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=121750988/234138/0/0, tx=120280738/235391/0/0
    FG120GTKXXYYZZ59(updated 1721194954 seconds ago):
Primary : FortiGate-120G , FG120GTKXXYYZZ50, HA cluster index = 1
Secondary : , FG120GTKXXYYZZ59, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG120GTKXXYYZZ50, HA operating index = 0
Secondary: FG120GTKXXYYZZ59, HA operating index = 1

 

In the output above, the primary holds no current data for the secondary (FG120GTKXXYYZZ59): its status was "updated 1721194954 seconds ago", its checksum dump is all zeros, its HBDEV stats are empty, and its model name is missing from the "Secondary :" line. 1721194954 seconds is roughly 54.5 years and corresponds to a Unix time in July 2024, the month of the log timestamps shown, which is consistent with a "last updated" timestamp of zero: the primary has never received a status update from the secondary. At the same time the 'ha' heartbeat interface on the primary is up and is passing traffic in both directions with no drops or errors, so the link itself works; it is the status and configuration synchronization over it that is failing.
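To spot this symptom in captured output without reading the whole dump, the following Python script (an added example, not part of the article or of FortiOS) parses the "Configuration Status" block of 'get sys ha status' and flags any member whose checksum is all zeros or whose "updated N seconds ago" age is too large to be a real age. The sample text is constructed from the output above, and the one-year staleness threshold is an assumption of the example.

```python
"""Flag cluster members that the primary has never received status from.

Added example, not part of the original article or of FortiOS. It parses the
'Configuration Status' block of 'get sys ha status' output and reports members
whose checksum dump is all zeros, or whose 'updated N seconds ago' value is so
large that it can only be the current Unix time, i.e. a zero last-update stamp.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the output shown in the article.
SAMPLE_OUTPUT = """\
HA Health Status: OK
Model: FortiGate-120G
Mode: HA A-A
 Configuration Status:
    FG120GTKXXYYZZ50(updated 1 seconds ago): in-sync
    FG120GTKXXYYZZ50 chksum dump: 29 e0 e4 32 6c 76 99 68 2b ed 8b bc c1 2d 2c 37
   FG120GTKXXYYZZ59(updated 1721194954 seconds ago): out-of-sync
    FG120GTKXXYYZZ59 chksum dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
System Usage stats:
    FG120GTKXXYYZZ50(updated 1 seconds ago):
"""

# Assumed threshold: no live cluster member is legitimately a year out of date.
# The article's 1721194954 (Unix time for July 2024) is far beyond it.
STALE_SECONDS = 365 * 24 * 3600

STATUS_RE = re.compile(r"^\s*(\S+)\(updated (\d+) seconds ago\): (in-sync|out-of-sync)\s*$")
CHKSUM_RE = re.compile(r"^\s*(\S+) chksum dump: ((?:[0-9a-f]{2}\s*)+)$", re.IGNORECASE)


@dataclass
class MemberStatus:
    serial: str
    age_seconds: int
    state: str
    checksum: str = ""

    @property
    def never_synced(self) -> bool:
        # An empty or all-zero checksum means no configuration digest was received.
        zero_checksum = set(self.checksum.split()) <= {"00"}
        return zero_checksum or self.age_seconds > STALE_SECONDS


def parse_config_status(text: str) -> dict[str, MemberStatus]:
    """Return one MemberStatus per serial found in the 'Configuration Status' block."""
    members: dict[str, MemberStatus] = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Configuration Status:":
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line.startswith(" "):
            break  # reached the next top-level section, e.g. 'System Usage stats:'
        m = STATUS_RE.match(line)
        if m:
            serial, age, state = m.groups()
            members[serial] = MemberStatus(serial, int(age), state)
            continue
        m = CHKSUM_RE.match(line)
        if m and m.group(1) in members:
            members[m.group(1)].checksum = m.group(2).strip()
    return members


def unreachable_members(text: str) -> list[str]:
    """Serials whose status the primary has evidently never received."""
    return sorted(s for s, ms in parse_config_status(text).items() if ms.never_synced)


if __name__ == "__main__":
    for serial, ms in parse_config_status(SAMPLE_OUTPUT).items():
        flag = "NO STATUS RECEIVED" if ms.never_synced else "ok"
        print(f"{serial}: {ms.state}, updated {ms.age_seconds}s ago -> {flag}")
```

Run it against the saved output of 'get sys ha status' from the primary; on a healthy cluster both members show small ages and non-zero checksums, and on a cluster hit by this issue the secondary is flagged even when 'HA Health Status' still reports OK.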

 

The issue occurs because, when 'ha' or 'mgmt' is used as the heartbeat interface, the MAC address of the logical HA interface 'port_ha' is not updated, so the cluster members cannot exchange status and configuration over the heartbeat even though the heartbeat link is up.

If the issue appeared after an upgrade, it is possible to recover by reverting each unit to the previous working firmware and configuration.

 

A temporary workaround is to not use the 'ha' or 'mgmt' interfaces as heartbeat interfaces and to configure another physical port as the heartbeat interface instead. A maintenance window and local console access to each unit are required when making this change: because the cluster is not synchronizing configuration, the heartbeat setting must be updated on each device separately.

 

This issue is fixed in FortiOS v7.4.5 and is scheduled to be fixed in v7.2.11 and v7.6.1.

However, cluster firmware upgrade jobs will time out while the cluster is affected by this issue, so the units must be upgraded individually.

For example, isolate the secondary from the network and upgrade it to an unaffected firmware version such as v7.4.5, then upgrade the primary, and re-form the cluster once both units are running the fixed firmware.