FortiGate
ataha
Staff
Article Id 399156
Description

This article describes the steps to resolve FortiGate High Availability (HA) synchronization issues caused by a dynamic-capability parameter mismatch between the primary and secondary FortiGate. The article provides a solution to identify and resolve the mismatch, ensuring HA synchronization and stability.

Scope

FortiGate, FortiSwitch

Solution

Dynamic-capability values are set by default and cannot be changed; the parameter is non-configurable. This article provides a solution for when this value does not match across the HA pair.

To resolve the HA synchronization issue caused by a dynamic-capability parameter mismatch, follow these steps:

  1. Run the command 'get system status' on both FortiGates to verify the system status.
  2. Check the FortiSwitch configuration and ensure that the dynamic-capability parameters match on both FortiGates. In this case, the dynamic-capability parameters are mismatched between the two firewalls.
  3. Recalculate the checksum.
  4. If the parameters still do not match after recalculating, try rebooting the secondary FortiGate or failing over so that the secondary FortiGate becomes the primary, to synchronize the HA cluster.
  5. Monitor the HA cluster for stability after making the changes. Additionally, try running the 'diagnose debug report' command on both switches to gather more information about the issue.

In this example, the checksum does not match:

[Image: Picture1_community.png]

[Image: Picture2_community.png]

Dynamic-capability value mismatch:

[Image: Picture3_com.PNG]

[Image: picture4_com.PNG]
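
As an added illustration of the comparison in step 2 (not part of the original article and not Fortinet code), the following Python script reports every managed FortiSwitch whose dynamic-capability value differs between configuration text saved from the primary and the secondary. The sample configuration and serial numbers are constructed, and the layout (a 'set dynamic-capability' line under each 'config switch-controller managed-switch' entry) is an assumption.

```python
# Constructed sample (not captured from a device). Assumption: each entry under
# "config switch-controller managed-switch" carries "set dynamic-capability <hex>".
PRIMARY_CFG = '''
config switch-controller managed-switch
    edit "S248EPTF00000001"
        set dynamic-capability 0x000000000003ffff
        config ports
            edit "port1"
                set vlan "default"
            next
        end
    next
    edit "S124EPTF00000002"
        set dynamic-capability 0x000000000001ffff
    next
end
'''
# Secondary differs only in the second switch's value.
SECONDARY_CFG = PRIMARY_CFG.replace("1ffff", "0ffff")


def parse_dynamic_capability(cfg_text):
    """Map managed-switch ID -> dynamic-capability value from config text."""
    values, current, depth = {}, None, 0
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1                      # entering a (possibly nested) table
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')   # top-level switch entry only
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current and line.startswith("set dynamic-capability "):
            values[current] = line.split(None, 2)[2].strip('"').lower()
    return values


def find_mismatches(primary_cfg, secondary_cfg):
    """Return {switch_id: (primary_value, secondary_value)} where the two differ.
    A switch present on only one unit is reported with None for the other."""
    p = parse_dynamic_capability(primary_cfg)
    s = parse_dynamic_capability(secondary_cfg)
    return {sw: (p.get(sw), s.get(sw))
            for sw in sorted(set(p) | set(s)) if p.get(sw) != s.get(sw)}


if __name__ == "__main__":
    for sw, (pv, sv) in find_mismatches(PRIMARY_CFG, SECONDARY_CFG).items():
        print(f"{sw}: primary={pv} secondary={sv}")
```

An empty result means the values agree on both units, so any remaining checksum difference lies elsewhere in the configuration.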
