FortiGate
rmetzger
Staff
Article Id 189469

Description

 
This article describes a simple procedure to verify that all FortiGate devices in an HA cluster are synchronized.

Note that all commands are entered in global mode if VDOMs are enabled (as shown in the following examples).
 
The following commands are listed in this article:
 

get system ha status

diagnose sys ha checksum cluster

execute ha synchronize start/stop

execute ha manage <id> <admin name>

 

Reminder: The following command can be used to connect to the Secondary device CLI from the Primary CLI:
 
execute ha manage <id> <admin name>
 
Here, <id> is the ID of the subsidiary unit, as listed by the command 'execute ha manage ?'.

Step 1:
At the initial HA configuration, any new device that joins a cluster in a Secondary role displays the following message sequence on the console. This sequence indicates a successful cluster formation.

secondary's configuration is not in sync with primary's, sequence:0
secondary's configuration is not in sync with primary's, sequence:1
secondary's configuration is not in sync with primary's, sequence:2
secondary's configuration is not in sync with primary's, sequence:3
secondary's configuration is not in sync with primary's, sequence:4
secondary starts to sync with primary
logout all admin users
secondary succeeded to sync with primary

Step 2:
On an operational HA cluster, the following command allows verification of the HA status:

  1. Output example from the Primary:
 
get system ha status


Model: 300
Mode: a-p
Group: 30
Debug: 0
ses_pickup: disable
Primary:200 FGT300-5 FG300A3906550380 0
Secondary :128 FGT300-2 FG300A2904500186 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary:0 FG300A3906550380
Secondary :1 FG300A2904500186

 

  2. Output example from the Secondary:


get system ha status

 

Model: 300
Mode: a-p
Group: 30
Debug: 0
ses_pickup: disable
Secondary:128 FGT300-2 FG300A2904500186 1
Primary:200 FGT300-5 FG300A3906550380 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Secondary:1 FG300A2904500186
Primary:0 FG300A3906550380


Step 3:
On an operational HA cluster, the following command allows verification that all devices have the same configuration.

The following example shows a FortiGate running with multiple VDOMs, with the configuration checksums being identical on both devices for all of the VDOMs.

  1. Getting the HA checksums on the Primary.
 
diagnose sys ha checksum cluster


global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65

checksum
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65

 

  2. Getting the HA checksums on the Secondary (and comparing with the Primary):


diagnose sys ha checksum cluster

 


global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65

checksum
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
root: f3 a7 72 9a f8 8a 42 f3 80 77 89 a3 eb d9 09 2b
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
INTERNET: f9 32 66 b4 d6 6d 2e 0a 42 59 11 c2 4c 85 53 f8
DMZ: 30 96 97 69 ff 07 32 bd 6c 84 0c 5c 4a 13 78 92
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65


Any checksum difference between Primary and Secondary indicates a synchronization problem. Configuration synchronization can be forced with the following command:

 

execute ha synchronize start

If further problems are experienced, it is recommended to open a ticket with Fortinet TAC and attach the information that has been gathered.
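
The Step 3 comparison can be scripted when the output of 'diagnose sys ha checksum cluster' has been captured from each unit. The following is an added example, not Fortinet code: the function names and the block numbering are assumptions, the Primary capture reuses values from this article, and the Secondary capture is constructed to show a mismatch.

```python
import re

# One "scope: 16 hex bytes" line, in the layout of this article's sample output.
LINE = re.compile(r"^\s*([^:\s]+):\s+((?:[0-9a-f]{2}\s+){15}[0-9a-f]{2})\s*$", re.I)

def parse_checksums(text):
    """Map (block, scope) -> checksum hex string.

    Block 0 is the list before the bare 'checksum' line, block 1 the list after it.
    """
    found, block = {}, 0
    for line in text.splitlines():
        if line.strip() == "checksum":
            block += 1
            continue
        m = LINE.match(line)
        if m:
            found[(block, m.group(1))] = "".join(m.group(2).split()).lower()
    return found

def out_of_sync(primary_text, secondary_text):
    """Return sorted (block, scope) keys that differ or exist on one unit only."""
    p, s = parse_checksums(primary_text), parse_checksums(secondary_text)
    if not p or not s:
        # An empty capture (wrong command, cut-off session) must not read as "in sync".
        raise ValueError("no checksum lines found in one of the captures")
    return sorted(k for k in p.keys() | s.keys() if p.get(k) != s.get(k))

# Primary capture: values copied from this article (three scopes kept for brevity).
PRIMARY = """\
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65

checksum
global: e5 45 87 ff 9d 4b d5 dc 37 98 ce bd 53 c0 75 70
LAN: a5 f8 cf 4c 98 3b 25 b7 22 3b 17 f6 76 8e b0 3c
all: 4b a1 24 73 2b 3a 86 71 a8 9a 98 22 15 1c 76 65
"""
# Secondary capture: CONSTRUCTED by altering the LAN and all checksums.
SECONDARY = (PRIMARY
             .replace("a5 f8 cf 4c", "00 11 22 33")
             .replace("4b a1 24 73", "44 55 66 77"))

if __name__ == "__main__":
    for block, scope in out_of_sync(PRIMARY, SECONDARY):
        print(f"MISMATCH block {block} scope {scope}")
```

A VDOM that appears on only one unit is reported as a mismatch, which narrows down where to look before forcing a synchronization.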

 
