sgursimran
Staff
Article Id 331269
Description

This article describes how to troubleshoot a FortiGate that fails to join an HA cluster when an additional VDOM license has been purchased.

This problem is commonly observed when attempting to re-introduce an RMA replacement FortiGate into an existing HA cluster that is already using additional VDOM licenses.

Scope

FortiGate HA cluster.

Solution

While adding the new FortiGate into the HA cluster, it may fail to join the HA cluster even though a valid VDOM license is applied to the device in FortiCare.

 

Debug output for hatalk can be enabled with these CLI commands:

 

diagnose debug reset
diagnose debug application hatalk -1
diagnose debug enable

 

Depending on which device the output is taken from, the hatalk debug will show one of the following messages:

  • HA cannot be formed because this box has <M> vdoms. It exceeds the maximum number of vdoms allowed on the HA peer '<serial number>', which only allows maximum <N> vdoms.
  • HA cannot be formed because the HA peer '<serial number>' has <M> vdoms. It exceeds the maximum number of vdoms allowed on this box, which only allows maximum <N> vdoms.

VDOM licenses and license keys are specific to a device's serial number. The key must also be re-applied manually if a device is factory reset or has the boot device formatted. If an HA device is replaced because of a hardware fault and had a purchased VDOM license, contact Fortinet Support for assistance with transferring the license to the new device's serial number and acquiring a new license key.

 

Verify on each unit whether the number of licensed VDOMs is correctly reflected. Run the command 'get system status' and look for the line 'Max number of virtual domains:'.

If the number of supported VDOMs is incorrect, the license key must be retrieved and manually applied to the unit following the article Technical Tip: How to activate a VDOM license from CLI.

 

If uploading the license key from the CLI fails, verify the key is correct and the license matches the device's serial number. Verify the administrator account has global scope and permissions to enter diagnostic commands.

 

secondary # config global

secondary (global) # execute upd-vd-license XXXX-YYYY-ZZZZ-X

decode vdom license key failed

Command fail. Return code -1003

 

If the key is correct, upload the same license key via the Web GUI, under Global VDOM > System > FortiGuard > Virtual Domain.

 


 

Verify again by running 'get system status' and look for the line below:

 

Max number of virtual domains:

 

This shows the current number of configurable VDOMs for the device. Once the VDOM license is applied and matched, the FortiGates will form the HA cluster successfully.
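As an added example (not from the article or from Fortinet), a small Python checker that pulls the 'Max number of virtual domains:' value out of each member's 'get system status' output and parses the two hatalk messages quoted above, so the limits of both units can be compared without reading screenshots. The sample status excerpts, unit names and serial numbers are constructed.

```python
import re

# Constructed sample `get system status` excerpts from two cluster members
# (only the line the article tells you to check is required).
PRIMARY_STATUS = "Virtual domain configuration: multiple\nMax number of virtual domains: 25\n"
SECONDARY_STATUS = "Virtual domain configuration: multiple\nMax number of virtual domains: 10\n"

MAX_VDOM_RE = re.compile(r"^Max number of virtual domains:\s*(\d+)\s*$", re.M)

# Both hatalk messages in the article share one shape; the peer's serial number
# appears on whichever side the message calls 'the HA peer'.
HATALK_RE = re.compile(
    r"HA cannot be formed because "
    r"(?:this box|the HA peer '(?P<peer_a>[^']+)') has (?P<have>\d+) vdoms\. "
    r"It exceeds the maximum number of vdoms allowed on "
    r"(?:this box|the HA peer '(?P<peer_b>[^']+)'), "
    r"which only allows maximum (?P<allow>\d+) vdoms\."
)

def licensed_vdoms(status_output):
    """Return the 'Max number of virtual domains' value, or None if the line is absent."""
    m = MAX_VDOM_RE.search(status_output)
    return int(m.group(1)) if m else None

def parse_hatalk(line):
    """Parse one 'HA cannot be formed' hatalk line; None for unrelated debug lines."""
    m = HATALK_RE.search(line)
    if not m:
        return None
    return {
        # 'this box' is the unit the debug was taken on; 'peer' is the other member
        "oversized_side": "peer" if m.group("peer_a") else "this box",
        "peer_serial": m.group("peer_a") or m.group("peer_b"),
        "configured": int(m.group("have")),
        "allowed": int(m.group("allow")),
    }

def find_mismatch(status_by_unit):
    """Compare VDOM limits across members: (True, msg) if equal, else (False, which unit to fix)."""
    limits = {unit: licensed_vdoms(text) for unit, text in status_by_unit.items()}
    missing = [unit for unit, n in limits.items() if n is None]
    if missing:
        return False, "no 'Max number of virtual domains' line on: " + ", ".join(missing)
    if len(set(limits.values())) == 1:
        return True, "all members report %d VDOMs" % next(iter(limits.values()))
    lowest = min(limits, key=limits.get)
    return False, "VDOM limit mismatch %s; re-apply the VDOM license key on %s" % (limits, lowest)
```

Paste each unit's 'get system status' output into the dictionary passed to find_mismatch; the unit it names is the one whose license key needs to be re-applied.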

 

Note:

In an already deployed HA cluster where only one member has a valid VDOM license and license key applied, configuring additional VDOMs may cause the cluster not to form and enter a 'split-brain' condition. See the article Technical Tip: Maximum VDOM mismatch causes HA split-brain when additional VDOMs are configured.