FortiGate
kaurg_FTNT
Staff
Article Id 339427
Description This article discusses the HA out-of-sync issue seen after upgrading to v7.2.6 and v7.4.4.
Scope FortiGate v7.2, v7.4.
Solution
  • After upgrading to FortiOS v7.2.6 or v7.4.4, a synchronization issue occurs in High Availability (HA) setups.
  • The problem is identified as a checksum mismatch related to split-port interfaces on managed FortiSwitches.
  • The checksum calculation shows a mismatch on the split-port interfaces of the managed FortiSwitch.
  • The difference in the checksum is attributed to a different order of the command 'set fec-capable'.

Sample config:

Primary Firewall Configuration: [screenshot: Primary.JPG]

Secondary Firewall Configuration: [screenshot: Secondary.JPG]

  • There is no workaround. Therefore, it is recommended to disable split-port on FortiSwitches.
  • The issue is resolved in v7.2.10, v7.4.5 and v7.6.0.
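
An added example, not part of the original article or of Fortinet's tooling: a Python check that tells whether two configuration excerpts (for instance the managed FortiSwitch port section copied from each HA member) differ only in the order of their set lines, as described above for 'set fec-capable'. The excerpts, switch name, port name and setting values are constructed, and SHA-256 stands in for the HA checksum, whose algorithm the article does not give.

```python
import hashlib

def port_config(settings):
    """Render a constructed managed-switch excerpt for one split port."""
    body = "\n".join(" " * 16 + s for s in settings)
    return ('config switch-controller managed-switch\n'
            '    edit "SWITCH-SERIAL-PLACEHOLDER"\n'
            '        config ports\n'
            '            edit "port29.1"\n'
            f'{body}\n'
            '            next\n        end\n    next\nend\n')

# Constructed samples, not the article's screenshots: same settings, with
# 'set fec-capable' emitted at a different position on the secondary.
PRIMARY = port_config(['set vlan "_default"', 'set fec-capable 1', 'set export-to "root"'])
SECONDARY = port_config(['set vlan "_default"', 'set export-to "root"', 'set fec-capable 1'])
CHANGED = port_config(['set vlan "_default"', 'set export-to "root"', 'set fec-capable 0'])

def parse_blocks(text):
    """Map each config/edit path to its ordered list of set/unset lines."""
    blocks, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            path.append(line)
        elif line in ("next", "end") and path:
            path.pop()
        elif line.startswith(("set ", "unset ")):
            blocks.setdefault(" / ".join(path), []).append(line)
    return blocks

def checksum(text, ignore_order=False):
    """SHA-256 stand-in for an order-sensitive configuration checksum."""
    h = hashlib.sha256()
    for path, lines in sorted(parse_blocks(text).items()):
        ordered = sorted(lines) if ignore_order else lines
        h.update("\n".join([path, *ordered, ""]).encode())
    return h.hexdigest()

def classify(a_text, b_text):
    """Return (verdict, paths of blocks that differ only in line order)."""
    a, b = parse_blocks(a_text), parse_blocks(b_text)
    if a == b:
        return "identical", []
    if checksum(a_text, True) != checksum(b_text, True):
        return "content-differs", []
    return "order-only", [p for p in a if a[p] != b[p]]

if __name__ == "__main__":
    print(classify(PRIMARY, SECONDARY), classify(PRIMARY, CHANGED))
```

An "order-only" verdict on the split-port blocks matches the behaviour this article describes; "content-differs" points to a real configuration difference that needs separate investigation.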