FortiGate
calink
Staff
Article Id 416007
Description This article describes the steps to troubleshoot and resolve the issue of an HA cluster not synchronizing due to a wanopt mismatch.
Scope FortiGate.
Solution

Go to System -> HA and hover over the Secondary to see what is out of sync.


The 'Not Synchronized' status will show that the checksum of the object 'wanopt.settings' does not match.

The specific checksum can be checked using the following method.

 

From CLI:

Run the command below on both units in the cluster and compare the checksum values:

 

diagnose sys ha checksum show root wanopt.global

 

If the checksums do not match, check each unit in the cluster for differences in the settings and make sure they match on both units. If they are already the same on both units, run the following commands to force a recalculation of the checksums.

 

To resolve the wanopt.settings mismatch, change the host ID from its default value 'default-id' in the WANOpt settings on the primary FortiGate by running the following commands:

 

config wanopt settings

    set host-id temp-id

end

 

Once the change has been made on the Primary FortiGate, recalculate the checksum with the following command:

 

diagnose sys ha checksum recalculate

 

At this point, the cluster should be in sync again.
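
When the checksum output from both units has been saved to text, the comparison step above can be done offline. The following is an added example, not part of the original article or Fortinet tooling; it assumes each saved line has the form `object-name: hex-checksum`, and the function names and sample captures are constructed for illustration.

```python
import re

# Assumed line format of the saved checksum output (an assumption, see lead-in):
#   <object-name>: <hex checksum>
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*([0-9a-fA-F]{8,})\s*$")

def parse_checksums(text):
    """Return {object_name: checksum}; lines that do not fit the format are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise case so a pure upper/lower-case difference is not a mismatch.
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_checksums(primary_text, secondary_text):
    """Return sorted (object, primary_sum, secondary_sum) for every mismatch.
    An object present on only one unit is reported with None for the other side."""
    pri = parse_checksums(primary_text)
    sec = parse_checksums(secondary_text)
    mismatches = []
    for name in sorted(set(pri) | set(sec)):
        if pri.get(name) != sec.get(name):
            mismatches.append((name, pri.get(name), sec.get(name)))
    return mismatches

# Constructed sample captures (not real device output).
PRIMARY = """\
-- capture from primary unit (constructed) --

system.interface: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
wanopt.settings: aaaaaaaa11111111bbbbbbbb22222222
firewall.policy: 1234567890abcdef1234567890abcdef
"""
SECONDARY = """\
-- capture from secondary unit (constructed) --

system.interface: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
wanopt.settings: cccccccc33333333dddddddd44444444
"""

if __name__ == "__main__":
    for name, p, s in diff_checksums(PRIMARY, SECONDARY):
        print(f"{name}: primary={p or 'missing'} secondary={s or 'missing'}")
```

An object reported as missing on one side usually means the capture was truncated, so re-capture before changing any configuration.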