FortiGate
Nivedha
Staff
Article Id 240140
Description This article discusses HA devices that are out of sync after a firmware upgrade.
Scope FortiGate.
Solution

When upgrading an HA cluster using uninterrupted upgrade, both devices should upgrade simultaneously:

Uninterrupted upgrade

 

After the upgrade, the devices may be out of sync when the following occurs:

  1. Only one of the devices is upgraded to the next firmware version.

 

For example, if HA devices are upgraded from v7.0.1 to v7.0.3 and the primary is upgraded to v7.0.3 while the secondary stays on v7.0.1, then:

  1. Boot the primary device to the previous version by selecting the alternate firmware version to boot.
    Technical Tip: Selecting an alternate firmware for the next reboot

    Or:

  2. Remove the secondary from the cluster (Technical Tip: Disconnect a member from a cluster (remove a device from an HA cluster)), upgrade the secondary device, and join it back to the cluster.

 

  2. Due to configuration differences, recalculate the HA checksum on both devices, primary and secondary, using: diagnose sys ha checksum recalculate.

     

Technical Tip: Troubleshooting a checksum mismatch in a FortiGate HA cluster


Run the following commands:

execute ha synchronize stop
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hasync -1
diagnose debug application hatalk -1
execute ha synchronize start

diagnose sys ha checksum recalculate

 

diagnose debug disable   --> To stop the debugs.

 

Allow a couple of minutes to verify the differences in the cluster.

 

  3. Compare the configuration between the two FortiGates in the HA cluster and update the configuration.

Troubleshooting Tip: Allocate config disparity for HA out-of-sync

Procedure for HA manual synchronization - Fortinet Community
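
After the recalculation, comparing the members' checksums per scope narrows down where the configurations still differ before the configs are compared line by line. The following is an added example, not Fortinet's code and not part of the original article: it parses captured output of `diagnose sys ha checksum cluster` (a command this article does not show) and lists the scopes that differ. The serials, checksums and output layout in the sample are constructed assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^=+\s*(\S+)\s*=+$")                    # ==== <serial> ====
SUM = re.compile(r"^([\w.-]+):\s*((?:[0-9a-f]{2} ?){16})$")  # scope: 16 hex bytes

def parse(text):
    """Return {serial: {table: {scope: checksum}}} from captured CLI output."""
    out = defaultdict(lambda: defaultdict(dict))
    serial = table = None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            serial, table = m.group(1), None
        elif line in ("debugzone", "checksum"):
            table = line
        elif serial and table and (m := SUM.match(line)):
            out[serial][table][m.group(1)] = m.group(2).replace(" ", "")
    return out

def mismatches(parsed, table="checksum"):
    """Scopes (global, each VDOM, all) whose checksum differs or is missing on a member."""
    scopes = {s for member in parsed.values() for s in member[table]}
    bad = {}
    for scope in sorted(scopes):
        values = {sn: member[table].get(scope) for sn, member in parsed.items()}
        if len(set(values.values())) > 1:
            bad[scope] = values
    return bad

# Constructed sample: serials and checksums are made up, and the layout is an
# assumption about what `diagnose sys ha checksum cluster` prints.
def _section(serial, primary, root, total):
    sums = f"global: 7e 06 79 02 65 a9 ea e3 68 58 73 c2 33 d0 16 f1\nroot: {root}\nall: {total}\n"
    return (f"================== {serial} ==================\n\n"
            f"is_manage_primary()={primary}, is_root_primary()={primary}\n"
            f"debugzone\n{sums}\nchecksum\n{sums}\n")

SAMPLE = (
    _section("FGT-PRIMARY", 1, "43 2c ee 2c f1 b3 b2 13 ff 37 34 5e 86 11 dc bf",
             "9e 90 32 9b 8b e7 c9 d8 b4 a4 7d 4f 5a b9 1d f3")
    + _section("FGT-SECONDARY", 0, "10 4f a1 77 0c 3d 5e 92 6b 88 e0 15 c4 2a 9d 01",
               "c5 1b 60 2e 97 d4 08 3a f1 7c 44 b9 0e 63 a2 5d"))

if __name__ == "__main__":
    for scope, values in mismatches(parse(SAMPLE)).items():
        print(scope, values)
```

A scope that differs only in `all` and one VDOM, as in the sample, points the configuration comparison at that VDOM rather than at the global settings.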

Note:
To confirm uninterruptible-upgrade is enabled, use the following command:

 

show full system ha | grep uninterruptible-upgrade

 

From FortiOS v7.4.1 and later, the option uninterruptible-upgrade has been replaced with upgrade-mode.

config system ha

    set upgrade-mode {simultaneous | uninterruptible | local-only | secondary-only}

end

 

The default setting for upgrade-mode is uninterruptible, which follows the same behavior as the previous set uninterruptible-upgrade enable. Similarly, the behavior of set uninterruptible-upgrade disable is now mapped to set upgrade-mode simultaneous.

 

Related article:

Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...