FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rk1
Staff
Article Id 192198

Description

This article describes how to troubleshoot an HA out-of-sync issue caused by the 'vpn.certificate.local' object on FortiGate.

Scope

FortiGate v6.2.4.

Solution

The object 'vpn.certificate.local' holds all the local certificates present on the FortiGate. If an HA cluster goes out of sync because of this object, check whether private-data-encryption is enabled under the global settings.

  1. Check whether private-data-encryption is enabled using the following commands:

config system global
show full | grep private

Sample output:

FW1 # config system global

FW1 (global) # show full | grep private

set private-data-encryption enable    <----- Enabled.

  2. Verify whether the checksums of the certificates under the object 'vpn.certificate.local' differ between the cluster units, using the following command on each unit:

diagnose sys ha checksum show root vpn.certificate.local

  3. If private-data-encryption is enabled and the certificate checksums differ, follow these steps:

  • Disable private-data-encryption (set private-data-encryption disable under config system global), then run:

exec ha sync start

diag sys ha checksum cluster    <----- If the checksums are the same, proceed to step 4.

  4. If private-data-encryption is disabled and the certificate checksums differ, follow these steps:

  • Enable private-data-encryption (set private-data-encryption enable under config system global), then run:

exec ha sync start

diag sys ha checksum cluster    <----- Make sure the checksums are the same.


Note:

If private-data-encryption is disabled:

show full | grep private
    set private-data-encryption disable  <---

  • Perform a hard failover on the HA cluster to resolve the issue.
  • Run the following command on the primary FortiGate:

execute ha failover set 1

Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y


  • To stop the failover, run the following command:

execute ha failover unset 1

  • Run the following commands to recalculate the HA checksums and verify the HA status:


diagnose sys ha checksum recalculate

diagnose sys ha checksum show global

get sys ha status
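The checksum comparison the steps above rely on can be scripted over captured CLI output. The following Python script is an added example, not part of the Fortinet article: it parses the text of 'diagnose sys ha checksum cluster' from a cluster and reports which scopes (global, a VDOM, all) differ between members. The member serial numbers and the exact output layout (a '=' header per member, then 'debugzone' and 'checksum' sections with 'scope: hex bytes' lines) are assumed and constructed here.

```python
import re

# Constructed sample output of 'diagnose sys ha checksum cluster' (format and serials assumed,
# not taken from the article): 'global' matches on both members while 'root' and 'all' differ.
SAMPLE_OUTPUT = """\
================== FGVMXXAA00000001 ==================
debugzone
global: 4b 36 a0 11 9c 02 ff 10 3d e1 57 8a 20 bb 4e 01
root: 7c 1e 5a 90 0d 33 ab 2f 61 c8 74 e0 19 52 fe 44
all: 03 4e 7b d0 88 19 2c e5 b7 60 f1 0a 95 3e c6 72
checksum
global: 4b 36 a0 11 9c 02 ff 10 3d e1 57 8a 20 bb 4e 01
root: 7c 1e 5a 90 0d 33 ab 2f 61 c8 74 e0 19 52 fe 44
all: 03 4e 7b d0 88 19 2c e5 b7 60 f1 0a 95 3e c6 72
================== FGVMXXAA00000002 ==================
debugzone
global: 4b 36 a0 11 9c 02 ff 10 3d e1 57 8a 20 bb 4e 01
root: 9e 02 c4 17 58 aa 31 0b 6d f3 2e 84 c0 75 18 d9
all: 5a 6b 10 ee 27 c3 09 84 f2 1d 6e 37 ab 90 c5 e8
checksum
global: 4b 36 a0 11 9c 02 ff 10 3d e1 57 8a 20 bb 4e 01
root: 9e 02 c4 17 58 aa 31 0b 6d f3 2e 84 c0 75 18 d9
all: 5a 6b 10 ee 27 c3 09 84 f2 1d 6e 37 ab 90 c5 e8
"""

HEADER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")          # one block per cluster member
CHECKSUM_RE = re.compile(r"^([\w.-]+):\s+((?:[0-9a-fA-F]{2}\s*)+)$")  # 'scope: hex bytes'

def parse_checksum_cluster(text):
    """Return {member_serial: {scope: hex}} from each member's 'checksum' section."""
    members, current, in_checksum = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:  # new member; its checksums follow the 'checksum' marker
            current, in_checksum = header.group(1), False
            members[current] = {}
        elif line in ("debugzone", "checksum"):
            in_checksum = line == "checksum"
        elif current is not None and in_checksum:
            m = CHECKSUM_RE.match(line)
            if m:
                members[current][m.group(1)] = m.group(2).replace(" ", "").lower()
    return members

def out_of_sync_scopes(members):
    """Scopes (global, a VDOM, all) whose checksum is not identical on every member."""
    scopes = set().union(*(v.keys() for v in members.values()))
    return sorted(s for s in scopes if len({v.get(s) for v in members.values()}) > 1)
```

A scope listed by out_of_sync_scopes is the one to drill into with 'diagnose sys ha checksum show <vdom> <object>', as done for root vpn.certificate.local above.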

Note:
From v6.2.5, the object 'vpn.certificate.local' should stay in sync, and the above steps are no longer needed.