Description
This article describes how to troubleshoot an HA out-of-sync issue caused by the 'vpn.certificate.local' object on a FortiGate.
Scope
FortiGate v6.2.4.
Solution
The 'vpn.certificate.local' object holds all the local certificates present on the FortiGate. If an HA cluster goes out of sync because of the 'vpn.certificate.local' object, first check whether private-data-encryption is enabled under the global settings:
config system global
show full | grep private
Sample output:
FW1 # config system global
FW1 (global) # show full | grep private
set private-data-encryption enable <----- Enabled.
diagnose sys ha checksum show root vpn.certificate.local
exec ha sync start
diag sys ha checksum cluster <----- If the checksums are the same, proceed to step 4.
exec ha sync start
diag sys ha checksum cluster <----- Make sure the checksums are the same.
Note:
If private-data-encryption is disabled:
show full | grep private
set private-data-encryption disable <---
execute ha failover set 1
Caution: This command will trigger an HA failover.
It is intended for testing purposes.
Do you want to continue? (y/n)y
execute ha failover unset 1
diagnose sys ha checksum recalculate
diagnose sys ha checksum show global
get sys ha status
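As an added example (not part of the original article and not Fortinet code), the following Python helper parses the output of 'diag sys ha checksum cluster' collected from the primary and reports which checksum zones differ between cluster members. The sample output, member serial numbers and byte values are constructed here to approximate the command's format and are not taken from a real device.

```python
import re

# Constructed sample of 'diag sys ha checksum cluster' output (not real device data);
# the secondary's root and all checksums differ, global matches.
SAMPLE_OUTPUT = """\
================== FGT-PRIMARY-SN ==================
debugzone
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
checksum
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
================== FGT-SECONDARY-SN ==================
debugzone
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: de ad be ef de ad be ef de ad be ef de ad be ef
all: 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00
checksum
global: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
root: de ad be ef de ad be ef de ad be ef de ad be ef
all: 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00
"""

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")          # "==== <serial> ====" header
SUM_RE = re.compile(r"^(\S+):\s+((?:[0-9a-f]{2}\s*)+)$", re.IGNORECASE)

def parse_cluster_checksums(text):
    """Return {serial: {zone: hex}}; 'checksum' lines follow and overwrite 'debugzone'."""
    result, serial = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = MEMBER_RE.match(line)
        if m:
            serial = m.group(1)
            result[serial] = {}
        elif serial and (m := SUM_RE.match(line)):
            result[serial][m.group(1)] = m.group(2).replace(" ", "").lower()
    return result

def out_of_sync_zones(checksums):
    """Sorted list of zones whose checksum is not identical on every member."""
    seen = {}
    for zones in checksums.values():
        for zone, digest in zones.items():
            seen.setdefault(zone, set()).add(digest)
    return sorted(zone for zone, digests in seen.items() if len(digests) > 1)

if __name__ == "__main__":
    sums = parse_cluster_checksums(SAMPLE_OUTPUT)
    print("out-of-sync zones:", out_of_sync_zones(sums) or "none")
```

When a zone such as root is reported, drill down with 'diagnose sys ha checksum show root vpn.certificate.local' on each member, as the steps above describe.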
Note:
From v6.2.5, the 'vpn.certificate.local' object should stay in sync, and the above-mentioned steps are not needed.
Copyright 2024 Fortinet, Inc. All Rights Reserved.