Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
SAJUDIYA
Staff
Staff

Created on ‎11-17-2024 11:35 PM Edited on ‎03-14-2025 05:33 AM By Moderator

Article Id 357787

Troubleshooting Tip: HA status 'Unknown' and 'No route to host' error when accessing secondary device from CLI

Description

This article describes how to resolve HA out-of-sync issues with the 'Unknown' error, as well as cases where, when trying to access the secondary from the CLI, the following error is encountered:

 

execute ha manage 1 <user-name>
ssh: connect to host 169.254.0.2 port 22: No route to host
Scope FortiGate v7.2 and above version.
Solution

System HA status output will also show cluster checksum is 0000 for the secondary device:

 

get sys ha status
Primary selected using:
HA Health Status: OK
Model: FortiGate-120G
Mode: HA A-P
Group Name: Hub1
Group ID: 0
Debug: 0
Cluster Uptime: 109 days 22:9:15
Cluster state change time: 2024-10-29 03:54:15
    <2024/10/29 03:54:15> vcluster-1: FG120GTK00000001 is selected as the primary because its uptime is larger than peer member FG120GTK00000002.
    <2024/10/29 03:51:22> vcluster-1: FG120GTK00000001 is selected as the primary because it's the only member in the cluster. <--- The secondary member is not listed in the cluster.
    <2024/10/29 03:51:16> vcluster-1: FG120GTK00000001 is selected as the primary because SET_AS_SECONDARY flag is set on peer member FG120GTK00000002.

ses_pickup: disable
override: disable
Configuration Status:
    FG120GTK00000001(updated 0 seconds ago): in-sync
    FG120GTK00000001 chksum dump: 03 0a 0f 9d d3 e8 02 63 10 3f 71 a1 ef 20 31 90
    FG120GTK00000002(updated 1730208767 seconds ago): out-of-sync
    FG120GTK00000002 chksum dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <--- Checksum Cluster is 00.

 

ICMP packets show 'ICMP: host 169.254.0.2 unreachable' error:

 

filters=[host 169.254.0.1 or host 169.254.0.2]
2024-09-14 10:58:11.251632 vsys_ha out 169.254.0.1 -> 169.254.0.1: icmp: host 169.254.0.2 unreachable

 

GUI showing HA status as 'Unknown'.

HA-unknown.png
Note: HA status 'Unknown' error also shows up if Secondary device is on different firmware version (OR) if split brain is happening.
See this article for more info on split brain issue: High Availability - Split Brain - Fortinet Community.

When running hatalk and hasync debug, it shows the below error:

 

diag deb application hatalk -1
diag deb application hasync -1
diag deb en

2024-09-19 17:22:58 <hatalk> vcluster_1: ha_prio=1(secondary), state/chg_time/now=3(standby)/1726790186/1726791778
ag de2024-09-19 17:22:59 <hasync:WARN> conn=0xd46a160 connect(169.254.0.1) failed: 113(No route to host)

 

Workaround:

  • Use another port as hbdev other than HA and mgmt ports.
  • The permanent fix will be on v7.2.11, v7.4.5, v7.6.1.

Note: If FortiGate is hosted in VMware and having the same issue then it requires enabling MAC address spoofing on the virtual switches that connect heartbeat interfaces from VMware; or, simply configuring the unicast-ip method to make the firewall in sync.
3459
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.