FortiGate
sjoshi
Staff
Article Id 384110
Description

This article describes the possible causes and troubleshooting steps for FortiGate HA heartbeat packet loss, where one device's heartbeat packets do not reach the secondary unit. It covers common issues such as interface failures, cable or switch-related problems, misconfigurations, and high CPU utilization that can impact HA synchronization.

Scope

FortiGate.

Solution

An issue may occur in an HA setup with a split-brain scenario where only one member appears under HA due to a heartbeat communication failure:

<2025/03/21 08:31:12> FGVM02TM22003990 is selected as the primary because it's the only member in the cluster.

There can be several reasons for heartbeat communication failure. If the HA heartbeat links pass through a switch, there is a high chance the Ethernet frames are being dropped by the switch.

Take a packet capture (sniffer) for the heartbeat EtherType:

diagnose sniff packet any 'ether proto 0x8890' 4 0 l    <----- 0x8890 is the default EtherType used for HA heartbeat communication.

2025-03-24 08:07:56.185613 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
2025-03-24 08:07:56.385616 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
2025-03-24 08:07:56.585609 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
2025-03-24 08:07:56.785587 port9 out Ether type 0x8890 printer hasn't been added to sniffer.


The heartbeat packets are leaving 'FortiGateA', but no reply is seen. Take the same sniffer on 'FortiGateB' to confirm whether the heartbeat packets are being received there.

Whenever a switch sits between the FortiGates on the HA heartbeat links, there is a high chance the Ethernet frames are being dropped on that switch. Verify whether a specific VLAN is configured to carry the heartbeat traffic and that this traffic is not blocked by, for example, an ACL or STP.

The FortiGates can instead be connected directly to each other, or the heartbeat EtherType can be changed under the HA settings to avoid the conflict with the switch:

config system ha
    set ha-eth-type "8897"
end

After this change, the heartbeat communication works on EtherType 8897:

chen-esx48 (root) # diagnose sniff packet any 'ether proto 0x8897' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[ether proto 0x8897]
2025-03-24 08:19:53.992312 port9 in Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.060486 port9 out Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.192430 port9 in Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.260500 port9 out Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.392532 port9 in Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.460476 port9 out Ether type 0x8897 printer hasn't been added to sniffer.

There is now two-way heartbeat communication using EtherType 8897 and the HA cluster forms.
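
To make the comparison between the two captures mechanical, here is an added Python helper (not from the article or from Fortinet) that parses pasted sniffer output per interface and EtherType, reports whether heartbeats were seen in both directions, and measures the transmit interval; the sample input is constructed from the two captures in this article.

```python
import re
from datetime import datetime
# Matches the sniffer line format in the article; trailing text is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<port>\S+) (?P<dir>in|out) Ether type (?P<etype>0x[0-9a-fA-F]{4})"
)

def parse_heartbeats(output):
    """Return {(port, etype): {'in': [datetime...], 'out': [datetime...]}}."""
    seen = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banner lines such as 'filters=[...]' simply do not match
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            key = (m["port"], m["etype"].lower())
            seen.setdefault(key, {"in": [], "out": []})[m["dir"]].append(ts)
    return seen

def heartbeat_verdict(output):
    """Classify each (port, EtherType) pair as two-way, tx-only or rx-only."""
    verdicts = {}
    for key, dirs in parse_heartbeats(output).items():
        if dirs["in"] and dirs["out"]:
            verdicts[key] = "two-way"
        elif dirs["out"]:  # the article's first capture: sent, never answered
            verdicts[key] = "tx-only"
        else:
            verdicts[key] = "rx-only"
    return verdicts

def tx_interval(output, port, etype):
    """Mean seconds between consecutive transmitted heartbeats, or None."""
    outs = parse_heartbeats(output).get((port, etype.lower()), {}).get("out", [])
    if len(outs) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(outs, outs[1:])]
    return sum(gaps) / len(gaps)
# Constructed sample input, taken from the article's two captures.
ONE_WAY = """\
2025-03-24 08:07:56.185613 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
2025-03-24 08:07:56.385616 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
2025-03-24 08:07:56.585609 port9 out Ether type 0x8890 printer hasn't been added to sniffer.
"""
TWO_WAY = """\
filters=[ether proto 0x8897]
2025-03-24 08:19:53.992312 port9 in Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.060486 port9 out Ether type 0x8897 printer hasn't been added to sniffer.
2025-03-24 08:19:54.192430 port9 in Ether type 0x8897 printer hasn't been added to sniffer.
"""
```

A tx-only verdict on one unit together with no rx on the peer points at the path between them (switch, VLAN or EtherType filtering) rather than at the HA configuration itself.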

To verify the HA synchronization status, use the following command:

FortiGate# get system ha status

Configuration Status:
FGVMXXXXXXXXXXXX(updated N seconds ago): in-sync
FGVMXXXXXXXXXXXX(updated M seconds ago): in-sync
Related article:

Troubleshooting Tip: How to troubleshoot HA 'Heartbeat packet lost' issues in a FortiGate HA Cluster