FortiGate
kaman
Staff
Article Id 405484
Description


This article describes an issue where, after a firmware upgrade, a FortiGate VM shows no information after the secondary unit's serial number in the HA checksum output, and the High Availability (HA) page fails to load in the GUI.

Scope


FortiGate.

Solution

 

After upgrading the firmware, the System -> HA page fails to load in the GUI on both the primary and secondary devices. The behavior does not impact failover operations or lead to a split-brain scenario.

Upon checking HA status through the CLI, one device appears to be out of synchronization.

 

FGTVM # get sys ha status
Configuration Status:
FGVMXXXXXXXX276(updated 1 seconds ago): in-sync
FGVMXXXXXXXX276 chksum dump: 6c c0 35 e2 69 6e 55 51 fd 62 e1 3c 44 80 76 6d
FGVMXXXXXXXX398(updated 1 seconds ago): out-of-sync
FGVMXXXXXXXX398 chksum dump: 06 af 74 ca e3 42 67 a2 24 c4 c2 c2 aa b1 ac 6b
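
The status check above can be automated over captured CLI output. The following Python is an added example, not part of the original article or any Fortinet tooling; it assumes the 'Configuration Status' block has the line layout shown above, and the function names and the default of two expected members are hypothetical choices.

```python
import re

# Constructed sample: the "Configuration Status" block as shown in this
# article (serial numbers masked the same way).
SAMPLE = """\
Configuration Status:
FGVMXXXXXXXX276(updated 1 seconds ago): in-sync
FGVMXXXXXXXX276 chksum dump: 6c c0 35 e2 69 6e 55 51 fd 62 e1 3c 44 80 76 6d
FGVMXXXXXXXX398(updated 1 seconds ago): out-of-sync
FGVMXXXXXXXX398 chksum dump: 06 af 74 ca e3 42 67 a2 24 c4 c2 c2 aa b1 ac 6b
"""

STATE_RE = re.compile(r"^(\S+?)\(updated (\d+) seconds ago\):\s*(\S+)\s*$")
CHKSUM_RE = re.compile(r"^(\S+) chksum dump:\s*((?:[0-9a-f]{2}\s*)+)$", re.I)

def parse_ha_status(text):
    """Return {serial: {"state", "age", "chksum"}} from the status block."""
    members = {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATE_RE.match(line):
            entry = members.setdefault(m.group(1), {"chksum": None})
            entry.update(state=m.group(3), age=int(m.group(2)))
        elif m := CHKSUM_RE.match(line):
            entry = members.setdefault(m.group(1), {"state": None, "age": None})
            entry["chksum"] = "".join(m.group(2).split()).lower()
    return members

def find_problems(members, expected_members=2):
    """List findings; an empty list means the members report as in sync."""
    problems = []
    if len(members) < expected_members:
        problems.append(f"only {len(members)} of {expected_members} members reported")
    for serial, info in members.items():
        if info.get("state") != "in-sync":
            problems.append(f"{serial}: state is {info.get('state')}")
        if not info.get("chksum"):
            problems.append(f"{serial}: no checksum reported")
    # All members of a synchronized cluster report the same checksum.
    if len({info.get("chksum") for info in members.values()}) > 1:
        problems.append("checksums differ between members")
    return problems

if __name__ == "__main__":
    for finding in find_problems(parse_ha_status(SAMPLE)):
        print(finding)
```

Running the same check on output captured after the manual resynchronization should return an empty list.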

 

When the HA cluster checksum is reviewed on both devices, the secondary unit does not appear in the HA cluster: checksum verification may show the unit as missing or display incomplete output. The same behavior is seen in reverse on the other device.



This behaviour occurs when HA-Sync fails to establish effective communication between the two devices. Ensure both units are running the same firmware version by using the 'get system status' command.

Use the 'diagnose sys top list | grep hasync' command to confirm that the HA-Sync process is running.

If the HA-Sync process is not running, restart it by executing 'fnsysctl killall hasync', then manually initiate the HA sync process on both FortiGate units with the help of the commands below:


execute ha synchronize start
diagnose sys ha checksum recalculate

The secondary FortiGate can be accessed through the console port or via the dedicated HA management interface (if enabled). It can also be accessed from the primary FortiGate CLI using the command 'execute ha manage 0 admin'. See: Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage'.

 

Note:

Super Admin privilege is required to run the 'fnsysctl' command.


After manually restarting the HA-Sync process, HA synchronization was successfully restored.
