vsharma (Staff)
Article Id 353372
Description: This article describes the cause and resolution for the error 'Cannot reassign primary private IP addresses' seen in the OCID debug output during Oracle Cloud Infrastructure (OCI) FortiGate HA failover.
Scope: FortiGate, OCI
Solution:

In OCI, only the secondary private IP addresses on a VM's Virtual Network Interface Card (VNIC) can be reassigned between interfaces (detached and reattached). Because an HA failover works by moving an IP address to the newly active unit, FortiGate HA configurations must not use the primary private IP of the OCI VNIC on any FortiGate interface.


OCI VMs are assigned one primary private IP address and can have additional secondary private IPs. FortiGate HA configurations should use secondary IPs from the OCI VM, not the primary IP. Using the primary IP of an OCI VNIC on a FortiGate interface triggers the 'Cannot reassign primary private IP addresses' error when HA attempts to move that address during failover.


When this error is observed during a failover, it indicates that the primary private IP address of the OCI VM VNIC has been configured on a FortiGate interface.


To check for this error, run the following debug commands on the FortiGate and watch the output during a failover:


diagnose debug application ocid -1
diagnose debug enable


-----output clipped---------


api retrying ...
http response err: 400
{
"code" : "InvalidParameter",
"message" : "Cannot reassign primary private IP addresses"
}
api retrying ...
moving private ip 10.0.12.4 to local failed


-----output clipped---------


Resolution:


  • In the OCI Console, identify the VNIC's primary private IP address and note the secondary private IPs associated with that VNIC.
  • In the FortiGate configuration, ensure that the primary IP (e.g. 10.0.12.4) is not configured on any FortiGate interface.
    Confirm that the FortiGate interface uses one of the available secondary IPs (10.0.12.3 or 10.0.12.5).
  • Reconfigure the FortiGate interface to use only secondary IP addresses provided by OCI.
  • In this scenario, the primary IP (e.g., 10.0.12.4) must not be configured on any FortiGate interface; secondary IPs such as 10.0.12.3 or 10.0.12.5 should be used instead.
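The following is an added example, not Fortinet's code or part of the original article, that automates the two checks above: it scans ocid debug output for the 'Cannot reassign primary private IP addresses' error and extracts the address that failed to move, and it compares the IPs configured on FortiGate interfaces against the VNIC primary/secondary IPs noted from the OCI Console. The debug output, the "show system interface" style configuration and the VNIC inventory are all constructed sample data modelled on the values in this article; the VNIC names and the helper functions are hypothetical.

```python
import re

# Constructed sample of "diagnose debug application ocid -1" output,
# modelled on the lines quoted in the article (not a real capture).
SAMPLE_OCID_DEBUG = """\
api retrying ...
http response err: 400
{
"code" : "InvalidParameter",
"message" : "Cannot reassign primary private IP addresses"
}
api retrying ...
moving private ip 10.0.12.4 to local failed
"""

# Constructed FortiGate interface configuration in the style of
# "show system interface" output (not a real device's config).
SAMPLE_FGT_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.0.12.4 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 10.0.13.3 255.255.255.0
    next
end
"""

# Constructed VNIC inventory as noted from the OCI Console: primary private IP
# and secondary private IPs per VNIC (hypothetical VNIC names, example values).
SAMPLE_VNICS = {
    "vnic-port1": {"primary": "10.0.12.4", "secondary": ["10.0.12.3", "10.0.12.5"]},
    "vnic-port2": {"primary": "10.0.13.2", "secondary": ["10.0.13.3", "10.0.13.4"]},
}

ERROR_TEXT = "Cannot reassign primary private IP addresses"
MOVE_FAIL_RE = re.compile(r"moving private ip (\d{1,3}(?:\.\d{1,3}){3}) to local failed")
INTERFACE_RE = re.compile(r'edit "([^"]+)"')
IP_RE = re.compile(r"set ip (\d{1,3}(?:\.\d{1,3}){3}) ")


def find_failed_moves(debug_output: str) -> list:
    """Return the IPs ocid failed to move, but only when the OCI
    'Cannot reassign primary private IP addresses' error is present."""
    if ERROR_TEXT not in debug_output:
        return []
    return MOVE_FAIL_RE.findall(debug_output)


def parse_interface_ips(config: str) -> dict:
    """Map FortiGate interface name -> configured IPv4 address."""
    result = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.search(line)
        if m and current:
            result[current] = m.group(1)
    return result


def check_primary_ip_misuse(interface_ips: dict, vnics: dict) -> list:
    """Return (interface, ip, vnic) for every interface whose IP is a VNIC's
    primary private IP, which OCI cannot move during HA failover."""
    primaries = {v["primary"]: name for name, v in vnics.items()}
    return [(iface, ip, primaries[ip])
            for iface, ip in interface_ips.items() if ip in primaries]


def suggest_secondary(ip: str, vnics: dict) -> list:
    """For a primary IP, return the secondary IPs of the same VNIC that HA can move."""
    for v in vnics.values():
        if v["primary"] == ip:
            return list(v["secondary"])
    return []


if __name__ == "__main__":
    failed = find_failed_moves(SAMPLE_OCID_DEBUG)
    print("IPs ocid failed to move:", failed)
    misuse = check_primary_ip_misuse(parse_interface_ips(SAMPLE_FGT_CONFIG), SAMPLE_VNICS)
    for iface, ip, vnic in misuse:
        print(f"{iface} uses primary IP {ip} of {vnic}; "
              f"use one of {suggest_secondary(ip, SAMPLE_VNICS)} instead")
```

On the sample data the script reports that port1 is configured with 10.0.12.4, the primary IP of its VNIC, and suggests 10.0.12.3 or 10.0.12.5; port2 passes because 10.0.13.3 is a secondary IP. Replace the constructed strings with a real debug capture and a copy of the interface configuration to run the same check against a deployment.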