|
After upgrading FortiGate HA, there are a few scenarios in which the secondary HA device is not in sync with the primary. Some default address objects may be missing, such as the ISDB value for Microsoft or Google sites, which causes out-of-sync errors.
- After upgrading the device, check both devices for any configuration errors:
diagnose debug config-error-log read
Related article:
Technical Tip: Internet service name value parse error in config error log
In the following example, the firewall address object checksum value is different on both devices, which causes them to become out of sync.
Checking the 'diag auto-update versions' on both FortiGate, the Internet-service database doesn't match or will show 'Version: 0.00000':
diagnose autoupdate versions | grep Internet-service -A 5
Internet-service Full Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates
If the Internet-service database version remains at 0.00000 after an update attempt, verify connectivity to FortiGuard servers with 'diag debug rating' and ensure DNS is resolving.
- Try to manually sync to the primary in the secondary:
execute ha synchronize start
- Try to manually sync by recalculating the checksum in the primary:
diagnose sys ha checksum recalculate
- If the above step does not work, try to reboot the Secondary FortiGate and wait for synchronization.
- Check for any duplicate entries in the ISDN database by running the following command:
diagnose internet-service-name check-duplicate
- Try to fail over to the secondary it should automatically update the ISDB, if the ISDB is not updated and gives the same error, try the below command:
execute update-now
To debug if the updates are working properly, run the below commands
diagnose debug reset
diagnose debug enable
diagnose debug application update -1
execute update-now
A successful update should show this:
upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful
After the update is completed, stop debugging:
diagnose debug disable
- Check if the database of the ISDB is updated on both devices by running the following command:
diagnose autoupdate versions | grep Internet-service -A 5
Internet-service Full Database
---------
Version: 7.03968
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates
- Refresh the internet-service database and reboot the secondary.
execute internet-service4 refresh
- Perform a failover when the ISDB database version is the same in both the primary and secondary.
- If the device still shows as out of sync after the failover, modify the primary unit configuration file and restore it to the secondary unit by following the steps in this article: Technical Tip: Correcting an out-of-sync HA cluster by modifying the primary unit configuration file....
- The firewall address object 'firewall-internet-service-name' causes the HA cluster to be out of sync and can also be triggered by the device's Firmware version, because the Internet Service DB will be updated when the new Firmware is upgraded.
get system status
Related articles:
|
