mpeddalla
Staff
Article Id 311877
Description This article describes how to resynchronize HA devices that are out of sync after a firmware upgrade because of the firewall.internet-service-name address object.
Scope FortiGate.
Solution

After upgrading a FortiGate HA cluster, there are a few scenarios in which the secondary device is not in sync with the primary. Some default address objects may be missing, such as the ISDB entries for Microsoft or Google services, which causes out-of-sync errors.

 

  • After upgrading the device, check both devices for any configuration errors:

diagnose debug config-error-log read

 

Related article:

Technical Tip: Internet service name value parse error in config error log

 

In the following example, the firewall address object checksum differs between the two devices, which causes them to be out of sync.

[Screenshot: HA out-of-sync output showing differing firewall address object checksums (hasysoutofsync.png)]

 

Checking 'diagnose autoupdate versions' on both FortiGates shows that the Internet-service database versions do not match, or one unit shows 'Version: 0.00000':

 

diagnose autoupdate versions | grep Internet-service -A 5
Internet-service Full Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates

 

  • Try to sync manually by recalculating the checksum:

diagnose sys ha checksum recalculate

  • If the above step does not work, reboot the secondary FortiGate and wait for synchronization.
  • Try failing over to the secondary; it should automatically update the ISDB. If the ISDB is still not updated and the same error appears, run the following command:

 

execute update-now

 

To check whether updates are working properly, run the following commands:

 

diag debug reset
diag debug enable
diag debug application update -1
execute update-now

 

A successful update shows output like this:

upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful

 

After the update is completed, stop debugging:

 

diag debug disable

 

  • Check whether the ISDB is updated on both devices by running the following command:

 

diagnose autoupdate versions | grep Internet-service -A 5
Internet-service Full Database
---------
Version: 7.03968
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates

  • Perform a failover once the ISDB version is the same on both the primary and the secondary.
  • If the cluster still shows as out of sync after the failover, modify the primary unit configuration file and restore it to the secondary unit by following the steps in this article: Technical Tip: Correcting an out-of-sync HA cluster by modifying the primary unit configuration file....
  • The out-of-sync condition caused by the 'firewall internet-service-name' address object can also be triggered by the units' firmware versions, because the Internet Service DB is updated when new firmware is installed. Confirm that both units run the same firmware version with:

get system status
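The FortiOS CLI itself cannot be scripted offline, so the following Python script is an added example (not part of this article or of any Fortinet tool) of how an operator can check the two conditions the steps above rely on: whether the ISDB version from 'diagnose autoupdate versions' is the same non-empty value on every cluster member, and whether the 'diag debug application update -1' output from 'execute update-now' ends with the 'UPDATE successful' line. The member outputs and debug excerpt embedded in the script are constructed to match the format shown above; the member names 'primary' and 'secondary' and the function names are this example's own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample outputs in the format the article shows
# (not captured from a real device). The secondary shows the empty
# ISDB version that the article describes.
PRIMARY_ISDB = """Internet-service Full Database
---------
Version: 7.03968
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates
"""

SECONDARY_ISDB = """Internet-service Full Database
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Dec 6 08:03:38 2024
Last Update Attempt: Sat Dec 7 01:03:18 2024
Result: No Updates
"""

# Constructed excerpt of 'diag debug application update -1' output after
# 'execute update-now', mirroring the lines the article lists.
UPDATE_DEBUG = """__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
do_update[684]-UPDATE successful
"""

EMPTY_ISDB_VERSION = "0.00000"  # value the article shows for a missing ISDB


def parse_isdb_version(output: str) -> Optional[str]:
    """Return the Version field of the 'Internet-service Full Database' block,
    or None if the block or its Version line is absent."""
    in_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Internet-service Full Database"):
            in_block = True
            continue
        if in_block:
            match = re.match(r"Version:\s*(\S+)", line)
            if match:
                return match.group(1)
    return None


def check_isdb_sync(outputs: Dict[str, str]) -> Dict[str, object]:
    """Compare the ISDB version across cluster members.

    outputs maps a member name (e.g. 'primary') to its captured CLI output.
    Members with no ISDB block or 'Version: 0.00000' are listed as 'missing';
    the cluster counts as in sync only when every member reports the same
    non-empty version."""
    versions = {name: parse_isdb_version(out) for name, out in outputs.items()}
    missing = sorted(name for name, ver in versions.items()
                     if ver is None or ver == EMPTY_ISDB_VERSION)
    distinct = set(versions.values())
    return {
        "versions": versions,
        "missing": missing,
        "in_sync": not missing and len(distinct) == 1,
    }


def update_succeeded(debug_output: str) -> bool:
    """True when the update debug log contains the 'UPDATE successful' line."""
    return any("UPDATE successful" in line for line in debug_output.splitlines())


if __name__ == "__main__":
    report = check_isdb_sync({"primary": PRIMARY_ISDB, "secondary": SECONDARY_ISDB})
    for member, ver in report["versions"].items():
        print(f"{member}: ISDB version {ver}")
    if report["in_sync"]:
        print("ISDB in sync on all members")
    else:
        print("ISDB NOT in sync; members needing an update:",
              ", ".join(report["missing"]) or "none (versions differ)")
    print("last update-now succeeded:", update_succeeded(UPDATE_DEBUG))
```

Paste each unit's 'diagnose autoupdate versions | grep Internet-service -A 5' output into the corresponding string (or read it from files captured over SSH) and run the script; a member listed under 'missing' is the one on which to run 'execute update-now' and re-check before attempting the failover.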

 

Related articles:

Troubleshooting Tip: Failure on update or contact FortiGuard

Technical Tip: Procedure for HA manual synchronization