FortiGate
yangw
Staff
Article Id 408943
Description This article explains why the real server health detection for a load-balancing VIP can display 'down' on the HA secondary unit even though the primary unit shows the correct health status. It describes the expected behavior in an HA cluster, the diagnostic commands, and the verification steps to confirm the symptom and rule out a genuine health-check failure.
Scope FortiGate v7.2.
Solution

Background:

In a FortiGate HA cluster, the health probes and detection events for VIP load balancing are generated and processed only by the unit that currently holds the HA primary role. The HA secondary neither sends probes nor owns real server health detection, so its local view of a real server can remain 'down' (or show zeroed counters) until it becomes primary and produces its own detection events. This is by design and is not a fault.

Symptoms:

On the HA primary, real server(s) display expected up/down state and statistics.

On the HA secondary, the same real server(s) can appear 'down' or show zeroed counters because that unit is neither performing active health checks nor receiving detection events.

Verification:

On the secondary unit, list the real server status:

diagnose firewall vip realserver list

Review the output for characteristics indicating that no active health detection is taking place on the secondary. For example, the alive counters may be zero, or the status may show down despite the same real server showing up on the primary.

Enable health-check debug to confirm that the secondary suppresses detection while it is in the secondary (slave) role. Look for messages similar to the following:

'detect engine heartbeat' followed by 'Suppress detect msg since vf(id=0) on unit is slave...', which indicates that this unit is not the active detector.

Optionally, validate on the primary that the health checks are running and that the counters increment as expected.
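The verification steps above amount to one decision: a 'down' real server is only a finding when the unit that reports it is the active detector. The following script is an added example written for this article, not FortiOS code or output. It scans a captured health-check debug trace for the two message fragments quoted above and uses the result to decide whether a 'down' state needs troubleshooting. The sample traces, their timing and counts are constructed for illustration; only the two quoted message shapes come from the article, and the assumption that the number inside vf(id=...) identifies the VDOM is ours.

```python
import re
from collections import Counter

# Constructed sample traces. Only the two message shapes ('detect engine heartbeat'
# and 'Suppress detect msg since vf(id=N) on unit is slave...') are taken from the
# article; the number and order of lines are made up for this example.
SECONDARY_DEBUG = """\
detect engine heartbeat
Suppress detect msg since vf(id=0) on unit is slave...
detect engine heartbeat
Suppress detect msg since vf(id=0) on unit is slave...
Suppress detect msg since vf(id=3) on unit is slave...
"""

PRIMARY_DEBUG = """\
detect engine heartbeat
detect engine heartbeat
"""

# Assumption: the id inside vf(id=...) is the VDOM index for which detection is suppressed.
SUPPRESS_RE = re.compile(r"Suppress detect msg since vf\(id=(\d+)\) on unit is slave")
HEARTBEAT_RE = re.compile(r"detect engine heartbeat")


def classify_detect_debug(text):
    """Summarise a health-check debug trace captured on one HA member.

    Returns a dict with:
      heartbeats     - number of detect-engine heartbeat lines seen
      suppressed_vfs - Counter of vf ids whose detection was suppressed
      role           - 'secondary' if any suppression line was seen,
                       'primary'   if heartbeats were seen with no suppression,
                       'unknown'   if neither pattern appears (wrong debug enabled,
                                   or no detection activity captured)
    """
    heartbeats = 0
    suppressed = Counter()
    for line in text.splitlines():
        if HEARTBEAT_RE.search(line):
            heartbeats += 1
        m = SUPPRESS_RE.search(line)
        if m:
            suppressed[int(m.group(1))] += 1
    if suppressed:
        role = "secondary"
    elif heartbeats:
        role = "primary"
    else:
        role = "unknown"
    return {"heartbeats": heartbeats, "suppressed_vfs": suppressed, "role": role}


def down_is_expected(debug_text, realserver_status):
    """Decide whether a 'down' real server state on this unit is a finding.

    On a unit that suppresses detection (HA secondary) a 'down' or zeroed view is
    the documented behaviour; only on the active detector does it indicate a real
    health-check failure worth troubleshooting. Returns (expected, explanation).
    """
    summary = classify_detect_debug(debug_text)
    if realserver_status.lower() != "down":
        return False, "real server is not reported down"
    if summary["role"] == "secondary":
        vfs = ",".join(str(v) for v in sorted(summary["suppressed_vfs"]))
        return True, f"unit is HA secondary (detection suppressed for vf id(s) {vfs}); 'down' is expected"
    if summary["role"] == "primary":
        return False, ("unit is the active detector; check reachability, source IP, "
                       "monitor type and policy path")
    return False, "detection role not determinable from trace; re-capture with health-check debug enabled"


if __name__ == "__main__":
    for name, trace in (("secondary", SECONDARY_DEBUG), ("primary", PRIMARY_DEBUG)):
        print(name, classify_detect_debug(trace))
        print(name, down_is_expected(trace, "down"))
```

Feed it the debug capture from each HA member in turn: the unit whose trace yields role 'secondary' is the one where a 'down' view can be ignored, and the unit yielding 'primary' is the one where the standard VIP health-check troubleshooting applies.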

Explanation:

Health detection for VIP load balancing is tied to the active HA role. The detection engine issues probes and updates the real server state only while the unit is primary. After an HA role change, the newly elected primary starts generating and recording its own detection events; the new secondary becomes passive and keeps whatever view it last held, so it can show a stale 'down' until it becomes primary again and runs its own checks. This avoids duplicated probing and inconsistent load-balancing decisions between the two units.

Remediation and Confirmation:

No configuration change is required if traffic distribution and the health status on the primary are correct. The 'down' view observed on the secondary is expected.

To confirm, perform a controlled HA failover during a maintenance window so that the current secondary becomes primary, then re-run on that unit:

diagnose firewall vip realserver list

Once the unit is primary, the health status should update within the health-check interval. If health detection still does not operate while the unit is primary, the HA role is not the cause; troubleshoot the usual VIP health check causes (source IP, reachability of the monitored IP/port, monitor type, policy path) per Fortinet guidance.

Additional notes:

Use the VIP and virtual server diagnostics to filter on specific objects if needed:

diagnose firewall vip virtual-server filter

diagnose firewall vip virtual-server real-server

Ensure that the monitored IP/ports are reachable from the selected outgoing interface and that the health check uses the expected source IP. A packet capture on that interface can confirm that the probes actually leave the unit and that the real server answers them.
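The three failure causes listed above (source IP, reachability, nothing listening) all end in the same 'down' state on the primary, but the way the probe fails tells them apart. The script below is an added example written for this article, not FortiOS code; it emulates a plain TCP-connect health monitor against a throwaway local listener that stands in for the real server, and reports why a probe failed. The listener, the ports and the non-local source address 192.0.2.1 (a documentation-range address used here as a deliberately wrong source) are constructed for the example; the FortiGate health-check implementation itself is not modelled.

```python
import socket
import threading


def tcp_probe(target_ip, target_port, source_ip=None, timeout=2.0):
    """Emulate a TCP-connect health monitor.

    Returns (status, reason), status being 'up' or 'down'. source_ip plays the
    role of the health check's source address: if that address cannot be used
    from this host (not local, wrong interface) the probe fails before any
    packet is sent, which is indistinguishable from a dead real server unless
    the reason is inspected or a packet capture shows no SYN leaving at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip is not None:
            s.bind((source_ip, 0))  # port 0: kernel picks an ephemeral source port
        s.connect((target_ip, target_port))
        return "up", "TCP handshake completed"
    except socket.timeout:
        return "down", "no SYN-ACK within timeout (filtered path or host unreachable)"
    except ConnectionRefusedError:
        return "down", "connection refused (host reachable, service not listening)"
    except OSError as e:
        return "down", f"probe could not be sent: {e}"
    finally:
        s.close()


def start_listener(bind_ip="127.0.0.1"):
    """Start a throwaway TCP listener standing in for a real server.

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()  # a bare accept is enough for a TCP-connect monitor
            except socket.timeout:
                continue

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop():
        stopped.set()
        t.join()
        srv.close()

    return srv.getsockname()[1], stop


def closed_port(bind_ip="127.0.0.1"):
    """Reserve and immediately release a port so that nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_ip, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_listener()
    try:
        print("listening real server:", tcp_probe("127.0.0.1", port, source_ip="127.0.0.1"))
        print("nothing listening:    ", tcp_probe("127.0.0.1", closed_port()))
        # Constructed wrong source: 192.0.2.1 is not an address of this host.
        print("bad source address:   ", tcp_probe("127.0.0.1", port, source_ip="192.0.2.1"))
    finally:
        stop()
```

When a real server is 'down' on the primary, map the probe symptom to the cause the same way: no SYN in the capture points at the source IP or outgoing interface, a SYN with no reply points at reachability or the policy path, and a RST points at the monitored port rather than the FortiGate.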

Related article:

Technical Tip: Configure a virtual server