vinodhini
Staff
Article Id 398735
Description This article describes how to fix the HA out-of-sync issue caused by the 'chattr sync-disable server' option under the RADIUS settings.
Scope FortiMail.
Solution

After upgrading to v7.6.3, FortiMail HA goes out of sync with the RADIUS configuration below.

 

config profile authentication radius
    chattr sync-disable server
    chattr sync-disable nas-ip
    chattr sync-disable comment
    edit Clearpass_205
        set server 10.113.12.205
        set auth-prot pap
        set nas-ip 10.113.12.33
        set comment DC
    next
end

 

The sync-disable option is used to modify the default synchronization behavior of attributes, preventing them from being automatically replicated to other cluster members.

 

However, when it is applied to the 'server' attribute, HA goes out of sync.

 

HAsyncd debug:

 

hasyncd: config_receive: problem running CLI command, error code: -56, errstr: Empty value is not allowed, CLI: config profile authentication radius edit Clearpass_205 set secret abcd set auth-prot pap next
hasyncd: config_receive: problem running CLI command, error code: -284, errstr: CLI parsing error, CLI: config domain edit xxxx.gov.xx next edit xxxx.gov.yy next end 

 

Workaround:

Among all the attributes in 'config profile authentication radius', only 'chattr sync-disable server' triggers this issue.

 

To fix this issue, apply the workaround below and reboot the FortiMail unit:

 

config profile authentication radius
    chattr sync-unset server
end

 

This resolves the HA sync issue.

 

As 'server' is a must-have attribute, it should not be set as sync-disable. This issue will be resolved in FortiMail versions 7.4.6, 7.6.4, and 8.0.0.
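
To check a configuration backup for this condition before or after an upgrade, the following added example (not Fortinet code) lists the attributes still marked 'chattr sync-disable' in 'config profile authentication radius' and flags 'server'. The function names are hypothetical, and it assumes a later 'chattr sync-unset' clears an earlier 'chattr sync-disable', as the workaround above implies.

```python
import re

RADIUS_TABLE = "config profile authentication radius"
MUST_SYNC = {"server"}  # the article: 'server' is mandatory, never sync-disable it

def sync_disabled_attrs(config_text):
    """Attributes still marked 'chattr sync-disable' in the RADIUS profile table."""
    disabled, depth, in_radius = set(), 0, False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_radius = line == RADIUS_TABLE
        elif line == "end":
            if depth == 1:
                in_radius = False
            depth = max(depth - 1, 0)
        elif in_radius and depth == 1:
            m = re.fullmatch(r"chattr sync-(disable|unset) (\S+)", line)
            if m and m.group(1) == "disable":
                disabled.add(m.group(2))
            elif m:  # assumption: sync-unset clears an earlier sync-disable
                disabled.discard(m.group(2))
    return disabled

def risky_attrs(config_text):
    """Sync-disabled attributes that the article says break HA sync."""
    return sorted(sync_disabled_attrs(config_text) & MUST_SYNC)

# Configuration as shown in the article (triggers the out-of-sync state).
BEFORE = """\
config profile authentication radius
    chattr sync-disable server
    chattr sync-disable nas-ip
    chattr sync-disable comment
    edit Clearpass_205
        set server 10.113.12.205
        set auth-prot pap
        set nas-ip 10.113.12.33
        set comment DC
    next
end
"""
# Constructed sample: the same table after the article's workaround is applied.
AFTER = BEFORE.replace("    edit Clearpass_205", "    chattr sync-unset server\n    edit Clearpass_205")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "sync-disabled:", sorted(sync_disabled_attrs(cfg)), "risky:", risky_attrs(cfg))
```

Run it against the configuration of each HA member; a non-empty "risky" list means the workaround above still needs to be applied on that unit.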