FortiManager
WinterSnowYap
Article Id 382651
Description This article describes how to troubleshoot a FortiManager that fails to form an HA cluster because of a corrupted ADOM.
Scope FortiManager.
Solution
  1. There are two FortiManagers, a Primary unit and a Secondary unit. Enable the HA debug with the following commands:

diagnose debug disable
diagnose debug reset
diagnose debug timestamp enable
diagnose debug application ha 255
diagnose debug enable

To stop the debug:

diagnose debug disable

The debug output is similar to the following:

sending file /var/ha/sync/syncsIMboD
[ERROR] back up /var/pm2/adom3 failed
[ERROR] prep buffer write failed

  2. On both FortiManager (Primary unit) and FortiManager (Secondary unit), run the following command:

diagnose cdb upgrade check +all

Do not select 'Y' to perform the next action; just press 'N'.

The command output is similar to the following:

sqlite3_backup_step() failed. r1 = 11, copy /var/pm2/adom3 to /var/workspace/adom3/25162.cache, src_error = 11, dst_error = 11 
        General updating - adom root                      ... .100%     An error has occured: (errno=0):invalid value

Demystifying the Errors:

  1. sqlite3_backup_step() failed -> This indicates that the backup process of the database could not proceed to the Secondary unit in the HA cluster.
  2. r1 = 11 -> 11 corresponds to SQLITE_CORRUPT in the SQLite error codes, meaning the database file may be corrupted.
  3. src_error = 11, dst_error = 11 -> Both the source (/var/pm2/adom3) and the destination (/var/workspace/adom3/44649.cache) encountered the same error, which indicates that the source database is likely corrupted.

For more information on SQLite errors, refer to the Result and Error Codes documentation: SQLite Error Code (11) SQLITE_CORRUPT

The above verification shows that adom3 (the root ADOM) is corrupted. Next, check whether the command result came from FortiManager (Primary unit) or FortiManager (Secondary unit).
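
An added example, not part of the original article or of any Fortinet tooling: a Python script that scans saved output of the upgrade check from each unit for the failure line shown above and reports which unit and which ADOM database returned SQLITE_CORRUPT. The unit labels, function names and sample captures are assumptions constructed for illustration.

```python
import re

# Subset of SQLite primary result codes (see the SQLite Result and Error Codes list).
SQLITE_CODES = {0: "SQLITE_OK", 5: "SQLITE_BUSY", 6: "SQLITE_LOCKED",
                7: "SQLITE_NOMEM", 10: "SQLITE_IOERR", 11: "SQLITE_CORRUPT",
                13: "SQLITE_FULL", 14: "SQLITE_CANTOPEN", 26: "SQLITE_NOTADB"}

# Matches the failure line in the format shown in this article's command output.
BACKUP_FAIL = re.compile(
    r"sqlite3_backup_step\(\) failed\. r1 = (?P<rc>\d+), "
    r"copy (?P<src>\S+) to (?P<dst>\S+), "
    r"src_error = (?P<src_err>\d+), dst_error = (?P<dst_err>\d+)")

def code_name(code):
    """Translate a numeric SQLite result code into its symbolic name."""
    return SQLITE_CODES.get(code, f"unknown({code})")

def triage(captures):
    """captures maps a unit label to its saved CLI output (hypothetical layout).
    Returns one finding per backup failure line found."""
    findings = []
    for unit, text in captures.items():
        for m in BACKUP_FAIL.finditer(text):
            rc, src_err, dst_err = (int(m[k]) for k in ("rc", "src_err", "dst_err"))
            findings.append({
                "unit": unit,
                "database": m["src"],
                "cache": m["dst"],
                "result": code_name(rc),
                "src_error": code_name(src_err),
                "dst_error": code_name(dst_err),
                # The article's reading: code 11 on both sides points at the source.
                "source_likely_corrupt": src_err == 11 and dst_err == 11,
            })
    return findings

# Constructed sample captures: "primary" reuses the failure line from this
# article; "secondary" is a made-up run without a failure line.
SAMPLE = {
    "primary": "sqlite3_backup_step() failed. r1 = 11, copy /var/pm2/adom3 to "
               "/var/workspace/adom3/25162.cache, src_error = 11, dst_error = 11 \n"
               "        General updating - adom root ... .100%\n",
    "secondary": "        General updating - adom root ... .100%\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```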

Go to the FortiManager unit and check the following:

  1. The affected ADOM must not manage any devices (e.g., FortiGate). If the affected ADOM manages any devices, move them to another ADOM.
  2. If VPN Manager is enabled and has settings configured, it must be reconfigured afterwards.

Use the ADOM reset CLI command to fix the issue:

execute reset adom-settings <adom> <version> <m>

For example:

execute reset adom-settings root 7 4

After that, FortiManager can form an HA cluster.

Related articles:

Technical Tip: FortiManager HA cluster setup and troubleshooting

Technical Tip: How to reset ADOM settings in FortiManager/FortiAnalyzer