FortiWeb
jcastellanos
Staff
Article Id 264193
Description This article describes scenarios where the slave does not accept configuration changes from the master.
Scope FortiWeb.
Solution

In some scenarios, the slave does not accept any change made by the master, even when the HA status appears to be OK:

 

diagnose system ha status

HA information:
Model=FortiWeb-2000E 6.3.17,build1195(GA),211130, Mode=active-active-standard Group=1

HA group member information: is_manage_master=1.
LocalSN: FV-2KET6200000XX
MasterSN: FV-2KET6200000YY
FV-2KET620-----0: Master, 4, 0, 10893147, 10586780, FortiWeb_2000E_UIOS
FV-2KET620-----1: Slave, 5, 0, 491751, 0, FortiWeb_2000E_UIOM


If HA debugging is enabled:

diagnose debug app hasync 7
diagnose debug enable

The output then contains the message 'Ha pasv sync config status is disable'.

 

Slave:

 

(2022-01-20 13:16:10 hb_dev.c:73) Dev info count :11 len: 155
(2022-01-20 13:16:10 hb_timer.c:181) update my status info :
(2022-01-20 13:16:10 hb_packet_option.c:101) pack option type only: type=1(OPTION_END), options_buf=0x7fb9ddde6361, buf_sz=721
(2022-01-20 13:16:10 udp_raw_pkt.c:203) Hb encrtypt is:0
(2022-01-20 13:16:10 hb_send.c:99) Send hb packet: len: 303 magic: 3eb8 version: 1, mode: 2, group_id: 1, port:port3
firmvare: FV-2KE-6.3-FW-build1195 serialno: FV-2KET620-----1 override: 0
(2022-01-20 13:16:11 confd_sync_data_pasv.c:613) Ha pasv sync config status is disable <-----
(2022-01-20 13:16:11 udp_raw_pkt.c:203) Hb encrtypt is:0
(2022-01-20 13:16:11 hb_recv.c:224) Enter Fun : hb_packet_check
(2022-01-20 13:16:11 hb_recv.c:247) mysn : FV-2KET620-----1(1), comesn :, mode: 2

 

This message means that HA configuration synchronization has been disabled. Re-enable it with the following command:

 

diagnose system ha sync-config set-status enable
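
An added example (not part of the original article and not Fortinet code): a Python check that scans saved 'diagnose debug app hasync 7' output for the sync-disabled message and reports when it was logged and which serial number was last seen in a heartbeat record. The sample log is constructed after the format shown above; the serial FV-EXAMPLE-SLAVE and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Debug line prefix as shown in the article: "(YYYY-MM-DD HH:MM:SS file.c:NNN) message"
LINE_RE = re.compile(r"^\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\w.]+):(\d+)\)\s*(.*)$")
SERIAL_RE = re.compile(r"serialno:\s*(\S+)")
SYNC_DISABLED = "Ha pasv sync config status is disable"

# Constructed sample, modelled on the output format in the article.
SAMPLE = """\
(2022-01-20 13:16:10 hb_send.c:99) Send hb packet: len: 303 magic: 3eb8 version: 1, mode: 2, group_id: 1, port:port3
firmvare: FV-2KE-6.3-FW-build1195 serialno: FV-EXAMPLE-SLAVE override: 0
(2022-01-20 13:16:11 confd_sync_data_pasv.c:613) Ha pasv sync config status is disable
(2022-01-20 13:16:11 hb_recv.c:224) Enter Fun : hb_packet_check
"""

@dataclass
class Finding:
    timestamp: str
    source: str             # C file and line that emitted the message
    serial: Optional[str]   # last serialno seen in a heartbeat record, if any

def parse_records(text):
    """Yield (timestamp, source, message) tuples.

    Lines without the "(timestamp file:line)" prefix are continuation lines
    (e.g. the "firmvare: ... serialno: ..." line) and are appended to the
    previous record. Blank lines are skipped.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), f"{m.group(2)}:{m.group(3)}", m.group(4)]
        elif current:
            current[2] += " " + line
    if current:
        yield tuple(current)

def find_sync_disabled(text):
    """Return a Finding for every record reporting that config sync is disabled."""
    findings, serial = [], None
    for ts, src, msg in parse_records(text):
        s = SERIAL_RE.search(msg)
        if s:
            serial = s.group(1)
        if SYNC_DISABLED in msg:
            findings.append(Finding(ts, src, serial))
    return findings
```

An empty result from find_sync_disabled() only means the message was not present in the captured window, so capture at least a few heartbeat intervals before concluding.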