Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pieciaq
New Contributor III

Downgrade and recovery after HA update

Hi all,

 

got one question about downgrade and recovery after failed update in HA cluster (A-P).

When update failed and need to downgrade and upload configuration once again the best way for this is to:

1. disconnect slave from HA,

2. downgrade firmware and config to master

3. reconnect HA

4. wait for slave to sync?

 

But what when both units failed with updates and need to downgrade also Slave? 

Only difference is that need also to downgrade slave?

In this scenario should I also upload config on slave or only on master and after connecting to HA wait for sync? 

When making configuration backup notice only got config from Master, is there any scenario I should have config file from Slave?

Pieciaq
1 Solution
Toshi_Esumi
Esteemed Contributor II

If that upgrade was one step and both units are now running the new version (not sure how you determined it "failed" though), what I would do is:

1. isolate the secondary (shut down in/out interfaces on the switch side and shut down HA interface on the primary)

2. swap the boot partition to the previous one, which contains the previous config as well, and boot them up to the previous version for both primary and secondary units following below KB:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Selecting-an-alternate-firmware-for-the-ne...

If override/priority is not used, make sure you do this on the intended primary unit first and the secondary's uptime would be shorter by more than 5 min.

3. recover HA interface first to let them sync.

4. finally normalize in/out interfaces on the secondary.

 

Toshi

View solution in original post

1 REPLY 1
Toshi_Esumi
Esteemed Contributor II

If that upgrade was one step and both units are now running the new version (not sure how you determined it "failed" though), what I would do is:

1. isolate the secondary (shut down in/out interfaces on the switch side and shut down HA interface on the primary)

2. swap the boot partition to the previous one, which contains the previous config as well, and boot them up to the previous version for both primary and secondary units following below KB:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Selecting-an-alternate-firmware-for-the-ne...

If override/priority is not used, make sure you do this on the intended primary unit first and the secondary's uptime would be shorter by more than 5 min.

3. recover HA interface first to let them sync.

4. finally normalize in/out interfaces on the secondary.

 

Toshi