This is the second time I have come across a Fortigate HA pair that would not sync back up when recalculating the checksums.
The first time was with a pair of 60f units: the standby unit had a Fortilink interface name that started with a capital letter while the primary unit had it in lower case. This was a brand new setup, so we broke the HA pair, formatted the standby and redid HA.
This time around, it's a pair of 1500d firewalls in our datacenter. I narrowed the issue down to a missing address group on the standby. This group on the primary is the second to last. If I manually add this missing addrgrp to the standby, the order won't match the primary and the UUID will be different.
What's the solution: unreference this group from the policies on the primary, delete the group, then re-add it?
If an address group is missing, the places referencing the object must be missing too, likely policies, at the standby unit. If that's true, I can think of two options, or three.
1. do the same resyncing from scratch
2. take the entire copy of primary config and modify those unique parts like host name, management interfaces, HA override, etc. Then upload to the standby.
3. remove the missing part including the dependencies from the primary, then re-configure them at the primary. Out-of-sync doesn't mean any config changes won't be copied over. Likely that part is still working.
But you need to think about how it happened. Like the script you copied and pasted when you added the group might have had errors and you had to manually fix it, or something else.
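One way to pin down what option 3 has to touch before you start deleting: diff the two exported configs for address groups the standby lacks and list the primary policies that reference them. This is an added example, not code from the thread or from Fortinet; the config text and object names are constructed, and the parser only handles the flat `config / edit / set / next / end` layout of a FortiOS export.

```python
import shlex
# Constructed sample exports (not real device configs), trimmed to the sections
# that matter here: the standby lacks "grp-db", which policy 2 on the primary uses.
PRIMARY_CFG = """config firewall addrgrp
    edit "grp-web"
        set member "srv-web1" "srv-web2"
    next
    edit "grp-db"
        set member "srv-db1"
    next
end
config firewall policy
    edit 2
        set srcaddr "grp-web"
        set dstaddr "grp-db"
    next
end"""
STANDBY_CFG = """config firewall addrgrp
    edit "grp-web"
        set member "srv-web1" "srv-web2"
    next
end"""

def parse_sections(cfg):
    """{section: {entry: {key: [values]}}} for top-level config/edit/set blocks;
    nested 'config' blocks inside an entry are skipped (depth > 1)."""
    out, section, entry, depth = {}, None, None, 0
    for words in (shlex.split(line) or [""] for line in cfg.splitlines()):
        if words[0] == "config":
            depth += 1
            section = " ".join(words[1:]) if depth == 1 else section
        elif words[0] == "edit" and depth == 1:
            entry = words[1]
            out.setdefault(section, {})[entry] = {}
        elif words[0] == "set" and depth == 1:
            out[section][entry][words[1]] = words[2:]
        elif words[0] == "end":
            depth -= 1
    return out
def missing_addrgrps(primary, standby):
    """Address-group names present on the primary but absent on the standby."""
    return sorted(set(parse_sections(primary).get("firewall addrgrp", {}))
                  - set(parse_sections(standby).get("firewall addrgrp", {})))
def referencing_policies(primary, group):
    """IDs of primary policies whose srcaddr/dstaddr use the group (the
    dependencies to unreference before deleting and re-creating it)."""
    policies = parse_sections(primary).get("firewall policy", {})
    return sorted(pid for pid, st in policies.items()
                  if group in st.get("srcaddr", []) + st.get("dstaddr", []))
```

Feed it the output of `show` from each unit instead of the constructed strings; the group names it reports are the ones to unreference and re-create on the primary so the object order and UUIDs match after the resync.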
I appreciate your fast response. I went with option three and was able to get the units to sync back up. The address group creation script was run from FortiManager against a few dozen firewalls, so I have no idea why this particular one was impacted. I'll review the logs in FortiManager to see if an error was overlooked.