Fortinet Forum
RisingRose
New Contributor

No synch HA with FG 101E

Hello, I have 2 FortiGate 101E with FortiOS 5.4.6. I am trying to build an HA cluster with both but can't manage to sync the configuration between the master and the slave. I tried to recalculate the checksum quite a few times on both devices but it still isn't synchronizing.

ede_pfau
Esteemed Contributor III

Hi, and welcome to the forums.

For HA, you don't need to sync the HA members manually. If the cluster is forming at all, all files and status should sync automatically after some time.

 

The hardware needs to be identical for HA; that is, same P/N, same BIOS version and running the same FortiOS version. You can check that easily with 'get sys stat'. For instance, a FG-101E will not cluster with a FG-100E as the hardware disk is not present on one.

 

Does the HA cluster form at all, and you just see that something has not yet been sync'ed? Or is the cluster incomplete (get sys ha stats, GUI, virtual MACs etc.)?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
RisingRose

I've tried a few more things right now, and I've also checked that the cluster is formed. From what I've seen so far the cluster is created and is working, but there is no replication between the two devices.

I've attached the cluster image from the master GUI.

Here is the result of the HA status from the master:

Cluster Uptime: 0 days 00:04:09
Master selected using:
    <2018/04/13 14:14:04> FG101E4Q17003852 is selected as the master because it has the largest value of override priority.
    <2018/04/13 14:14:03> FG101E4Q17003852 is selected as the master because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
override: disable
Configuration Status:
    FG101E4Q17003852(updated 2 seconds ago): in-sync
    FG101E4Q17003750(updated 2 seconds ago): out-of-sync
System Usage stats:
    FG101E4Q17003852(updated 2 seconds ago):
        sessions=13, average-cpu-user/nice/system/idle=5%/0%/2%/92%, memory=27%
    FG101E4Q17003750(updated 2 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=17%/0%/7%/75%, memory=26%
HBDEV stats:
    FG101E4Q17003852(updated 2 seconds ago):
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
        port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
        wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    FG101E4Q17003750(updated 2 seconds ago):
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
        port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
        wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
MONDEV stats:
    FG101E4Q17003852(updated 2 seconds ago):
        dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
        port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
        wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    FG101E4Q17003750(updated 2 seconds ago):
        dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
        ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
        ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
        port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
        wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FG101E_HA_MAS   , FG101E4Q17003852
Slave : FG101E_HA_SLA   , FG101E4Q17003750
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG101E4Q17003852
Slave :1 FG101E4Q17003750
ede_pfau
Esteemed Contributor III

Please disable all HA port monitoring until the cluster has formed and is fully synchronized. I see that not all monitored ports are in state 'link up' on the slave unit. If this is commonly so, do not monitor them.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Maik
New Contributor

Upgrade to 5.4.8. It has some cluster bugs fixed. I did not study the troubleshooting steps you did in detail, just read that the cluster forms but does not sync.
RisingRose
New Contributor

I can't upgrade to 5.4.8, my company wants to stay with 5.4.6 since they just upgraded the infra to it.

But it's ok now, I just left the firewalls to think by themselves for like 2 hours and they finally synchronized.

Thanks for your help anyway, hope you have a good day.

bendsley
New Contributor II

# diagnose sys ha checksum show

Should return something like:

global: 0a 23 ce 1d f2 76 85 7a f0 8b 43 36 43 84 05 19
root: 73 cb 94 8d 19 80 e1 1c 8a b0 a1 28 32 0a ed 3a

 

From the above, find out which is not synced. You can do this on both units independently (from global: #execute ha manage <#>).

 

# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-network-auth-type: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-roaming-consortium: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-nai-realm: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-3gpp-cellular: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-ip-address-type: 00000000000000000000000000000000

 

Log the output, or copy/paste, from both firewalls to a different text file. Use a text editor to compare the two files. You will have something in there that shows what is out of sync.

 

When I tested recently, it was wtp-profile.

 

More info can be found here:

http://kb.fortinet.com/kb....do?externalID=FD36176
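
The comparison described in the post above can be scripted instead of done by eye in a text editor. This is an added example, not part of the original post: it parses saved `diagnose sys ha checksum show` output from both units and lists the objects whose checksums differ or exist on only one unit. The checksum values and the `wireless-controller.wtp-profile` line are constructed sample data, and the function names are this example's own.

```python
import re

# "object-name: <16 bytes of hex>", bytes either contiguous (per-object
# listing) or space-separated (global/root summary). The lookahead rejects
# longer hex strings instead of silently truncating them.
ENTRY = re.compile(r"([\w.\-]+):\s*((?:[0-9a-f]{2}\s?){16})(?![0-9a-f])", re.I)


def parse_checksums(text):
    """Return {object: checksum} from captured CLI output, even when the
    capture was pasted onto a single line."""
    return {name: "".join(value.split()).lower()
            for name, value in ENTRY.findall(text)}


def diff_checksums(primary_text, secondary_text):
    """Return (object, primary, secondary) for each object whose checksum
    differs, or that is present on only one unit (None on the other)."""
    a = parse_checksums(primary_text)
    b = parse_checksums(secondary_text)
    return [(k, a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]


# Constructed sample captures (not real device output).
PRIMARY = """# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-nai-realm: 00000000000000000000000000000000
wireless-controller.wtp-profile: 9c1e4b7a02d35f68a1b0c4d7e2f30516
"""

# Secondary capture flattened onto one line, as often happens when pasting.
SECONDARY = ("# diagnose sys ha checksum show root "
             "wireless-controller.hotspot20.anqp-venue-name: "
             "00000000000000000000000000000000 "
             "wireless-controller.wtp-profile: "
             "3d5a90e1b27c4f8800a1c6e4f9b2d701")

if __name__ == "__main__":
    for obj, pri, sec in diff_checksums(PRIMARY, SECONDARY):
        print(f"{obj}: primary={pri} secondary={sec}")
```

Run it first on the summary output to see which VDOM is out of sync, then on the per-VDOM listing to narrow it down to the object.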