roadhouse1387
New Contributor

odd HA issue 1500D

Hi,

 

Hoping someone can help or has seen this before.

Basically, 2 factory default 1500D units, basic management interface config applied and working. VDOM support enabled but nothing other than that defined on the boxes.

 

Trying to cluster them in an active-standby pair and I'm seeing that the master and the slave recognize each other as cluster members (get system ha status), cluster status is OK, but the slave is showing not-synced. However, the issue looks like it's a bit more basic than an out of sync config.

Also, on the primary GUI, if I select system, HA, only the primary box appears but if I select 'show HA stats' in the top right corner, both units are shown but the slave unit is all zero counters and although the serial number is there, the hostname isn't. So looks like some level of basic comms isn't happening.

 

Looking a bit deeper, the reason seems to be that they are not passing sync traffic to each other, even though they have learned about each other over the same HA cables (2 x point to point cables, direct, no switch in between, both up/up).

A debug seems to show that they are trying to sync but both are failing to communicate using the built-in IP addresses, and reporting the following:

 

<WARN> ............ connect(169.x.x.x) failed: 113(no route to host)

<WARN>...........abort: rt=-1, dst=169.x.x.x,  sync-type=3(fib)

 

For the HA config, I followed the basic cookbook instructions.

 

The boxes are running 5.4.4

 

I'm new to FortiGates, but it looks like it may be learning about the cluster at layer 2 but the actual sync traffic is going at layer 3 and failing for some reason... split brain? Not sure.

 

Can anyone offer any advice as to what to look for etc.?

 

Many Thanks

RH

makco10
Contributor II

Hello, 

 

To check that all the secondary configurations are synchronized with the primary configuration:

 

Execute the following command to view the checksums of all cluster members from any FortiGate in a cluster.

diagnose sys ha checksum cluster  

The following command shows the checksum of the individual FortiGate from which this command is executed.

diagnose sys ha checksum show

 

You can also run the following command from any cluster member to recalculate the HA checksums:

diagnose sys ha checksum recalculate 

Defend Your Enterprise Network With Fortigate Next Generation Firewall
Maik
New Contributor II

Upgrade to 5.4.10 (at least 5.4.8), known bug.