We have two FG200F in active-passive HA config. Recently we tiggered upgrade from 7.2.2 to 7.2.4 using the GUI "wizard" as we have done multiple times before.
When triggering the upgrade our two devices were
"A" Active
"B" Passive
The upgrade started on B and after a short while the role of active was handed over to
the newly upgraded B.
After that nothing seemd to happen on A. Now after waiting more then a day the HA status says that A is Not synchronized.
"get system status" on A says version is still 7.2.2
The components not in sync seems to be:
firewall.internet-service-name
endpoint-control.fctems
system.federated-upgrade
When looking at federated-upgrade on A i find:
config system federated-upgrade
set status confirmed
set upgrade-id 2
config node-list
edit "FG200FTxxxxxxxxx"
set timing immediate
set setup-time 06:00 2023/03/19 UTC
set upgrade-path 7-2-4
next
end
end
That section is empty on B.
It seems that A never tried to perform the upgrade?
Can I trigger another attempt?
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Solved this same situation yesterday.
We were updating 2x FG-600F from v6.4.11 to v6.4.12. Nothing special, except for the non-mainstream build for the new hardware model.
As you've described, after upgrading the secondary and failing over to make the updated FGT primary, the rest of the process stalled. "HA out of sync" of course.
I didn't bother to find the exact difference which deviated in the configs, as prominently the two FGTs were on different firmware versions.
After some trials and some research I found this:
And that procedure solved it.
These are the main steps:
1. Make the FGT with the lower OS version the primary unit (e.g. by CLI on the FGT with the higher OS version: "exec ha reset-uptime").
2. Upload the correct firmware file via GUI.
3. While the upload is proceeding, at ~40-50%, reboot the other FGT ("exec reboot").
4. Update proceeds normally, FGT reboots, one or the other becomes primary.
After that, the cluster syncs and everything looks pretty.
I did not attempt to load the firmware from FortiGuard, never succeeded in this (another topic).
BE AWARE that this procedure will interrupt traffic for a while!! because both FGTs will reboot and be offline for a couple of minutes.
Solved this same situation yesterday.
We were updating 2x FG-600F from v6.4.11 to v6.4.12. Nothing special, except for the non-mainstream build for the new hardware model.
As you've described, after upgrading the secondary and failing over to make the updated FGT primary, the rest of the process stalled. "HA out of sync" of course.
I didn't bother to find the exact difference which deviated in the configs, as prominently the two FGTs were on different firmware versions.
After some trials and some research I found this:
And that procedure solved it.
These are the main steps:
1. Make the FGT with the lower OS version the primary unit (e.g. by CLI on the FGT with the higher OS version: "exec ha reset-uptime").
2. Upload the correct firmware file via GUI.
3. While the upload is proceeding, at ~40-50%, reboot the other FGT ("exec reboot").
4. Update proceeds normally, FGT reboots, one or the other becomes primary.
After that, the cluster syncs and everything looks pretty.
I did not attempt to load the firmware from FortiGuard, never succeeded in this (another topic).
BE AWARE that this procedure will interrupt traffic for a while!! because both FGTs will reboot and be offline for a couple of minutes.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.