- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Failed Federated upgrade
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Failed Federated upgrade
We have two FG200F in active-passive HA config. Recently we tiggered upgrade from 7.2.2 to 7.2.4 using the GUI "wizard" as we have done multiple times before.
When triggering the upgrade our two devices were
"A" Active
"B" Passive
The upgrade started on B and after a short while the role of active was handed over to
the newly upgraded B.
After that nothing seemd to happen on A. Now after waiting more then a day the HA status says that A is Not synchronized.
"get system status" on A says version is still 7.2.2
The components not in sync seems to be:
firewall.internet-service-name
endpoint-control.fctems
system.federated-upgrade
When looking at federated-upgrade on A i find:
config system federated-upgrade
set status confirmed
set upgrade-id 2
config node-list
edit "FG200FTxxxxxxxxx"
set timing immediate
set setup-time 06:00 2023/03/19 UTC
set upgrade-path 7-2-4
next
end
end
That section is empty on B.
It seems that A never tried to perform the upgrade?
Can I trigger another attempt?
Thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved this same situation yesterday.
We were updating 2x FG-600F from v6.4.11 to v6.4.12. Nothing special, except for the non-mainstream build for the new hardware model.
As you've described, after upgrading the secondary and failing over to make the updated FGT primary, the rest of the process stalled. "HA out of sync" of course.
I didn't bother to find the exact difference which deviated in the configs, as prominently the two FGTs were on different firmware versions.
After some trials and some research I found this:
And that procedure solved it.
These are the main steps:
1. Make the FGT with the lower OS version the primary unit (e.g. by CLI on the FGT with the higher OS version: "exec ha reset-uptime").
2. Upload the correct firmware file via GUI.
3. While the upload is proceeding, at ~40-50%, reboot the other FGT ("exec reboot").
4. Update proceeds normally, FGT reboots, one or the other becomes primary.
After that, the cluster syncs and everything looks pretty.
I did not attempt to load the firmware from FortiGuard, never succeeded in this (another topic).
BE AWARE that this procedure will interrupt traffic for a while!! because both FGTs will reboot and be offline for a couple of minutes.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved this same situation yesterday.
We were updating 2x FG-600F from v6.4.11 to v6.4.12. Nothing special, except for the non-mainstream build for the new hardware model.
As you've described, after upgrading the secondary and failing over to make the updated FGT primary, the rest of the process stalled. "HA out of sync" of course.
I didn't bother to find the exact difference which deviated in the configs, as prominently the two FGTs were on different firmware versions.
After some trials and some research I found this:
And that procedure solved it.
These are the main steps:
1. Make the FGT with the lower OS version the primary unit (e.g. by CLI on the FGT with the higher OS version: "exec ha reset-uptime").
2. Upload the correct firmware file via GUI.
3. While the upload is proceeding, at ~40-50%, reboot the other FGT ("exec reboot").
4. Update proceeds normally, FGT reboots, one or the other becomes primary.
After that, the cluster syncs and everything looks pretty.
I did not attempt to load the firmware from FortiGuard, never succeeded in this (another topic).
BE AWARE that this procedure will interrupt traffic for a while!! because both FGTs will reboot and be offline for a couple of minutes.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
Labels
-
FortiGate
6,450 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.