Firewall Fortigate HA

cardeckmann · ‎01-25-2023

I can't get them to sync in HA, I have already loaded all the same settings in both FWs, please help

Toshi_Esumi · ‎01-25-2023

Please share us two things below:

1. "show sys ha" in CLI

2. "get sys ha status" in CLI

of course, after masking some sensitive info in the outputs.

Toshi

cardeckmann · ‎01-25-2023

PRIMARY

seconday

FW-OT-PY # get sys ha status
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 1:51:52
Cluster state change time: 2023-01-25 17:30:44
Primary selected using:
<2023/01/25 17:30:44> vcluster-1: FG100FTK21003945 is selected as the primary because its uptime is larger than peer member FG100FTK20043686.
<2023/01/25 17:28:52> vcluster-1: FG100FTK21003945 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG100FTK21003945(updated 4 seconds ago): in-sync
FG100FTK20043686(updated 2 seconds ago): out-of-sync
System Usage stats:
FG100FTK21003945(updated 4 seconds ago):
sessions=25, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=33%
FG100FTK20043686(updated 2 seconds ago):
sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=32%
HBDEV stats:
FG100FTK21003945(updated 4 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=32511047/55335/0/0, tx=23629118/57362/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=16668822/32938/0/0, tx=17011281/33075/0/0
FG100FTK20043686(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=23633088/57369/0/0, tx=32516091/55348/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=17016435/33085/0/0, tx=16675400/32951/0/0
MONDEV stats:
FG100FTK21003945(updated 4 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=32511047/55335/0/0, tx=23629118/57362/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=16668822/32938/0/0, tx=17011281/33075/0/0
FG100FTK20043686(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=23633088/57369/0/0, tx=32516091/55348/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=17016435/33085/0/0, tx=16675400/32951/0/0
Primary : FW-OT-PY , FG100FTK21003945, HA cluster index = 0
Secondary : FW-PY-OT-2 , FG100FTK20043686, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FG100FTK21003945, HA operating index = 0
Secondary: FG100FTK20043686, HA operating index = 1

Toshi_Esumi · ‎01-25-2023

First, the monitoring interfaces are supposed to be for monitoring in/out interfaces for user traffic, not for HA/hardbeat interfaces. At this moment, it doesn't seem to be put in production so only port1 seems to be up. So just remove it.

But based on the get sys ha status output, they communicate each other without problem. "HA Health Status: OK".

Therefore, the problem is inside the config. You need to follow the KB below and find out what part is giving the secondary unit a problem(s) not to be able to sync with the primary.

Or if you open a ticket at TAC, they would figure this out for you.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out...

Toshi

gfleming · ‎01-25-2023

Ideally in HA set up you configure one of the FortiGates and then factory reset the other box and join it to the cluster. That way the configuration is synced from the primary only and there is no room for conflict.

More details at the documentation: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/900885/ha-active-passive-clu...

Cheers,
Graham

amuda · ‎10-18-2023

You may want to try this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Procedure-for-HA-manual-synchronization/ta...

Amerul
APAC TAC

Firewall Fortigate HA

Nominate a Forum Post for Knowledge Article Creation