Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Secucard
New Contributor III

Created on ‎08-21-2024 04:52 AM

FortiOS 7.2.9 for 120G series seems to break HA

Hi,

updating an active-passive setup for a 120G, from 7.0.15, to 7.2.9 seems to break HA totally.

It looks like the internal network can not be found anymore.

 

I raised a ticket on that. Downgrade is possible, but takes time and nervs.

Take care,

Ronny

 

2024-08-21 13:15:18 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:18 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:21 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:21 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:23 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1724238681/1724238923
2024-08-21 13:15:24 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:24 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:24 <hasync:WARN> conn=0x4760c3d0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:24 <hasync:WARN> conn=0x4760c3d0 abort: rt=-1, dst=169.254.0.1, sync_type=27(capwap)
2024-08-21 13:15:27 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:27 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:27 <hasync:WARN> conn=0x4760c3d0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:27 <hasync:WARN> conn=0x4760c3d0 abort: rt=-1, dst=169.254.0.1, sync_type=5(conf)
2024-08-21 13:15:30 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:30 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:33 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1724238681/1724238933
2024-08-21 13:15:33 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:33 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:36 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:36 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:36 <hasync:WARN> conn=0x4760c3d0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:36 <hasync:WARN> conn=0x4760c3d0 abort: rt=-1, dst=169.254.0.1, sync_type=18(byod)
2024-08-21 13:15:40 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:40 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:43 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:43 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:43 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1724238681/1724238943
2024-08-21 13:15:46 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:46 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)
2024-08-21 13:15:49 <hasync:WARN> conn=0x476086a0 connect(169.254.0.1) failed: 113(No route to host)
2024-08-21 13:15:49 <hasync:WARN> conn=0x476086a0 abort: rt=-1, dst=169.254.0.1, sync_type=3(fib)

 

Labels:
4323
0 Kudos
23 REPLIES 23
shpforti
New Contributor

Created on ‎08-25-2024 06:16 PM

We had a related problem yesterday, setting up a new HA, the FortiGates could see each other's serial number but unable to sync ("no route to host").  I decided to abandon the HA ports and selected a different port (port13) and HA synced up right away!

 

Probably something to do with the firmware not accommodating the different internal hardware switch of the HA and MGMT ports in this FortiGate.

1873
decador
New Contributor
In response to shpforti

Created on ‎08-27-2024 02:23 AM

We had the same issue and it worked for us as well. Thank you!

1761
0 Kudos
sferoz
Staff
Staff

Created on ‎08-27-2024 04:07 PM Edited on ‎08-28-2024 03:34 AM

Reg HA Cluster Out-Of-Sync issues and HA GUI page stuck in loading

In FOS 7.2.9, This is a platform specific issue for 120/121G models tracked in mantis #1056138

The fix is currently planned for 7.2.11.

As a workaround in FOS 7.2.9 120/121G,kindly use another port as hbdev other than mgmt and ha ports .

Thanks.

1668
FlavioB1
New Contributor III

Created on ‎08-27-2024 11:40 PM

Anybody got the bug ID for this issue?

In fact the HA port is directly attached to the SP5, as is the MGMT port. All other ports (16x GE RJ45, 4x 10GE SPF+, 8x GE SFP) are on the ISF (Integrated Switch Fabric).

1629
0 Kudos
Secucard
New Contributor III
In response to FlavioB1

Created on ‎08-28-2024 02:35 AM

No, nothing received yet.Some of the support guys when writting a ticket, still ask for logs, or do not even seem to know what happens behind the scenes. Also, this issue is not mentioned yet on the known-issues list. I asked multiple times to add this. I can imagine, many people run such UTM on a datacenter and may get into serious troubles if they do not try before or take care on this issue. Also, first they told us, it will be fixed in 7.2.10, then, now, in 7.2.11, which will be in late 2024 or even 2025. If I buy multiple 120G, I can expect to use at least a firmware with HTTP/2 support. 7.0.15 does not have it. But hey... it is just customers money...

1590
FlavioB1
New Contributor III
In response to Secucard

Created on ‎08-29-2024 11:25 PM

Thanks for your feedback. This confirms what I've been experiencing at least in the past 18 months: QA has become worse, which in turn results in software releases with less quality than in the past. Too many bugs hitting FOS (but not only - don't want to start with FCT!). Customers doing "beta-testing"... sad :(

1425
0 Kudos
Devnull
New Contributor

Created on ‎09-02-2024 06:39 AM

Hello Rony

I had the same problem. I moved to other HA-interface from HA to  "port1" an it works.
regards Gregor

1316
0 Kudos
itsystem
New Contributor

Created on ‎09-07-2024 12:28 AM

I have the same problem!

What is the best way to proceed, what do you advise, change ports (not use the HA port), and stay on version 7.2.9 and wait for the fix in 7.2.11, or leave HA and downgrade to 7.0.15?

1084
0 Kudos
FlavioB1
New Contributor III
In response to itsystem

Created on ‎09-07-2024 01:15 AM

Well, you get to answer it to yourself: do you need the 120G cluster running in production? Then DO NOT use the HA port and use for example port1 and port2.

Do you need the 120G just for playing around in your lab? Suit yourself and use the HA port waiting for the FOS release which will fix it.

I mean... no real need to post this question, as the solution/workaround is given already...

1067
itsystem
New Contributor
In response to FlavioB1

Created on ‎09-07-2024 09:43 AM Edited on ‎09-07-2024 09:45 AM

I'll rephrase the question!

Yes, I need HA in production, and if there are bugs in 7.2.9, and not only with HA, perhaps something else will come out tomorrow, maybe I’ll stay on 7.0.15 for now??

Which firmware is still better in production for 120G?

1037
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.