New Contributor

FortiOS Upgrade - Broken HA Pair

Something went wrong during a firmware upgrade on an HA pair at one of our data centers. The 'B' unit completed the upgrade successfully, but the 'A' unit was left on the old firmware version, causing the pair to show as out of sync. The B unit ended up becoming the primary, so when logging into the GUI I am now connecting to that unit.

I opened a ticket with Fortinet and their recommendation was to physically connect to the A unit, flash the updated firmware, then restore the config. This DC is a long drive away and their on-site team doesn't have the technical knowledge to assist with this. Is there any way of fixing this remotely? If I run 'execute ha manage 1' I can still connect to the other unit as expected.

I tried running the upgrade to 7.0.11 from the B unit, hoping this one would be successful and they would sync, but I am getting a 'cannot validate firmware version' error from the GUI regardless of whether I use file upload or have the gate download the update from FortiGuard.
Esteemed Contributor III

Based on your description I'm worried about possible hardware/cabling issues with the 'A' unit. First, you definitely need console access to see what's happening. We always have a terminal server at all our DCs where we operate an HA cluster, with remote console access to both units for troubleshooting like this. If you don't, you need to get a remote hand with a laptop connected to the console port, then let the tech connect the laptop to the internet over wifi so that you can remotely access the tech's laptop. That way the tech doesn't have to be so knowledgeable.

But once you have ruled out or figured out any hardware issues, you need a machine running TFTP server software so that the A unit can download a freshly downloaded image from that machine. That requires some skills if you ask an onsite person. To operate the download after flashing the boot drive on the unit, you need console access as well.
If you don't have the environment to operate remotely, you might prefer driving 2-3 hours instead of trusting the onsite tech, even if they don't deny your request.