Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate 240D cluster out of sync every time
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 240D cluster out of sync every time
Hello,
One of our customers has a Fortigate 240d cluster with one unit in Datacenter A and one in Datacenter B.
Software is FortiOS 5.2.2
I have checked with commands
diag debug application hasync -1
diag debug application hatalk -1
diag debug enable
On the master I entered
execute ha synchronize start
diag sys ha status
diag sys ha showcsum
diag sys ha showcsum 1
diag sys ha showcsum 2
diag sys ha showcsum 3
The units get out of sync each time a number of (small) changes are made.
Are there people familar with this issue, is it FortiOS5.2.2 related perhaps?
Kind regards,
Ralph Willemsen
Labels:
- Labels:
-
5.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
- Does the checksum value match on both the Master and Slave devices?
- Config is synced only when you run the command 'execute ha synchronize start' or they automatically sync after some time?
Verify if the below settings is enabled or not
config system ha
set sync-config enable --->>> this is enabled by default, verify the same if it is not changed by mistake
end
If the above in place, then look for CPU usage of the Fortigate when the changes are made. If so, the sync will be given least preference over the other tasks handled by the CPU at that time.
Cheers!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, thank you for your reply. The cluster is out of sync and stays out of sync now, even after executing the command "execute ha synchronize start"
See attached the checksums.
Fortinet suggests
Power down the slave unit. Connect only the heartbeat cables to the slave. Turn ON the power of the slave unit. Login to the master web Gui; go to > system > config > HA > if there are 2 images of Fortigate units > HA is formed after few minutes check with below command on BOTH units and compare the result of Master with Slave, if it is same slave is fully synchronized #diag sys ha showcs - If the checksums are same, - then you can connect the LAN/WAN cables to the slave I would recommend to remove the slave unit from cluster, execute factory reset and then plug it back to cluster.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How your NTP settings? And the status?
e.g
diag sys ntp status
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Ralph, Based on the output, you have few things to be verified on : 1) Checksum is different - Yes, resetting the unit to factory defaults and re-building the HA may resolve the issue, but that should be last step - A reboot can be tried - I see there are no VDOMs enabled, it is default VDOM 'root', so below command should help : #diag sys ha showcsum 01 root This command will list the checksum for all the config and objects (like firewall policies, interface settings etc.,). You can get the output from both the devices and use any compare tool to verify which specific config is not syncing and there should be something wrong with that specific setting which can be corrected manually(if needed) 2) The device with lower priority (100) is the master now. - Did you trigger a manual failover to the slave unit? Check if the physical connectivity(monitored ports) on both the Fortigate units is same
As 'emnoc' mentioned in the previous post, check the system time also to be sure on that front.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, thank you for your answers/suggestions.
This morning I executed a factory reset of the slave device and did a rebuilt of the cluster.
The slave says after a while that it synchronized successfully with the master, but after 10 or 20 seconds it is out of sync again.
I did the entire procedure once more (factory reset) but the problem stays the same.
The time is synched via fortiguard ntp services and appears to be correct.May it be caused by the software or does anyone have suggestions?
attached the comparision of master and slave ha checksums which are completely different :(
Thanks for your help,
Ralph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ralph1973 wrote:Hello, thank you for your answers/suggestions.
This morning I executed a factory reset of the slave device and did a rebuilt of the cluster.
The slave says after a while that it synchronized successfully with the master, but after 10 or 20 seconds it is out of sync again.
I did the entire procedure once more (factory reset) but the problem stays the same.
The time is synched via fortiguard ntp services and appears to be correct.May it be caused by the software or does anyone have suggestions?
attached the comparision of master and slave ha checksums which are completely different :(
Thanks for your help,
Ralph
Checksum confirms that there are several differences in the config.
Now, you can compare the config of both the Master and Slave units with any diff tool like (notepad ++) and verify the settings which are not in sync. See if those settings(like address objects) are custom and has anything unusual like a special character or a space or even in the name or even in the comments section.
Also, as emnoc said, just try an addition of a test object and see if that reflects on the slave.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I personally would not go by that checksum, but capture the conf file from both units and run a "diff" and/or "md5 checksum". You can tell if the 2 are in sync , by doing a same change on the master and ensure it's populated to the slave.
i.e
config firewall address
edit test123
set subnet 192.0.2.1/32
set comment " this is a test "
end
And then jump on the slave and show firewall address test123
Unless your unit is highly CPU/MEM, the changes should be push by the time you execute execute ha man1
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, when extracting the config on master and slave via putty and comparing them, I only notice that entries are in a different place. The config itself looks identical. Also when adding an object on the master, you will see it back on the slave as well.
How strange is it.
Now Fortinet says to factory reset the other unit as well and rebuild the HA. I doubt if this would ever solve this sync issue. I think it may be caused by FortiOS 5.2.2
Thanks for your support.
Ralph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ralph,
did you ever find out the reason for this? I'm about to form a new cluster with just the same hardware (but probably v5.2.3) and would appreciate your input.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Captive portal 15 Views
- FortiGate Cloud Status: Error Logging In 79 Views
- not opening splash page when connecting... 65 Views
- Fortimail VM - Too many hops 36 Views
- What is exactly "major" version? 187 Views
Labels
-
FortiGate
8,486 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
460 -
FortiSwitch
458 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.