- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate HA in-sync/out-of-sync
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate HA in-sync/out-of-sync
2016-10-04T14:00:20.092804+02:00 date=2016-10-04 time=14: 00:13 devname=FG800C3913801910 devid=FG800C3913801910 logid=0100037903 type=event subtype=system level=information vd="root" msg="The sync status with the master" sync_type=configurations sync_status="in-sync" 2016-10-04T14:00:25.128612+02:00 date=2016-10-04 time=14: 00:19 devname=FG800C3913801910 devid=FG800C3913801910 logid=0100037903 type=event subtype=system level=information vd="root" msg="The sync status with the master" sync_type=configurations sync_status="out-of-sync"
I have a lot of logs like the ones above. In fact it seems that master and slave are not in sync. The synchronization status of the two cluster units :
FG800C3913801256 (global) # di sys ha cluster-csum ================== FG800C3913801256 ================== is_manage_master()=1, is_root_master()=1 debugzone global: 94 ff 8c be 11 c1 c0 57 4d d7 73 dd c0 f0 46 db vdc: 3e 57 22 61 f0 58 af 18 66 9c b1 c9 ae 30 ac 75 root: 74 1b f9 bd 5c 41 a4 64 4f d3 1c b5 5c 5a 2c 84 WiFi: 12 17 17 a0 0c eb 1c 19 a8 4a aa 6d ae 5e b8 54 all: 46 ff b5 f4 54 d7 bf 22 c3 7f 4b 52 fb 03 a3 10 checksum global: 94 ff 8c be 11 c1 c0 57 4d d7 73 dd c0 f0 46 db vdc: 3e 57 22 61 f0 58 af 18 66 9c b1 c9 ae 30 ac 75 root: 74 1b f9 bd 5c 41 a4 64 4f d3 1c b5 5c 5a 2c 84 WiFi: 12 17 17 a0 0c eb 1c 19 a8 4a aa 6d ae 5e b8 54 all: 46 ff b5 f4 54 d7 bf 22 c3 7f 4b 52 fb 03 a3 10 ================== FG800C3913801910 ================== is_manage_master()=0, is_root_master()=0 debugzone global: 94 ff 8c be 11 c1 c0 57 4d d7 73 dd c0 f0 46 db vdc: 3e 57 22 61 f0 58 af 18 66 9c b1 c9 ae 30 ac 75 root: 74 1b f9 bd 5c 41 a4 64 4f d3 1c b5 5c 5a 2c 84 WiFi: 4f 3b c4 89 c9 4d e4 19 c6 24 9d 22 d6 9f 4f 8c all: 1e 56 a9 10 5b 8c c1 6d d6 12 38 fb 4a 3c 93 bc checksum global: 94 ff 8c be 11 c1 c0 57 4d d7 73 dd c0 f0 46 db vdc: 3e 57 22 61 f0 58 af 18 66 9c b1 c9 ae 30 ac 75 root: 74 1b f9 bd 5c 41 a4 64 4f d3 1c b5 5c 5a 2c 84 WiFi: 4f 3b c4 89 c9 4d e4 19 c6 24 9d 22 d6 9f 4f 8c all: 1e 56 a9 10 5b 8c c1 6d d6 12 38 fb 4a 3c 93 bc
However with diagnose sys ha showcsum 01 for each vdom and diagnose sys ha showcsum 1 on both master and slave units I've found there are no differences. So why ??? what shall I check yet ? maybe I should force recalculating checksum on slave or both units with command diag sys ha csum-recalculate ? or just forcing resync on the slave unit with the command exec ha synchronize start ?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Which firmware do you have ?
I had sometimes this issue with firmware 5.2.3. A diag sys ha csum-recalcutate on both unit will stop these log.
Lucas
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On this way, check first the hello packets knows as FGCP in Fortinet which number is 703 TCP.
Execute this command and attach the output.
diagnose sniffer packet any 'port 703' 4
Best regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Which firmware do you have ?
I had sometimes this issue with firmware 5.2.3. A diag sys ha csum-recalcutate on both unit will stop these log.
Lucas
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Which firmware do you have ? I had sometimes this issue with firmware 5.2.3. A diag sys ha csum-recalcutate on both unit will stop these log. Lucas
Passing by just to say that we were with this exactly problem.
Just did the recalculate-checksum and aparently it solved our problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have exactly the same problem with my 2-Node Cluster Version v5.4.4,build6003 (GA)
once per day we are getting 2 Messages/Mails mostly / always in the same time!
"out-of-sync" and "in-sync" !
Since we have Fortigate and Company!!!5 Months!
di sys ha cluster-csum -- show that Cluster are in-sync!
On other 2-Node Cluster with the same Version v5.4.4,build6003 (GA) we didn't have this kind of messages
till last week!
What I did?:
I create 1 FQDN Address Object and I create Firewall policy with this FQDN FQDN Address Object. FQDN Address Object: albaulicense.alsoft.net (resolved and O.K.)
Now I start getting this messages "out-of-sync" and "in-sync" also on other HA! once per day and mostly always in the same time!
If I disable this policy, that I create above, messages doesn't stops, but if I delete this policy messages stopped coming!
Did somebody have Idea why and how can I resolve this problem and stop this messages coming?
Thanks
gruner-it
-----
Message meets Alert condition date=2017-06-02 time=04:49:37 devname=xxxxxx devid=XXXXXXXXXXXXX logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="out-of-sync"
Message meets Alert condition date=2017-06-02 time=04:50:22 devname=xxxxxx devid=XXXXXXXXXXXXX logid=0108037903 type=event subtype=ha level=information vd=root logdesc="Synchronization status with master" msg="The sync status with the master" sync_type=external-files sync_status="in-sync"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get one out of sync message every night when the unit does it's ips signature update, I just live with it. My units are scheduled to pull updates at 1am and I see the same errors a few mi utes later every night.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIBarigui wrote:Problem solved here too recalculating checksum in master unit. The problem began when rebooting slave unit for testing. In 5.4 the command is: diagnose sys ha checksum recalculateHi, Which firmware do you have ? I had sometimes this issue with firmware 5.2.3. A diag sys ha csum-recalcutate on both unit will stop these log. Lucas
Passing by just to say that we were with this exactly problem.
Just did the recalculate-checksum and aparently it solved our problem.
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45183
James_G wrote:This is normal behaviour.
I get one out of sync message every night when the unit does it's ips signature update, I just live with it. My units are scheduled to pull updates at 1am and I see the same errors a few minutes later every night.
José Ignacio Martín Jiménez
José Ignacio Martín Jiménez
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Checksum recalculate worked for me as well. V6.4.4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same problem (Cluster in/out of sync) since upgrading from 6.4.7 to 7.0.5.
#diagnose sys ha checksum recalculate command does not help (have tried on both primary and secondary node)
Any suggestions how to fix this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check first what your logs are about:
sync_type=external-files / configurations / etc
And then isolate that part of configuration that is different.
There is no universal fix for everyone!
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Related Posts
Labels
-
FortiGate
6,446 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.