Fortigate upgrade with HA unsynchronized

achin · ‎10-09-2023

I have two unsynchronized fortigate 200f devices (v7.2.5) hooked up to HA.
After the last update the checksums got so bad that the only path recommended by support was to configure the slave device from scratch. Recalculating the checksums manually didn't do anything.

I concluded that I would hold off until the new firmware was released, hoping that after uploading v7.2.6 the devices would sync up again.

Has anyone used this solution successfully? Should I now start the upgrade with the master or slave?

https://19216811.cam/ https://1921681001.id/

xshkurti · ‎10-09-2023

@achin
If you try to upgrade while fortigates are not in synch, your upgrade most probably will stuck and not go forward.

So the best case is to disconnect secondary unit, upgrade both members separately, factory reset secondary device, and configure cluster settings, then connect HA port cables , wait for it to synch and then connect traffic carrying ports.

esalija · ‎10-09-2023

Hi,

For rebuilding the HA cluster please follow the KBs - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Rebuilding-an-HA-cluster/ta-p/195429

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-or-replace-a-unit-in-High-Avail...

Best regards,

Erlin

Toshi_Esumi · ‎10-09-2023

7.2.6 has been out since two weeks ago. But if two many parts of configuration is unsyncable due to conflicts, most unlikely upgrading both units wouldn't help match. I would just isolate the secondary, factory reset, configure HA, then re-reconnect heartbeat connection to the primary to let it sync, which keep watching at the progress of syncing at both primary and secondary console ports.

Toshi

Fortigate upgrade with HA unsynchronized

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website