After upgrading the firmware of a Fortigate 200F in an HA configuration from 7.0.5 to 7.2.2, the HA synchronization was lost. Ideally, we would like to upgrade all the way to version 7.4.3. Please advise on how to resolve the issue if synchronization breaks, and whether there is an upgrade path that avoids this problem.
A general answer would be you need to follow the steps in a KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-synchronizati...
Then find out what part of config is not syncing on the secondary, then compare (diff) that part of config between the primary's and the secondary's.
But before that, did you run "diagnose debug config-error-log read" described in the KB to check for any problems that happened during the upgrade on both units when each finished upgrading to 7.2.2? That command's output would tell quite a lot about trouble in config conversion, which likely caused the sync problem after the upgrade.
However, I generally don't trust upgrading FGT through those earlier versions, like 7.2.2F, 7.2.3F... those might have potential problems. I wouldn't target 7.4.3F either while the latest 7.4.8M is available. I would recommend upgrading the cluster to something like 7.0.13M first, so that the big jumps 7.0.x->7.2.x and 7.2.x->7.4.x wouldn't have to go through those lower F (feature release) versions.
Toshi
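As an added example, not from this thread and not a Fortinet tool, here is a small Python script for the "compare (diff) that part of config between the primary's and the secondary's" step: it parses two FortiOS-style `config / edit / set / next / end` dumps into nested dictionaries, diffs them path by path, and reports which top-level sections differ. The two config dumps are constructed for the example, and the list of per-unit settings to ignore (hostname is not synchronized between HA members) is an assumption you would extend for your own cluster.

```python
"""Diff two FortiOS-style configuration dumps (e.g. 'show full-configuration'
captured from the primary and the secondary) section by section.
Added example; the sample configs below are constructed, not real devices."""
from __future__ import annotations
import shlex

# Settings that are legitimately different on each HA member (assumption:
# hostname is per-unit; add others such as HA priority for your cluster).
IGNORED_PATHS = {"system global/hostname"}


def parse_fortios_config(text: str) -> dict:
    """Turn 'config X / edit Y / set K V... / next / end' into nested dicts.
    Leaf values are the list of tokens after the key, so multi-value
    settings like 'set allowaccess ping https ssh' keep their order."""
    root: dict = {}
    stack: list[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours quoted names like "port1"
        keyword = parts[0]
        if keyword == "config":            # open a table, e.g. "system interface"
            node = stack[-1].setdefault(" ".join(parts[1:]), {})
            stack.append(node)
        elif keyword == "edit":            # open an entry inside a table
            node = stack[-1].setdefault(parts[1], {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][parts[1]] = parts[2:]
        elif keyword == "unset":
            stack[-1].pop(parts[1], None)
        elif keyword in ("next", "end"):   # close the current entry / table
            stack.pop()
    return root


def diff_config(a: dict, b: dict, path: str = "") -> list[tuple[str, object, object]]:
    """Return (path, value_in_a, value_in_b) for every leaf that differs."""
    diffs: list[tuple[str, object, object]] = []
    for key in sorted(set(a) | set(b)):
        here = f"{path}/{key}" if path else key
        va, vb = a.get(key), b.get(key)
        if isinstance(va, dict) and isinstance(vb, dict):
            diffs.extend(diff_config(va, vb, here))
        elif va != vb:
            diffs.append((here, va, vb))
    return diffs


def compare_units(primary_text: str, secondary_text: str,
                  ignore: set[str] = IGNORED_PATHS) -> list[tuple[str, object, object]]:
    """Diff two config dumps, dropping paths that are expected to differ."""
    diffs = diff_config(parse_fortios_config(primary_text),
                        parse_fortios_config(secondary_text))
    return [d for d in diffs if d[0] not in ignore]


def differing_sections(diffs: list[tuple[str, object, object]]) -> list[str]:
    """Top-level config tables ('system interface', ...) that are out of sync."""
    return sorted({path.split("/")[0] for path, _, _ in diffs})


# Constructed sample dumps: the secondary is missing 'ssh' on port1 and the
# action on firewall policy 1, and has its own (expected) hostname.
PRIMARY = """
config system global
    set hostname "FGT-A"
    set admintimeout 10
end
config system interface
    edit "port1"
        set alias "WAN"
        set allowaccess ping https ssh
    next
    edit "port2"
        set alias "LAN"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
end
"""

SECONDARY = PRIMARY.replace('"FGT-A"', '"FGT-B"') \
                   .replace("ping https ssh", "ping https") \
                   .replace("        set action accept\n", "")

if __name__ == "__main__":
    found = compare_units(PRIMARY, SECONDARY)
    print("Sections out of sync:", differing_sections(found))
    for path, on_primary, on_secondary in found:
        print(f"  {path}: primary={on_primary} secondary={on_secondary}")
```

Feed it the two dumps captured from the console after both units have finished upgrading; the section names it prints are the ones to look at first when the HA status shows the secondary as out of sync.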
Thank you very much for your advice.
Based on your guidance, I would like to first change the milestone for the firmware upgrade.
While I strongly prefer to set it to 7.4.8M as you suggested, unfortunately, due to instructions from another organization, we have to use 7.4.3F.
Additionally, according to your advice, it would be better to perform "diagnose debug config-error-log read" before and after each firmware upgrade to verify that there are no issues, and to make minor adjustments if problems are found. Is my understanding correct?
I apologize for my beginner's question, but is it possible to run "diagnose debug config-error-log read" while the system is operational?
Thank you in advance.
Only after each unit finishes the upgrade and you see the "login:" prompt at the console should you get in and run "diag debug config-error-log read". A-P HA upgrades always start with the secondary's upgrade; then, when it finishes the upgrade, or the primary recognizes that the secondary finished the upgrade, they swap the primary-secondary roles and the previous primary starts upgrading itself. If you keep a console connected on both units, you would see the process.
We use terminal servers to get to all HA pairs' console ports remotely. Then as soon as I get the login prompt, the secondary (new or temp primary) first, then the primary (previous) next, I get in and check the errors. Obviously at that time the unit is operational.
Toshi
Thank you for your response.
I will try it next time I attempt again.
I will also provide an update then.