Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Coworksit1
New Contributor

Created on ‎09-26-2024 05:34 PM

May I know the cause of ha not sync?

Hello.

I have a question about Ha being out of sync.

Added user objects and groups to the portgate.

Immediately after that, it was not synchronized.

I deleted the object I created after HA was out of sync and it was resynchronized normally.

As before, when you create a user object on the master equipment and then use the Run ha Sync Start command to add/delete the user object, the synchronization was not broken.

Does anyone know why HA doesn't sync when creating objects?

If anyone knows about this issue, I would appreciate it if you could let me know the cause and how to respond.

Labels:
329
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to Coworksit1

Created on ‎09-26-2024 09:02 PM Edited on ‎09-26-2024 09:04 PM

It should be copied over right way. But your screen's refresh might take time. You never need to run "exe ha sync start" unless you intentionally run "exe ha sync stop". 
Again, if you keep watching at the output of "diag debug app" and keep checking the checksum differences, you would know exactly when it was copied and how slow/fast the GUI might be. Just don't rely on GUI to determine what's going on in HA operation.

Once it got stuck and the copy doesn't seem to happen any more, you can use the GUI to see what table is mismatching, which is much easier than CLI.

Toshi

View solution in original post

268
0 Kudos
4 REPLIES 4
Toshi_Esumi
SuperUser
SuperUser

Created on ‎09-26-2024 06:54 PM

How did you check it was out-of-sync? If GUI, it might take a while to reflect the status change.
You need to keep running
    diag debug app hasync -1
    diag debug app hasync -1

in a CLI window on both units when you make the changes on the primary side.
Then run..
    diag sys ha checksum recalculate
on both units after the change. And then keep checking...
    get sys ha status
    diag sys ha checksum cluster [ | grep all: <if you have too many vdoms>]

If you do this with a handful of changes, you can understand/sense/feel what's going on and what's not happening.

All of these should be described in this KB.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-synchronizati...

Toshi

307
0 Kudos
Coworksit1
New Contributor
In response to Toshi_Esumi

Created on ‎09-26-2024 07:43 PM

Hello

Thank you for your response.

 

1. How did you check it was out-of-sync?
- I checked it in the GUI. It came out like the screen below. (Example)

 

2024-09-27_11-32-03.png

 

2. If GUI, it might take a while to reflect the status change.

- So does the cause of haout of sync occur sometimes when GUI setting reflection is slow?

- In this case, should I use the execute ha synchronize start command to resolve it?
(If it doesn't work out, we will report the URL attached to the reply.)

 

 

Thank you

301
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Coworksit1

Created on ‎09-26-2024 09:02 PM Edited on ‎09-26-2024 09:04 PM

It should be copied over right way. But your screen's refresh might take time. You never need to run "exe ha sync start" unless you intentionally run "exe ha sync stop". 
Again, if you keep watching at the output of "diag debug app" and keep checking the checksum differences, you would know exactly when it was copied and how slow/fast the GUI might be. Just don't rely on GUI to determine what's going on in HA operation.

Once it got stuck and the copy doesn't seem to happen any more, you can use the GUI to see what table is mismatching, which is much easier than CLI.

Toshi

269
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎09-26-2024 06:59 PM Edited on ‎09-26-2024 07:00 PM

It should be in the KB but don't forget:
    diag debug enable
after those "diag debug app" commands, unless you're doing these through the console port.

Toshi

304
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.