Hello.
I have a question about HA being out of sync.
I added user objects and groups to the FortiGate.
Immediately after that, it was not synchronized.
I deleted the object I created after HA was out of sync and it was resynchronized normally.
As before, when you create a user object on the master equipment and then use the Run ha Sync Start command to add/delete the user object, the synchronization was not broken.
Does anyone know why HA doesn't sync when creating objects?
If anyone knows about this issue, I would appreciate it if you could let me know the cause and how to respond.
How did you check it was out-of-sync? If GUI, it might take a while to reflect the status change.
You need to keep running
diag debug app hasync -1
diag debug app hasync -1
in a CLI window on both units when you make the changes on the primary side.
Then run..
diag sys ha checksum recalculate
on both units after the change. And then keep checking...
get sys ha status
diag sys ha checksum cluster [ | grep all: <if you have too many vdoms>]
If you do this with a handful of changes, you can understand/sense/feel what's going on and what's not happening.
All of these should be described in this KB.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-synchronizati...
Toshi
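The checksum comparison step from the reply above, as an added example that is not part of the thread and not Fortinet code. It assumes the `diag sys ha checksum cluster` output has the layout of the constructed `SAMPLE` below (one banner per unit, then `debugzone` and `checksum` sections with `global:`, per-VDOM and `all:` lines); the serial numbers and checksum bytes are made up.

```python
import re

# Constructed sample in the layout assumed for "diag sys ha checksum cluster";
# serial numbers and checksum bytes are invented for illustration.
SAMPLE = """\
================== FGT-PRIMARY-0001 ==================
is_manage_primary()=1, is_root_primary()=1
debugzone
global: 11 22 33 44
root: aa bb cc dd
all: 01 02 03 04
checksum
global: 11 22 33 44
root: aa bb cc dd
all: 01 02 03 04
================== FGT-SECONDARY-0002 ==================
is_manage_primary()=0, is_root_primary()=0
debugzone
global: 11 22 33 44
root: aa bb cc ee
all: 01 02 03 05
checksum
global: 11 22 33 44
root: aa bb cc ee
all: 01 02 03 05
"""

UNIT_RE = re.compile(r"^=+\s*(\S+)\s*=+$")                        # unit banner
SUM_RE = re.compile(r"^([\w.-]+):\s*((?:[0-9a-f]{2}\s*)+)$", re.I)  # "root: aa bb"

def parse_checksums(text):
    """Return {unit: {section: {scope: hex_checksum}}}."""
    units, unit, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := UNIT_RE.match(line):
            unit, section = units.setdefault(m.group(1), {}), None
        elif line in ("debugzone", "checksum") and unit is not None:
            section = unit.setdefault(line, {})
        elif (m := SUM_RE.match(line)) and section is not None:
            section[m.group(1)] = "".join(m.group(2).split()).lower()
    return units

def mismatches(units, section="checksum"):
    """Scopes (global, each VDOM, all) whose checksum differs between units."""
    scopes = {s for u in units.values() for s in u.get(section, {})}
    return sorted(s for s in scopes
                  if len({u.get(section, {}).get(s) for u in units.values()}) > 1)

if __name__ == "__main__":
    print("out of sync:", mismatches(parse_checksums(SAMPLE)))
```

Run it on output captured from the CLI after each change: an empty list means every scope matches on all units, and a scope missing on one unit is reported as a mismatch.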
Hello
Thank you for your response.
1. How did you check it was out-of-sync?
- I checked it in the GUI. It came out like the screen below. (Example)
2. If GUI, it might take a while to reflect the status change.
- So does the cause of HA out of sync occur sometimes when GUI setting reflection is slow?
- In this case, should I use the execute ha synchronize start command to resolve it?
(If it doesn't work out, we will report the URL attached to the reply.)
Thank you
Created on 09-26-2024 09:02 PM Edited on 09-26-2024 09:04 PM
It should be copied over right away. But your screen's refresh might take time. You never need to run "exe ha sync start" unless you intentionally run "exe ha sync stop".
Again, if you keep watching the output of "diag debug app" and keep checking the checksum differences, you would know exactly when it was copied and how slow/fast the GUI might be. Just don't rely on GUI to determine what's going on in HA operation.
Once it got stuck and the copy doesn't seem to happen any more, you can use the GUI to see what table is mismatching, which is much easier than CLI.
Toshi
It should be in the KB but don't forget:
diag debug enable
after those "diag debug app" commands, unless you're doing these through the console port.
Toshi