No synch HA with FG 101E
Hello, I have 2 FortiGate 101E with FortiOS 5.4.6. I am trying to build an HA cluster with both but can't manage to sync the configuration between the master and the slave. I tried to recalculate the checksum quite a few times on both devices but it still isn't synchronizing.
hi,
and welcome to the forums.
For HA, you don't need to sync the HA members manually. If the cluster is forming at all, all files and status should sync automatically after some time.
The hardware needs to be identical for HA; that is, same P/N, same BIOS version and running the same FortiOS version. You can check that easily with 'get sys stat'. For instance, a FG-101E will not cluster with a FG-100E as the hardware disk is not present on one.
Does the HA cluster form at all, and you just see that something has not yet been sync'ed? Or is the cluster incomplete (get sys ha stats, GUI, virtual MACs etc.)?
I've tried a few more things right now, and I've also checked that the cluster is formed. From what I've seen so far the cluster is created and is working, but there is no replication between the two devices.
I've attached the cluster image from the master GUI.
Here is the result of the HA status from the master:
Cluster Uptime: 0 days 00:04:09
Master selected using:
<2018/04/13 14:14:04> FG101E4Q17003852 is selected as the master because it has the largest value of override priority.
<2018/04/13 14:14:03> FG101E4Q17003852 is selected as the master because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
override: disable
Configuration Status:
FG101E4Q17003852(updated 2 seconds ago): in-sync
FG101E4Q17003750(updated 2 seconds ago): out-of-sync
System Usage stats:
FG101E4Q17003852(updated 2 seconds ago):
sessions=13, average-cpu-user/nice/system/idle=5%/0%/2%/92%, memory=27%
FG101E4Q17003750(updated 2 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=17%/0%/7%/75%, memory=26%
HBDEV stats:
FG101E4Q17003852(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
FG101E4Q17003750(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
MONDEV stats:
FG101E4Q17003852(updated 2 seconds ago):
dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
FG101E4Q17003750(updated 2 seconds ago):
dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FG101E_HA_MAS , FG101E4Q17003852
Slave : FG101E_HA_SLA , FG101E4Q17003750
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG101E4Q17003852
Slave :1 FG101E4Q17003750
Please disable all HA port monitoring until the cluster has formed and is fully synchronized. I see that not all monitored ports are in state 'link up' on the slave unit. If this is commonly so, do not monitor them.
I can't upgrade to 5.4.8, my company wants to stay with 5.4.6 since they just upgraded the infra to it.
But it's ok now, I've just left the firewalls to think by themselves for like 2 hours and they finally synchronized.
Thanks for your help anyway, hope you have a good day.
# diagnose sys ha checksum show
Should return something like:
global: 0a 23 ce 1d f2 76 85 7a f0 8b 43 36 43 84 05 19
root: 73 cb 94 8d 19 80 e1 1c 8a b0 a1 28 32 0a ed 3a
From the above, find out which is not synced. You can do this on both units independently (from global: #execute ha manage <#>)
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-network-auth-type: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-roaming-consortium: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-nai-realm: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-3gpp-cellular: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-ip-address-type: 00000000000000000000000000000000
Log the output, or copy/paste, from both firewalls to a different text file. Use text editor to compare the two files. You will have something in there that shows what is out of sync.
When I tested recently, it was wtp-profile.
More info can be found here:
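The compare step from the post above can be scripted instead of done by eye in a text editor. This is an added example, not part of the original thread: it parses `diagnose sys ha checksum show` output saved from each unit and lists the objects whose checksums differ or are missing on one side. The function names, the `FGT-A`/`FGT-B` prompts and all checksum values in the sample captures are constructed for illustration.

```python
import re

# "name: <digest>" where the digest is 16 bytes, printed either contiguous
# (per-table lines) or as space-separated byte pairs (global/root lines).
LINE_RE = re.compile(r"^\s*([\w.\-]+):\s*((?:[0-9a-fA-F]{2}\s*){16})\s*$")


def parse_checksums(text):
    """Return {object_name: 32-char lowercase hex digest} from pasted CLI output."""
    sums = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # prompts, command echoes and blank lines do not match
            sums[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return sums


def diff_checksums(primary_text, secondary_text):
    """Return sorted (name, primary_digest, secondary_digest) mismatches.

    A digest of None means the object is absent from that unit's capture.
    """
    a = parse_checksums(primary_text)
    b = parse_checksums(secondary_text)
    names = sorted(a.keys() | b.keys())
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]


# Constructed sample captures (digests are made up, not real device output).
PRIMARY = """FGT-A # diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: 33333333333333333333333333333333
firewall.policy: 22222222222222222222222222222222
"""
SECONDARY = """FGT-B # diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: 44444444444444444444444444444444
"""

if __name__ == "__main__":
    for name, pri, sec in diff_checksums(PRIMARY, SECONDARY):
        print(f"{name}: primary={pri} secondary={sec}")
```
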