Hello, I have 2 FortiGate 101E with FortiOS 5.4.6. I'm trying to build an HA cluster with both but can't manage to sync the configuration between the master and the slave. I tried to recalculate the checksum quite a few times on both devices but it still isn't synchronizing.
hi,
and welcome to the forums.
For HA, you don't need to sync the HA members manually. If the cluster is forming at all, all files and status should sync automatically after some time.
The hardware needs to be identical for HA; that is, same P/N, same BIOS version and running the same FortiOS version. You can check that easily with 'get sys stat'. For instance, a FG-101E will not cluster with a FG-100E as the hardware disk is not present on one.
Does the HA cluster form at all, and you just see that something has not yet been sync'ed? Or is the cluster incomplete (get sys ha stats, GUI, virtual MACs etc.)?
I've tried a few more things right now, and I've also checked that the cluster is formed. From what I've seen so far the cluster is created and is working, but there is no replication between the two devices.
I've attached the cluster image from the master GUI.
Here is the result of the HA status from the master:
Cluster Uptime: 0 days 00:04:09
Master selected using:
<2018/04/13 14:14:04> FG101E4Q17003852 is selected as the master because it has the largest value of override priority.
<2018/04/13 14:14:03> FG101E4Q17003852 is selected as the master because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
override: disable
Configuration Status:
FG101E4Q17003852(updated 2 seconds ago): in-sync
FG101E4Q17003750(updated 2 seconds ago): out-of-sync
System Usage stats:
FG101E4Q17003852(updated 2 seconds ago):
sessions=13, average-cpu-user/nice/system/idle=5%/0%/2%/92%, memory=27%
FG101E4Q17003750(updated 2 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=17%/0%/7%/75%, memory=26%
HBDEV stats:
FG101E4Q17003852(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
FG101E4Q17003750(updated 2 seconds ago):
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
MONDEV stats:
FG101E4Q17003852(updated 2 seconds ago):
dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
FG101E4Q17003750(updated 2 seconds ago):
dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FG101E_HA_MAS , FG101E4Q17003852
Slave : FG101E_HA_SLA , FG101E4Q17003750
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FG101E4Q17003852
Slave :1 FG101E4Q17003750
Please disable all HA port monitoring until the cluster has formed and is fully synchronized. I see that not all monitored ports are in state 'link up' on the slave unit. If this is commonly so, do not monitor them.
I can't upgrade to 5.4.8, my company wants to stay with 5.4.6 since they just upgraded the infra to it.
But it's OK now, I just let the firewalls think by themselves for like 2 hours and they finally synchronized.
Thanks for your help anyway, hope you have a good day.
# diagnose sys ha checksum show
Should return something like:
global: 0a 23 ce 1d f2 76 85 7a f0 8b 43 36 43 84 05 19
root: 73 cb 94 8d 19 80 e1 1c 8a b0 a1 28 32 0a ed 3a
From the above, find out which is not synced. You can do this on both units independently (from global: #execute ha manage <#>)
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-network-auth-type: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-roaming-consortium: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-nai-realm: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-3gpp-cellular: 00000000000000000000000000000000
wireless-controller.hotspot20.anqp-ip-address-type: 00000000000000000000000000000000
Log the output, or copy/paste, from both firewalls to a different text file. Use a text editor to compare the two files. You will have something in there that shows what is out of sync.
When I tested recently, it was wtp-profile.
More info can be found here:
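
The file comparison described in the post above can be scripted. The following is an added example, not part of the original thread: it parses two saved captures of the per-VDOM checksum output and lists the tables whose checksums differ. The capture contents and checksum values are constructed for illustration; only the `name: checksum` line format is taken from the output quoted above.

```python
import re

# One "table-name: checksum" entry per line, as in the output quoted above.
# Checksums may be printed as one hex string or as space-separated bytes.
ENTRY_RE = re.compile(r"^\s*([\w.\-]+):\s*((?:[0-9a-fA-F]{2}[ \t]?)+)\s*$")

def parse_checksums(text):
    """Return {table_name: normalized_hex}; CLI prompts and other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return entries

def out_of_sync(master_text, slave_text):
    """List (table, master_sum, slave_sum) where the two units disagree.
    A table missing on one unit is reported with None on that side."""
    master, slave = parse_checksums(master_text), parse_checksums(slave_text)
    return [(name, master.get(name), slave.get(name))
            for name in sorted(set(master) | set(slave))
            if master.get(name) != slave.get(name)]

# Constructed sample captures (checksum values are made up).
MASTER_CAPTURE = """\
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: 5f1c0e9a77b3d2468c0a1e3f94d6b852
firewall.policy: 9d3e41aa0c57f1b28e6604d3c7a915fb
"""
SLAVE_CAPTURE = """\
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: a40b7d12e98c3f6501d2b7c4486e9a03
"""

if __name__ == "__main__":
    for table, m_sum, s_sum in out_of_sync(MASTER_CAPTURE, SLAVE_CAPTURE):
        print(f"{table}: master={m_sum} slave={s_sum}")
```

An empty result means every table present in the two captures carries the same checksum on both units.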