New Contributor II

Security Fabric gone after upgrade 7.0.14 -> 7.2.8


First post!

I have an HA cluster which I used as a Fabric Root with FortiOS 7.0.14 along with a downstream FortiGate also on 7.0.14. The Security Fabric was set up over an IPsec VPN. After upgrading both the root and the downstream to 7.2.8 I lost connection with the downstream. The VPN interface seems to be down. Any idea what has changed from 7.0.14 to 7.2.8 as regards a Security Fabric over a VPN?

Thank you in advance.


You didn't mention which FortiGate models you're using, but I'm going to guess your Security Fabric Root HA cluster is a couple of FortiGate 40F, 60E, 60F, 80E or 90E models and you missed this section of the FortiOS 7.2.8 release notes:

FortiGate models with 2 GB RAM cannot be a Security Fabric root | FortiGate / FortiOS 7.2.8 | Fortin...


It's been this way since FortiOS 7.2.6.


Note that Fortinet has relaxed this new restriction slightly in FortiOS 7.4.2+, allowing 2GB models to be Fabric Roots again, but only for up to 5 downstream devices.


FortiGate models with 2 GB RAM can be a Security Fabric root | FortiGate / FortiOS 7.4.2 | Fortinet ...

New Contributor II

Thank you for your answer. I did indeed not provide much information. I was in a hurry. I'm sorry.


It is an HA cluster of 2 200Fs with a downstream 40F (3G/4G). The tunnel I used to join the downstream firewall went down after the upgrade. When I look in the CLI I see there is no Security Fabric, although in the GUI I do see my old fabric.


diag sys csf downstream -> gives nothing back


I am guessing that I have to set up SD-WAN differently, but I don't seem to find any references as to what exactly has changed from 7.0 to 7.2 regarding this issue. Do I have to enable the Fabric Overlay Orchestrator?


Hi @0xNat


I guess your issue is the IPsec tunnel not coming up after upgrading. Please refer to this article to collect IKE debugs:



New Contributor II

Thank you @hbac 

The IPsec going down looks like a consequence of upgrading. I have troubleshot the tunnel but I only see traffic going out from the root fabric to the downstream firewall. I don't get any response. My guess is that it has something to do with how 7.2.x handles SD-WAN because it worked perfectly before upgrading. The Fabric Overlay Orchestrator didn't exist on 7.0.x though.

My other problem is that I can't physically access the downstream firewall right now, so I am trying to guess how I have to configure things before getting to it (sometime next week).

New Contributor II

I'm planning to rebuild the security fabric next week following this technical tip:

I will post my results.
