- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Unexpected HA failover issues
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unexpected HA failover issues
Hello all,
i have an issue with two Fortigate 60B configured in HA active-passive mode
heartbeat interfaces:
- WAN1 connected through a switch with dedicated vlan ports (untagged)
- WAN2 connected directly with a cross cable
Randomly several times a day the cluster start an HA failover with these logs:
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:27 devname=company-fw2 device_id=FGT60B3908650580 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=slave hbdn_reason=neighbor info lost devintfname=wan2
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:27 devname=company-fw2 device_id=FGT60B3908650580 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=slave hbdn_reason=neighbor info lost devintfname=wan1
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:28 devname=company-fw1 device_id=FGT60B3908670675 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=neighbor info lost devintfname=wan2
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:28 devname=company-fw1 device_id=FGT60B3908670675 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=neighbor info lost devintfname=wan1
- no power outage (firewalls and swithes are connected to an ups, switches are always online)
- no switch problems (no evidence of restart or problems in their logs)
I' ve tried to enable alternatively only one heartbeat interface, first wan1 then wan2, with no success.
When the HA failover occurr, clients inside lan lost their internet connection and all vpn tunnels are brought down causing big connectivity troubles
Initially there was only one firewall connected, working perfectly. When i added the second firewall in HA mode the problems started immediatley.
In the past I' ve configured several others units in HA mode with no problems. I cannot explain the reason of this malfunctioning.
I opened a support ticket more than one month ago, only to discovered that the technical support is very poor (one answer every 4-5 days) and it' s totally useless because they don' t have any idea how to solve the problem.
Thanks in advance for your support, you' re my last chance :)
Bye
Gianf
Bye Gianf
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks all, l' ll let you know
What about upgrading to 4.0 MR3? Is it yet ready for production?
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I would stick with MR2. Get the kinks ironed out, then move up if you feel you need the newer features.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Bob
i' ll follow your advice :)
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, yesterday i' ve upgraded the firmware of the cluster to 4.0 MR2 Patch 12
I' ll wait to see if the problem still persist.
In the meantime there' s a new problem, the units do not synchronize between them.
Here is the console log:
company-fw2 login: slave' s external files are not in sync with master, sequence:0. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:0. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:1. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:2. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:3. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:4. (type CERT_LOCAL)
slave succeeded to sync external files with master
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
here the synchronization stop, to resume it i need to reboot the slave unit, but the problem still persist:
company-fw2 login: admin
Password: *********
Welcome !
company-fw2 # execute reboot
This operation will reboot the system !
Do you want to continue? (y/n)y
The system is going down NOW !!
System is rebooting...
company-fw2 #
Please stand by while rebooting theFGT60B (15:29-09.06.2007)
Ver:04000006
Serial number:FGT60B9999999999
RAM activation
Total RAM: 256MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu...
......
Reading boot image 1817002 bytes.
Initializing firewall...
System is started.
company-fw2 login: slave' s external files are not in sync with master, sequence:0. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:1. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:2. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:3. (type CERT_LOCAL)
slave' s external files are not in sync with master, sequence:4. (type CERT_LOCAL)
slave succeeded to sync external files with master
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
slave' s configuration is not in sync with master' s, sequence:0
slave' s configuration is not in sync with master' s, sequence:1
slave' s configuration is not in sync with master' s, sequence:2
slave' s configuration is not in sync with master' s, sequence:3
slave' s configuration is not in sync with master' s, sequence:4
slave starts to sync with master
logout all admin users
slave failed to sync with master, will try again in a moment
and the synchronization stops again.
I' ve followed this kb:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31379&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=34334483&stateId=0 0 34336209
without success, the command " execute ha synchronize config" does not start any synchronization.
I didn' t restart the primary unit yet, i' m afraid that if i will restart it i will lose access to the cluster because i don' t know how correctly the slave unit will work.
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you log into the slave, check the firmware version. Make sure it upgraded as well.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems all ok:
company-fw1 # get system status
Version: Fortigate-60B v4.0,build0346,120606 (MR2 Patch 12)
Virus-DB: 15.00748(2012-06-24 15:28)
Extended DB: 15.00734(2012-06-22 07:33)
IPS-DB: 3.00203(2012-06-20 22:19)
FortiClient application signature package: 1.503(2012-06-22 17:58)
Serial-Number: FGT60XXXXXXXXXX
BIOS version: 04000009
Log hard disk: Not available
Internal Switch mode: switch
Hostname: company-fw1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 346
Release Version Information: MR2 Patch 12
System time: Mon Jun 25 11:36:55 2012
company-fw1 # execute ha manage 1
company-fw2 $ get system status
Version: Fortigate-60B v4.0,build0346,120606 (MR2 Patch 12)
Virus-DB: 15.00748(2012-06-24 15:28)
Extended DB: 15.00734(2012-06-22 07:33)
IPS-DB: 3.00203(2012-06-20 22:19)
FortiClient application signature package: 1.503(2012-06-22 18:05)
Serial-Number: FGT60BYYYYYYYYYYYY
BIOS version: 04000006
Log hard disk: Not available
Internal Switch mode: switch
Hostname: company-fw2
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, backup
Distribution: International
Branch point: 346
Release Version Information: MR2 Patch 12
System time: Mon Jun 25 11:37:20 2012
Only the BIOS version it' s different, do you think it' s a problem?
Bye
Gianf
Bye Gianf
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Dual WAN remote access IPSec VPN... 248 Views
- FortiGate Link Monitor Failover Issue 2877 Views
- AWS IPSEC on BGP routing (how... 3294 Views
- WAN Failover not working 603 Views
- TTL of session at hardware FortiGate... 673 Views
Labels
-
FortiGate
6,947 -
FortiClient
1,369 -
5.2
801 -
5.4
639 -
FortiManager
600 -
FortiAnalyzer
440 -
6.0
416 -
5.6
362 -
FortiAP
362 -
FortiSwitch
359 -
FortiClient EMS
281 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
99 -
FortiGateCloud
92 -
FortiSIEM
91 -
SSL-VPN
87 -
FortiCloud Products
85 -
FortiToken
76 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
42 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
High Availability
28 -
FortiAuthenticator
27 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 999 | |
| 832 | |
| 468 | |
| 440 | |
| 136 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.