FortiGate HA out of sync troubleshooting
HTML-код
- Опубликовано: 21 авг 2024
- Troubleshooting HA Cluster out of syn.
How to access secondary unit of HA cluster via CLI
Syntax
execute ha manage [ID] [username]
exec ha manage ?
Command
exec ha manage 1 admin
Check HA Cluster out of sync Status
#get sys ha status
To Compare Checksum between 2 HA Cluster
diag sys ha checksum cluster
Recalculate the Checksum
diag sys ha checksum recalculate
Note: Recalculating the Checksum on both HA units will fix the out-of-syn issue
Optional
FortiGate HA Troubleshooting
Run the following commands to check the mismatch right away:
diag debug config-error-log read -- (1)
diag hardware device disk -- (2)
show sys storage -- (3)
show wanopt storage -- (4)
(1): Check the output to identify issues with configuration lines that were not accepted. Try to manually configure the device configuration item listed.
(2): Check the device disk on both devices as the size and availability should match.
(3): Check the size of storage disk as it should match on both device.
(4): Check the size of wanopt disk as size should match.
To determine why HA synchronization does not occur
1. Connect to each cluster unit CLI by connected to the console port.
2. Enter the following commands to enable debugging and display HA out of sync messages.
#diagnose debug enable
#diagnose debug console timestamp enable
#diagnose debug application hatalk -1
#diagnose debug application hasync -1
Collect the console output and compare the out of sync messages
3. Enter the following commands to turn off debugging.
diagnose debug disable
diagnose debug reset
tks a loot !!!!
Great video!
Hi, Thanks for offer this and very helpful!
I don't understand why will happen HA out of sync, sometimes my Fortigate will happen it.
Am glad it helps
Thanks I have solved same issue .
Am glad it helped.
Great video. I'm New with Fortinet and in my new job I have to manage several branch offices with Forti 40F. today I performed the firmware upgrade from 7.2.2 to 7.2.4 and lost the HA sync (out of sync). so, with the diag sys ha checksum recalculate command it should bring back up the HA? I already check the checksum and is different in both the FW. Thanks in advance. Regards
Yes that should fix it, but ensure that the firmware is same on both device. The most common issue is when there is a different configuration on the firewall that is not configured on the other that will cause the out-of-sync issue not to be resolved.
@@techy-world3716 thanks. Righ now the secundary is with the 7.2.4 and the primary with the 7.2.2. Should I upgrade the primary first? Regards
As long as both of them are on same version you should be fine, it doesn't matter which is upgrade first. But I will upgrade the lower version first to match the higher version. Either way it should work once they are on same version.
Does it require devices to reboot?
Yes it does. But most times it will reboot itself once HA is established.