Fortigate HA Cluster Out-of-Sync 100F

Issue

After initially setting up the Fortigate 100F HA cluster we got the annoying "out-of-sync" status. Digging into it, we found several causes: the two members had arrived on different firmware versions, and their initial configurations differed. This post documents the troubleshooting process and some of the configuration for the Fortinet HA firewall cluster.

Environment

  1. 2x Fortinet Fortigate 100F; the first one arrived on firmware 6.4.2, the second on 6.2.6.
  2. The HA cluster runs in Active-Passive (a-p) mode; the configurations are as below

Master:
config system ha
set group-id 10
set group-name FW-HA
set mode a-p
set password GuestMe
set session-pickup enable
set override enable
set override-wait-time 10
set priority 200
set hbdev ha1 10 ha2 24
end

Slave:
config system ha
set group-id 10
set group-name FW-HA
set mode a-p
set password GuestMe
set hbdev ha1 10 ha2 24
set session-pickup enable
set priority 100
end

  3. The MGMT interface has a different IP on each member; it is configured as the reserved HA management interface rather than through a separate management VDOM. (The reserved management interface settings are not synchronized between members, so this difference is expected and is not what causes the out-of-sync state. Note also that allowaccess below includes plain http; https and ssh are enough on a dedicated management interface.)

Master
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set gateway 10.168.91.254
next
end
end
config system interface
edit "mgmt"
set ip 10.168.91.21 255.255.255.0
set allowaccess ping https ssh http
set alias "Dedicated_MGMT"
next
end

Slave
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt"
set gateway 10.168.91.254
next
end
end
config system interface
edit "mgmt"
set ip 10.168.91.22 255.255.255.0
set allowaccess ping https ssh http
set alias "Dedicated_MGMT"
next
end

Troubleshooting

First, upgrade the firmware so that both members run the same version: HA members must be on the same firmware build before the cluster can synchronize.

Out-of-sync is on the secondary firewall

(Screenshot: Fortigate out-of-sync error in the output of the "get system ha status" command)

Check the cluster checksums with "diag sys ha checksum cluster": the "global" checksum is NOT the same on the two members...

(Screenshot: the output of the "diag sys ha checksum cluster" command)

To compare the config and diag outputs we use the Compare plugin for Notepad++. If you don't have it, install it from Plugins Admin; it is extremely handy for network engineers. Beyond Compare works for this as well:

(Screenshot: installing the Compare plugin from Notepad++ Plugins Admin)

The output of "diagnose sys ha checksum show global" narrows it down: the "system.interface" section is different.

(Screenshot: the output of "diagnose sys ha checksum show global")

Now export the config from each firewall and compare the two files in Notepad++. The difference turned out to be in the "fortilink" interface; since we are not using it, we removed that configuration and the out-of-sync status went away.

(Screenshot: Fortigate HA synchronized after comparing the firewall configuration on both members)
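As an added example that is not part of the original post, the script below automates the two comparisons made above: it parses the per-member table that "diagnose sys ha checksum cluster" prints and names the rows that disagree, then flattens two exported configs into objects and reports only the objects that differ, filtering out the reserved HA management interface, whose IP is meant to differ between members. The line formats are modelled on the real CLI output, but every sample in it (member names, checksums, the trimmed config exports and the "lldp-reception" difference) is constructed for the example.

```python
"""Added example (not code from the original post): pinpoint what an HA cluster
is out of sync on.  Part 1 parses the per-member table printed by
`diagnose sys ha checksum cluster`; part 2 flattens two exported configs and
diffs them object by object.  All sample text below is constructed."""
import re
from collections import OrderedDict

MEMBER_HDR = re.compile(r"^=+\s*(\S+)\s*=+$")        # "===== <serial> ====="
CHECKSUM_ROW = re.compile(r"^(\S+):\s*(.*)$")        # "global: 3f 2a ..."
CONFIG_LINE = re.compile(r"^(config|edit|set|unset|next|end)\b\s*(.*)$")

def parse_checksum_cluster(text):
    """-> {member: {"debugzone": {row: checksum}, "checksum": {row: checksum}}}"""
    members, member, block = OrderedDict(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = MEMBER_HDR.match(line)
        if hdr:                                      # new member section
            member, block = hdr.group(1), None
            members[member] = {"debugzone": {}, "checksum": {}}
        elif line in ("debugzone", "checksum"):      # sub-table header
            block = line
        elif member and block and (m := CHECKSUM_ROW.match(line)):
            members[member][block][m.group(1)] = m.group(2).strip()
    return members

def unsynced_rows(members):
    """Names of the `checksum` rows (global/root/all/...) that differ across members."""
    tables = [m["checksum"] for m in members.values()]
    rows = set().union(*(t.keys() for t in tables))
    return sorted(r for r in rows if len({t.get(r) for t in tables}) > 1)

def parse_config(text):
    """Flatten a config export into {path: [set/unset lines]}, e.g. ("system interface", "mgmt")."""
    objects, stack = OrderedDict(), []
    for raw in text.splitlines():
        m = CONFIG_LINE.match(raw.strip())
        if not m:                                    # blank, comment or banner line
            continue
        kw, rest = m.groups()
        if kw in ("config", "edit"):
            stack.append(rest.strip('"'))
            objects.setdefault(tuple(stack), [])
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        else:                                        # set/unset: attribute of the current object
            objects.setdefault(tuple(stack), []).append(m.group(0))
    return objects

def config_diff(cfg_a, cfg_b, expected=()):
    """{path: (lines only in a, lines only in b)} for objects that differ,
    ignoring any path that starts with one of the `expected` prefixes."""
    diffs = OrderedDict()
    for path in list(cfg_a) + [p for p in cfg_b if p not in cfg_a]:
        if any(path[:len(e)] == e for e in expected):
            continue
        a, b = set(cfg_a.get(path, [])), set(cfg_b.get(path, []))
        if a != b:
            diffs[path] = (sorted(a - b), sorted(b - a))
    return diffs

# Constructed sample mirroring the post: "global" and "all" disagree, "root" matches.
CHECKSUM_SAMPLE = """\
================== FG100F-A ==================
checksum
global: 3f 2a 91 0c 7d 4e 11 b8
root: 8c 1e 44 b2 0a 9f 63 d7
all: 5d 90 17 e4 6b 2c f8 31
================== FG100F-B ==================
checksum
global: c1 77 0e 5b 9a 2d 48 f3
root: 8c 1e 44 b2 0a 9f 63 d7
all: 12 4f a8 3b 61 d0 95 7c
"""
# Constructed exports trimmed to the interface table: the secondary differs in the
# reserved mgmt IP (expected) and is missing one fortilink attribute (the real problem).
MASTER_CFG = """\
config system interface
    edit "mgmt"
        set ip 10.168.91.21 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "fortilink"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set lldp-reception enable
    next
end
"""
SLAVE_CFG = (MASTER_CFG.replace("10.168.91.21", "10.168.91.22")
             .replace("        set lldp-reception enable\n", ""))
EXPECTED = (("system interface", "mgmt"),)          # reserved HA mgmt interface is not synced

def report(checksum_text=CHECKSUM_SAMPLE, cfg_a=MASTER_CFG, cfg_b=SLAVE_CFG, expected=EXPECTED):
    """Run both checks: (checksum rows that differ, config objects that differ)."""
    rows = unsynced_rows(parse_checksum_cluster(checksum_text))
    return rows, config_diff(parse_config(cfg_a), parse_config(cfg_b), expected)

if __name__ == "__main__":
    print(report())
```

Run it as-is to see the result on the constructed sample, or paste a real "diagnose sys ha checksum cluster" capture into CHECKSUM_SAMPLE and the two "show full-configuration" exports into MASTER_CFG and SLAVE_CFG. Extend EXPECTED with any object you know is intentionally different per member, such as the priority and override settings under "config system ha" shown earlier on this page, so the report only lists real drift.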

Fortinet KB:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40284
