Removing However, when the proper command is typed, you can see a different output but you see it based on blades or line cards. Similar to the above command, this command specifies global. Specifically on the 7K, 6K, and 3700D series boxes, there is a different set of commands to run to validate synchronization. Scope . If you see that the files are in sync from a diagnose sys ha checksum show perspective and the output of get system ha status shows that they are in sync, give it time to sync. and how to see when public IP This will indicate a successful cluster formation. ), Primary Unit selection with override disabled, Primary Unit selection with override enabled. Updating IP address on Stephen_G. Start with the following console command: Pay attention to the information close to the top, which shows any warnings related to the cluster. the Azure resource group is done. Troubleshooting Commands: Fortigate HA Use Config Global Mode get system ha status -> shows HA and Cluster failover Information FortiGate (global) # get sys ha status HA Health Status: OK Model: FortiGate-VM64-KVM Mode: HA Active Passive Group: HA-Group Debug: 0 Cluster Uptime: 211 days 5:9:44 Cluster state change time: 2022-04-16 14:21:15 progresses or an error. The LAG interface status behavior can be adjusted with the "min-links" described here. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, 2020-12-12 13:02:21 updating route table DefaultRouteTable Cluster members must have: The same model. This tells you the configuration is in sync. Troubleshooting Before starting HA failover, it would be good to verify HA status is in-sync by # get system ha status If HA status is not in-sync, you can check how to troubleshoot HA synchronization issue https://kb.fortinet.com/kb/documentLink.do?externalID=FD45183 You can run the debug commands below before proceeding with HA failover. Copyright 2022 Fortinet, Inc. All Rights Reserved.
See the handbook for details on when the override is enabled. FortiGate-B-nic1", status: InProgress. For instance, if there are 3 interfaces currently down, link_failure will equal 150. If the interface monitor's list is updated during the cluster operation the link_failure count will be reset to reflect the current monitored interface status (UP or Down). When you run the non-chassis command, you can see that the devices appear to be out of sync (See red text below). Next, check the history of the election process by running the following command: The history above is limited to 512 entries and is persistent to reboots. Azure and how to see when public IP Do not use it in a live production environment outside of an active maintenance window. By Primary FortiGate High Availability Setup. 'FG800D3916800747': ha_prio/o=1/1, link_failure=50, pingsvr_failure=0, flag=0x00000000, mem_failover=0, uptime/reset_cnt=0/4 'FG800D3916801158': ha_prio/o=0/0, link_failure=50, pingsvr_failure=0, flag=0x00000001, mem_failover=0, uptime/reset_cnt=349084/1. To reset the uptime manually, run the following command: When resetting the uptime manually, a cluster transition may occur. Close to the bottom, confirm the Primary and Secondary unit's roles by the hostname. Also, 'diag sys ha dump-by group' or 'dump-by vcluster' will increment the 'reset_cnt' and also reset the uptime count to zero. 2020-12-12 13:02:21 operation: "updating route table xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, rc: 0. FortiGate-A-nic1", status: InProgress. the new master unit is done. The get system ha status will give you the following output: You can see the section that says in-sync. 2020-12-12 13:01:36 adding pubip <----- Moving public IP address to the new master unit. So I'm going to set my Primary firewall to 200 and my Secondary firewall to 100.
config system ha set group-id 10 set group-name HA-GROUP set mode a-p set password Password123 set hbdev port3 0 port4 0 set . If you have the HA config on both units but the second firewall does not appear in the GUI, chances are you missed this step or the group-name. OK Model: FortiGate-300D Mode: HA A-P Group: 240 Debug: 0 Cluster Uptime: . Solution . # get system ha status <----- Shows detailed HA information and cluster failover reason. in resource group ResourceGroupName of subscription FortiGate-B-nic1", status: InProgress, 2020-12-12 13:01:49 operation: "updating nic: FortiGate-B-nic1", If you're using override, sounds like you are, and you want to do the failover semi-permanently, only other parameter you can tweak is the number of failed monitored interfaces. address is moved from master to slave. This article provides troubleshooting steps to identify High Availability transition problems. 3.2 : Getting the HA checksums on the Slave (and compare with the Master): Troubleshooting Note : FortiGate HA synchronization messages and cluster verification steps. 1. increase the priority on secondary unit to Primary and 2. failover, it would be good to verify HA status is in-sync by, If HA status is not Furthermore, you will be able to see what portion of the configs are NOT in sync. article describes how to troubleshoot high availability FortiGate-VM for You will see detail on failover 2020-12-12 13:00:50 query nic FortiGate-A-nic1, 2020-12-12 13:00:51 query nic FortiGate-A-nic1, rc: 0, 2020-12-12 13:00:51 remove public ip FGTAPClusterPublicIP in Pay attention to 'link status changes' where 0=down and 1=up might trigger the election algorithm for monitored interfaces. Give it a few minutes. If the primary FortiGate becomes unavailable, traffic fails over to the backup FortiGate. .
Age and link_failure will only trigger cluster transitions after the cluster boots up and has been up for more than the ha-uptime-diff-margin (which is 300 seconds, or 5 minutes, by default). With the output, we can see that there is an error on the interfaces. The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges. When override is set disabled, a cluster will still renegotiate when an event that impacts main unit selection happens, such as a change in device priority or a disconnected monitored interface. # execute ha failover unset 1 Caution: This command may trigger an HA failover. Prim-FW (global) # get sys ha status HA Health Status: OK 2020-12-12 13:01:36 query nic FortiGate-B-nic1, 2020-12-12 13:01:36 query nic FortiGate-B-nic1, rc: 0, 2020-12-12 13:01:36 add public ip FGTAPClusterPublicIP in public IP address from master unit. the new master unit is done. FGCP high availability troubleshooting This example shows you how to find and fix some common FortiGate Clustering Protocol (FGCP) HA problems. By default, the HA override CLI command is disabled. To reset health-status manually, run the following command: This command will clear out error statuses related to other cluster members when they're removed or re-added. HA failover can be forced on an HA primary device. address is moved from master to slave. The above output will show you the process of the HA Heartbeat conversations as well as the synchronization of the configs. FortiGate-B-nic1", status: InProgress, 2020-12-12 13:02:10 operation: "updating nic: You can see the sync commands in red below. The command is diag sys confsync status. The same generation.
(Primary Unit selection with override disabled.). status: InProgress, 2020-12-12 13:02:00 operation: "updating nic: While the cluster might select the unit that has the fewest monitored and failed interfaces while booting up, Age (uptime) will be only considered after the 'ha-uptime-diff-margin' (AKA 'grace time'). This is a sample of output if HA failover is completed. in-sync, you can check how to troubleshoot HA synchronization issue https://kb.fortinet.com/kb/documentLink.do?externalID=FD45183. Created on 01-13-2022 This article assumes the override flag is disabled. Before starting HA Check Link monitor, interfaces and Age by running the following command: When the system boots up and any monitored interfaces are down, the link_failure count will increment by 50 for each interface in the 'down'. You can run the command with the root switch to compare that section as well as other VDOMs if you happen to be using them. To show the changes, I edited an interface's alias and saved the config. LAG and aggregated interfaces are deemed 'down' if all LAG members go down. diagnose sys ha checksum show global. FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic. Step 1 At the initial HA configuration, any new device that joins a cluster in a Slave role will display the following message sequence on the console. master unit is done.
We can see that global on the Master ends in b5 15 f4 while the Slave's global section ends in 28 f6 d9. Let's say that you want to see where exactly the difference lies on the global section, you would need to run the following: Pay particular attention to the in_sync=0 and in_sync=1 in the output. This article describes how to troubleshoot HA synchronization issue when a cluster is out of sync. This article will provide several commands to help with this process. When the primary FortiGate rejoins the cluster, the backup FortiGate should continue operating as the primary FortiGate. HA failover can be forced on an HA primary device. Moving public IP address to the new master unit. Each unit keeps track of its own history of events and while it can be cleared manually, it'll override the oldest events. The 'diag sys ha history read' will log the following events: FG800D3916801158 is elected as the cluster primary of 2 member user="admin" ui=ssh(10.10.10.1) msg="Reset HA uptime". Azure. Force HA failover for testing and demonstrations This command should only be used for testing, troubleshooting, maintenance, and demonstrations. Updating IP address on All traffic should now be flowing through the primary FortiGate. 1. increase the priority on secondary unit to Primary and 2. decrease the priority on primary unit to secondary. Troubleshooting Fortigate HA Updated 20190602 When you have two Fortigates and you have configured them in HA, we sometimes see issues where they do not sync.
FGT300-2 login: slave's configuration is not in sync with master's, sequence:0 slave's configuration is not in sync with master's, sequence:1 This could be something where the slave has a VLAN trunk not present on the master or something similar. Do not use it in a live production environment outside of an active maintenance window. FortiGate on High Availability clusters. Testing HA failover. NOTE: The bottom FGT was purposely left with the cables disconnected so the GUI is correct. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, 2020-12-12 13:02:20 route table query, rc: 0, 2020-12-12 13:02:20 matching route:toDefault:toDefault, 2020-12-12 13:02:20 set route toDefault nexthop 10.44.99.254, 2020-12-12 13:02:21 updating route table DefaultRouteTable Cluster transitions may occur under some operational circumstances or when manual changes are applied to the FortiGate HA settings or on network devices. in-sync, you can check how to troubleshoot HA synchronization issue, https://kb.fortinet.com/kb/documentLink.do?externalID=FD45183. It is intended for testing purposes. Check if the cluster is "in sync" and when the last synchronization happened. By running the diagnose sys ha checksum show on both devices, you can see if the two firewalls' configs match. In HA active-passive, if the unit is subordinate, it won't have vmac information until it's master. the Azure resource group is done. decrease the priority on primary unit to secondary. Here are some commands and techniques I use to troubleshoot HA Problems. Fortigate HA troubleshooting I know I can increase the HA priority value to migrate Secondary Unit as Primary Unit and decrease it to downgrade Primary Unit as Secondary Unit. You can run the debug commands below before proceeding with HA failover. Technical Tip: Troubleshooting HA failover FortiGate-VM for Azure.
You can see that the first section shows the complete config NOT in sync, while the second section shows all in sync. The only way to remove the failover status is by manually turning it off. However, if you type the get sys ha status command, it will tell you it is in sync. With a chassis based Fortigate firewall, make sure you have a unique chassis ID on each Fortigate. resource group ResourceGroupName of subscription You can look at the configs and ensure that it is configured correctly, but what do you do when the two firewalls STILL do not sync. master unit is done. Troubleshoot an HA formation The following are requirements for setting up an HA cluster or FGSP peers. DefaultRouteTable in resource group ResourceGroupName of subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", NOTE: You can also use the diagnose sys ha checksum cluster to see both. status: Succeeded <----- Updating IP address on I know I can increase the HA priority value to migrate Secondary Unit as Primary Unit and decrease it to downgrade Primary Unit as Secondary Unit. I'd like to know, is it different between the two methods? This will indicate a successful cluster formation. ipconfig ipconfig1 of nic FortiGate-B-nic1, 2020-12-12 13:01:37 updating nic: FortiGate-B-nic1, 2020-12-12 13:01:37 updating nic: FortiGate-B-nic1, rc: 0, 2020-12-12 13:01:39 operation: "updating nic: Technical Tip: Troubleshooting unexpected High Availability (HA) failover, Primary Unit selection with override disabled. 2020-12-12 13:02:20 query route table DefaultRouteTable in
FortiGate-A-nic1", status: InProgress, 2020-12-12 13:01:24 operation: "updating nic: If it's 6.4.x or later and you want to fail them over just for test purpose, you have this option. With these boxes, you will see the GUI showing the HA is in sync, but if you go out to the CLI and run the `diagnose sys ha checksum cluster` command, it will not show the firewalls in sync. Your best bet is to capture the output of both commands on both firewalls, and then use a diff application/utility to compare the two. Updating route table in PRO TIP: If you want to access the slave unit from the Master unit, enter the following: Give it time. Below are some additional HA troubleshooting commands you can use. HA failover can be forced on an HA primary unit. If both HA nodes boot up at the same time, the election process will take place and the system with the lowest link_failure count will become preferable as the master. The same connections. FortiGate uses priority to set the primary firewall, by default it sets the value to 128. Then proceed with failover. If HA status is not public IP address from master unit. article describes how to troubleshoot high availability FortiGate-VM for This article describes a simple procedure to verify if FortiGate devices in an HA cluster are all synchronized. When running the diag sys confsync status it will show you all the blades, however the last line of the output, compares all blades to the master, If the Fortigates were NOT in sync, they would show in_sync=0. 2020-12-12 13:02:19 operation: "updating nic: FortiGate-B-nic1", The point is to be able to pinpoint the section where the conflict exists.
status: Succeeded <----- Updating route table in The requirement to have the same generation is done as a best practice as it avoids issues that can occur later on. However, if you want to ensure that the same cluster unit is always the primary unit and are less worried about frequent cluster negotiation, you may set its device priority higher than other cluster units and enable override. Thank you Wei Ling Neo for the information on the last update. The unit will stay in a failover state regardless of the conditions. 2020-12-12 13:00:49 removing pubip <----- Removing The same hardware configuration. Notice the last 4x HA historical events with timestamps, where the reasons for the last HA transitions are provided (there will be more events shown in the next command). Keeping in mind how the FGCP election process works and is described here, there may be cases where it's necessary to collect the details to troubleshoot some expected or unexpected cluster . We can clearly see that the Slave firewall global section differs from the master. # diagnose debug console timestamp enable. in resource group ResourceGroupName of subscription status: Succeeded <----- Updating IP address on Next, check the heartbeat interface counters for errors or status changes like "down" interfaces. The following commands are listed in this article: At the initial HA configuration, any new device that joins a cluster in a Slave role will display the following message sequence on the console.
Troubleshooting Note : FortiGate HA synchronizatio 3.1 : Getting the HA checksums on the Master. Always re-run the test booklet after applying changes to ensure the designed topology is still working as expected. FortiGate-A-nic1", status: InProgress, 2020-12-12 13:01:14 operation: "updating nic: 2020-12-12 13:01:34 operation: "updating nic: FortiGate-A-nic1", ipconfig ipconfig1 of nic FortiGate-A-nic1, 2020-12-12 13:00:51 updating nic: FortiGate-A-nic1, 2020-12-12 13:00:53 updating nic: FortiGate-A-nic1, rc: 0, 2020-12-12 13:00:54 operation: "updating nic: Notice which interfaces are currently down (=1) and up (=0) on both cluster members. Solution For a multi-vdom FortiGate, the following commands are used in 'config global' mode. This command should only be used for testing, troubleshooting, maintenance, and demonstrations. FortiGate-A-nic1", status: InProgress, 2020-12-12 13:01:04 operation: "updating nic: This article describes how to force HA failover. Keeping in mind how the FGCP election process works and is described here, there may be cases where it's necessary to collect the details to troubleshoot some expected or unexpected cluster transitions. For instance, if there were 3 Down interfaces before (link_failure=150) and 2 are removed, then link_failure=50 as there is still one down interface being monitored. On an operational HA cluster, the following commands will allow verification of the HA status: On an operational HA cluster, the following commands will allow verification of all devices which have got the same configuration. Note that this is only used for testing, troubleshooting, and demonstrations.