- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Slave shutdown during ha cluster upgrade due to di...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slave shutdown during ha cluster upgrade due to different hdisk status (internal storage)
edit
TL;DR: If you upgrade a HA cluster by inserting a USB stick into one of the members and running 'exec restore image usb', the cluster will upgrade but will then likely to crash due to 'different hdisk status'. The cause seems to be that the usb stick is mounted after reboot and the other member gets sad because it doesn't have one too. Removing the USB and rebooting all units restores the cluster, but that's not cool if you're hundreds of kilometres away.
Note internal storage was suspected but is not actually relevant to the problem.
Workaround - install identical USB sticks in each cluster member (only tested with a cluster of two).
/edit.
I've previously posted regarding `system internal storage` issues when loading configurations using exec restore config usb onto a standalone FGT60D. In that case the issue is merely annoying. Our current preference is to delete this section completely.
We have two methods we use to build a cluster and both result in a working configuration.
We always prep each new unit by formatting from the boot menu and loading firmware via tftp.
After this step, each unit has a system storage entry.
We always make sure that the hardware revision of the cluster members matches.
Method 1 (legacy due to issues with repeatability, included only for completeness):
View master default config, add system storage to target configuration file, especially the partition value.
Load config into master, set override and priority.
Make slight modifications to the slave unit (primarily to convert to interface mode), configure HA without override and priority
Connect, allow config to sync to slave.
Check cluster formed OK.
Method 2:
Load config (with no system storage) into master, set override and priority.
Load config (with no system storage) into master, unset override and priority.
Connect.
Check cluster formed OK.
Beer.
Following method 2, the cluster looks fine and both units report no system storage. There is so far no known way to identify that an upgrade might fail...
Then upgrade the firmware from 5.2.3 to 5.2.5 (upgrade path to 5.4)
The result is that when the master upgrade completes, the slave unit shuts down due to different hdisk status.
Once the slave is disconnected and restarted, it has an entry for system storage, but the master does not.
We do not know why the system storage for the slave has re-appeared.
The failure is repeatable and we don't actually know how to restore the cluster other than using a workaround from TAC. The
TAC workaround is exec ha ignore-hardware-revision enable on both units but that's not very satisfactory since we can't see any difference beforehand.
If the TAC workaround is applied, the firmware upgrade succeeds. If the workaround is removed from the upgraded cluster (because there seems to be no need for it), we see the same result - slave shutdown after the restart.
Does anyone know how to avoid this?
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I now believe that the problem is the usb used for the firmware upgrade, awaiting confirmation from TAC.
The hypothesis is that the FGT mounts any USB detected at startup and therefore when the cluster tries to form, one has a mounted usb and one does not, they have a hdisk mismatch and it's game over.
Presuming this is the case, does anyone know a way to prevent a USB being mounted at startup, whilst allowing normal usb usage? Is there a command to do this? Note that if the usb is inserted whilst the FGT is running, fnsysctl df does not show the USB is mounted but it is still available.
Backup genius idea - install identical USBs in both cluster members *runs off to try it*
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
*happy dance* installing identical USB sticks did the trick. See edit to original post.
Still taking offers for a better way to prevent this issue...
Related Posts
- Automatically Ban Malicious Inbound IPs using... 111 Views
- Cisco Trunk port to Fortiswitch 381 Views
- upd_act_update[515]-won't retry due to install error 220 Views
- Geo location issue - Internal server... 145 Views
- System file integrity check failed 209 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.