No synch HA with FG 101E

Author
RisingRose
2018/04/13 02:57:09 (permalink) 5.4

Hello, I have 2 FortiGate 101E with FortiOS 5.4.6. I am trying to set up an HA cluster with both but can't manage to sync the configuration between the master and the slave. I tried to recalculate the checksum quite a few times on both devices but it still isn't synchronizing.
#1


    ede_pfau
    Re: No synch HA with FG 101E 2018/04/13 04:51:49 (permalink)
    Hi,
     
    and welcome to the forums.
    For HA, you don't need to sync the HA members manually. If the cluster is forming at all, all files and status should sync automatically after some time.
     
    The hardware needs to be identical for HA; that is, same P/N, same BIOS version and running the same FortiOS version. You can check that easily with 'get sys stat'. For instance, a FG-101E will not cluster with a FG-100E as the hardware disk is not present on one.
     
    Does the HA cluster form at all, and you just see that something has not yet been sync'ed? Or is the cluster incomplete (get sys ha stats, GUI, virtual MACs etc.)?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    RisingRose
    Re: No synch HA with FG 101E 2018/04/13 05:31:12 (permalink)
    I've tried a few more things just now, and I've also checked that the cluster is formed. From what I've seen so far, the cluster is created and is working, but there is no replication between the two devices.
    I've attached the cluster image from the master GUI.
    Here is the result of the HA status from the master:
    Cluster Uptime: 0 days 00:04:09
    Master selected using:
        <2018/04/13 14:14:04> FG101E4Q17003852 is selected as the master because it has the largest value of override priority.
        <2018/04/13 14:14:03> FG101E4Q17003852 is selected as the master because it's the only member in the cluster.
    ses_pickup: enable, ses_pickup_delay=disable
    load_balance: enable
    load_balance_udp: disable
    schedule: Round robin.
    upgrade_mode: unset
    override: disable
    Configuration Status:
        FG101E4Q17003852(updated 2 seconds ago): in-sync
        FG101E4Q17003750(updated 2 seconds ago): out-of-sync
    System Usage stats:
        FG101E4Q17003852(updated 2 seconds ago):
            sessions=13, average-cpu-user/nice/system/idle=5%/0%/2%/92%, memory=27%
        FG101E4Q17003750(updated 2 seconds ago):
            sessions=0, average-cpu-user/nice/system/idle=17%/0%/7%/75%, memory=26%
    HBDEV stats:
        FG101E4Q17003852(updated 2 seconds ago):
            ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
            ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
            port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
            wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
        FG101E4Q17003750(updated 2 seconds ago):
            ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
            ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
            port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
            wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    MONDEV stats:
        FG101E4Q17003852(updated 2 seconds ago):
            dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
            ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=2857290/25541/0/0, tx=55945621/38089/0/0
            ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=880372/1228/0/0, tx=888459/1199/0/0
            port1: physical/1000auto, up, rx-bytes/packets/dropped/errors=551452/1751/0/0, tx=1178284/2092/0/0
            wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
        FG101E4Q17003750(updated 2 seconds ago):
            dmz: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
            ha1: physical/1000auto, up, rx-bytes/packets/dropped/errors=55943556/38086/0/0, tx=2854347/25538/0/0
            ha2: physical/1000auto, up, rx-bytes/packets/dropped/errors=886236/1196/0/0, tx=878233/1225/0/0
            port1: physical/00, down, rx-bytes/packets/dropped/errors=319901/1312/0/0, tx=865644/1545/0/0
            wan1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    Master: FG101E_HA_MAS   , FG101E4Q17003852
    Slave : FG101E_HA_SLA   , FG101E4Q17003750
    number of vcluster: 1
    vcluster 1: work 169.254.0.1
    Master:0 FG101E4Q17003852
    Slave :1 FG101E4Q17003750
    #3
    ede_pfau
    Re: No synch HA with FG 101E 2018/04/15 06:14:48 (permalink)
    Please disable all HA port monitoring until the cluster has formed and is fully synchronized. I see that not all monitored ports are in state 'link up' on the slave unit. If this is commonly so, do not monitor them.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    Maik
    Re: No synch HA with FG 101E 2018/04/17 23:37:18 (permalink)
    Upgrade to 5.4.8. It has some cluster bugs fixed.
    I did not study the troubleshooting steps you did in detail. Just read that the cluster forms but does not sync.
    post edited by Maik - 2018/04/17 23:41:51
    #5
    RisingRose
    Re: No synch HA with FG 101E 2018/04/17 23:44:14 (permalink)
    I can't upgrade to 5.4.8, my company wants to stay with 5.4.6 since they just upgraded the infra to it.
    But it's OK now, I just left the firewalls to think by themselves for like 2 hours and they finally synchronized.
    Thanks for your help anyway, hope you have a good day.
    #6
    bendsley
    Re: No synch HA with FG 101E 2018/04/18 14:30:13 (permalink)
    # diagnose sys ha checksum show
    Should return something like:
    global: 0a 23 ce 1d f2 76 85 7a f0 8b 43 36 43 84 05 19
    root: 73 cb 94 8d 19 80 e1 1c 8a b0 a1 28 32 0a ed 3a
     
    From the above, find out which is not synced.  You can do this on both units independently (from global: #execute ha manage <#>)
     
    # diagnose sys ha checksum show root
    wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
    wireless-controller.hotspot20.anqp-network-auth-type: 00000000000000000000000000000000
    wireless-controller.hotspot20.anqp-roaming-consortium: 00000000000000000000000000000000
    wireless-controller.hotspot20.anqp-nai-realm: 00000000000000000000000000000000
    wireless-controller.hotspot20.anqp-3gpp-cellular: 00000000000000000000000000000000
    wireless-controller.hotspot20.anqp-ip-address-type: 00000000000000000000000000000000
     
    Log the output, or copy/paste, from both firewalls to a different text file.  Use a text editor to compare the two files.  You will have something in there that shows what is out of sync.
     
    When I tested recently, it was wtp-profile.
     
    More info can be found here:
    http://kb.fortinet.com/kb....do?externalID=FD36176
    #7
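
Added example (not part of the original thread, and not Fortinet code): a small Python script that automates the comparison described in the last reply, reading the saved `diagnose sys ha checksum show` output from both units and listing only the objects whose checksums differ. The sample outputs and their checksum values are constructed for illustration; the parser assumes the `name: checksum` line format shown in the post.

```python
import re

# Matches "object.name: <checksum>", where the checksum is 16 bytes written
# either run together (per-object output) or space-separated (summary output).
LINE_RE = re.compile(r"^\s*([\w.\-]+):\s*((?:[0-9a-fA-F]{2}\s*){16})$")

def parse_checksums(text):
    """Return {object_name: lowercase_hex_checksum} from saved CLI output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # prompts, echoed commands and blank lines are skipped
            table[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return table

def diff_checksums(master_text, slave_text):
    """List (name, master_sum, slave_sum) for every object that differs.
    None marks an object that is missing from one unit's output."""
    master = parse_checksums(master_text)
    slave = parse_checksums(slave_text)
    out = []
    for name in sorted(master.keys() | slave.keys()):
        if master.get(name) != slave.get(name):
            out.append((name, master.get(name), slave.get(name)))
    return out

# Constructed sample captures (checksum values are made up).
MASTER_SAMPLE = """\
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: a3f1c09e7b2d4456819c0de2f47a6b10
firewall.address: 73cb948d1980e11c8ab0a128320aed3a
"""
SLAVE_SAMPLE = """\
# diagnose sys ha checksum show root
wireless-controller.hotspot20.anqp-venue-name: 00000000000000000000000000000000
wireless-controller.wtp-profile: 0b77d2e4519ac3386fe0124d9a5c7e21
firewall.address: 73cb948d1980e11c8ab0a128320aed3a
"""

if __name__ == "__main__":
    for name, m_sum, s_sum in diff_checksums(MASTER_SAMPLE, SLAVE_SAMPLE):
        print(f"OUT OF SYNC  {name}\n  master: {m_sum}\n  slave:  {s_sum}")
```

Run it against captures taken in the same VDOM on both units; an object reported with `None` on one side exists on only one member.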