- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- HA looks fine on CLI but not on GUI
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Created on
09-14-2018
07:32 AM
Edited on
02-26-2024
06:40 AM
By
Kate_M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA looks fine on CLI but not on GUI
Hi!
I am configured HA on my Fortigate 100E running 5.6.
The CLI command get system ha status shows that it looks ok .
HA Health Status: OK
Serial number Device 1(updated 3 seconds ago): in-sync Serial number Device 2(updated 2 seconds ago): in-sync
Master: Primary , FG100E4Q170444845, cluster index = 0 Slave : Secondry , FG100E4Q17044540, cluster index = 1
But on GUI the status is showing as Not Synchronized.
One more thing is that I used device priority for my selection of primary. I know that up time comes before the priority but my thought was that once I set higher priority then it will take that as first option of choice or I am missing point here.
Thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
-
High Availability
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, the sequence which parameters are looked at for a HA master decision is not changed by setting those parameters. Nor will a decision process be started.
The only way to alter the sequence is to set 'HA override' on one unit.
Please search the forums for this topic and/or re-read the HA chapter in the Handbook if you want to be sure.
Personally, I would not bother too much about the GUI display. If the info in the CLI tells you the cluster is in-sync then all is good. You could change an unimportant setting in the CLI and watch the sync status to change, and stableize again.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I saw this issue in 5.6.4 and 6.0.1. When I joined the HA cluster, I wait 5 minutes and the GUI still shows that it's unsynced. But when I look at the checksums in the CLI it's synced. I rebooted the primary and confirmed that HA sync correctly. When the primary came back up the GUI showed the correct sync status. I have a feeling it's a GUI bug.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@capricorn80:
HA override does not influence performance in any way. It just changes the sequence of parameters.
But, as you've noticed, it only adds a second short interruption if the master fails which IMHO is unnecessary. HA priority should be set identically then.
Session pickup is off by default, for a reason. Not all sessions can be preserved (e.g. not IPsec), not all traffic is stateful (e.g. UDP), some protocols rely on frequent, short sessions (e.g. HTTP) but for the rest it does make a difference. It costs performance, and bandwidth on the HA link(s). YMMV.
Additionally, monitoring ports is advisable. Without it, the cluster will only fail over on device failure. Port monitoring adds link failure protection which might be more probable.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, the sequence which parameters are looked at for a HA master decision is not changed by setting those parameters. Nor will a decision process be started.
The only way to alter the sequence is to set 'HA override' on one unit.
Please search the forums for this topic and/or re-read the HA chapter in the Handbook if you want to be sure.
Personally, I would not bother too much about the GUI display. If the info in the CLI tells you the cluster is in-sync then all is good. You could change an unimportant setting in the CLI and watch the sync status to change, and stableize again.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Browser refresh CTRL + F5 should display the right status in GUI.
For me this works after every cluster update.
perhaps for you too.
Fortigate 500E HA Fortimail 200 Fortimanager
FortiEMS
FortiSandbox 1000D
FortiSwitch Network Some other Models in use :-) ---------------------------------------------------- FCSE ----------------------------------------------------
Fortigate 500E HA Fortimail 200 Fortimanager
FortiEMS
FortiSandbox 1000D
FortiSwitch Network Some other Models in use :-)
---------------------------------------------------- FCSE
----------------------------------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The checksum is same as well.
is_manage_master()=1, is_root_master()=1 debugzone global: 80 06 4e 98 1e 6a 5d d3 4d d6 4b fc 83 6f e7 2d root: 80 e0 7e 6b a7 38 0b ec 3d fc 9d 99 f7 65 36 41 all: 1f 49 d0 3e 48 91 b8 85 fb b2 7d 73 c3 1c 30 76
checksum global: 80 06 4e 98 1e 6a 5d d3 4d d6 4b fc 83 6f e7 2d root: 80 e0 7e 6b a7 38 0b ec 3d fc 9d 99 f7 65 36 41 all: 1f 49 d0 3e 48 91 b8 85 fb b2 7d 73 c3 1c 30 76
1. connected monitored interface - I am not monitoring any interface 2. Age - Depends on monitored interface and is the amount of time since the interface disconnected so I am not using the monitored interface. Age also means the up time so the FW which is up from long time will become Master. This is happening in my case. 3. Priority: I set it to 250 but Age is taking over.
So if I restart my primary one then the secondary will take over as its up time will be more than the primary one.
I read couple of threads and people dont use HA override as it will create performance issue and also when the primary comes back online then it will take over that means that few seconds delay.
I think for me it doesnt matter as they are both the same firewall so as long as they are working.
One more thing is the session pickup. I am reading about it but its disable in my case so does that mean if my primary goes down then I will loose all sessions and every session will start again?
Refresh and Crtl + F5 doesnt help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I saw this issue in 5.6.4 and 6.0.1. When I joined the HA cluster, I wait 5 minutes and the GUI still shows that it's unsynced. But when I look at the checksums in the CLI it's synced. I rebooted the primary and confirmed that HA sync correctly. When the primary came back up the GUI showed the correct sync status. I have a feeling it's a GUI bug.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@capricorn80:
HA override does not influence performance in any way. It just changes the sequence of parameters.
But, as you've noticed, it only adds a second short interruption if the master fails which IMHO is unnecessary. HA priority should be set identically then.
Session pickup is off by default, for a reason. Not all sessions can be preserved (e.g. not IPsec), not all traffic is stateful (e.g. UDP), some protocols rely on frequent, short sessions (e.g. HTTP) but for the rest it does make a difference. It costs performance, and bandwidth on the HA link(s). YMMV.
Additionally, monitoring ports is advisable. Without it, the cluster will only fail over on device failure. Port monitoring adds link failure protection which might be more probable.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enabling override changes the order of primary unit selection. As shown below, if override is enabled, primary unit selection considers device priority before age and serial number. This means that if you set the device priority higher on one cluster unit, with override enabled this cluster unit becomes the primary unit even if its age and serial number are lower than other cluster units. Similar to when override is disabled, when override is enabled primary unit selection checks for connected monitored interfaces first. So if interface monitoring is enabled, the cluster unit with the most disconnected monitored interfaces cannot become the primary unit, even of the unit has the highest device priority. If all monitored interfaces are connected (or interface monitoring is not enabled) and the device priority of all cluster units is the same then age and serial number affect primary unit selection.
Ashu
Ashu
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After few days its showing the status fine on the GUI without making any changes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
clearing the browser cache or using a different browser will restore the GUI to the expected synced state.
Thanks
Pavan
Related Posts
- Forticlient EMS and AD sync 13 Views
- FortiAuthenticator Realms 43 Views
- Mobile app for VPN 49 Views
- SSL-VPN Bookmarks SSO with SAML auth 46 Views
- Site to Site VPN to 2... 107 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
332 -
FortiSwitch
331 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.