rk1
Staff
Article Id 192198
Description
This article describes how to troubleshoot an HA out-of-sync condition caused by the 'vpn.certificate.local' object on FortiGate.

Scope
From version 6.2.4.

Solution
The object 'vpn.certificate.local' holds all local certificates present on the FortiGate.

If an HA cluster goes out of sync because of the object 'vpn.certificate.local', check whether private-data-encryption is enabled under the global settings.

1) Check whether private-data-encryption is enabled using the following commands:
# config system global
# show full | grep private
Sample output:
FW1 # config system global
FW1 (global) # show full | grep private
set private-data-encryption enable    <----- Enabled.
2) Verify whether the certificate checksums under the object 'vpn.certificate.local' differ between the cluster units, using the following command on each unit:
# diagnose sys ha checksum show root vpn.certificate.local
3) If private-data-encryption is enabled and the certificate checksums differ, follow these steps:

- Disable private-data-encryption
- exec ha sync start
- diag sys ha checksum cluster  //if the checksums are the same, proceed to the next step
- Enable private-data-encryption
- exec ha sync start
- diag sys ha checksum cluster  //confirm that the checksums are the same
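The two 'diag sys ha checksum cluster' checks above are done by eye on the CLI. The script below is an added example, not part of this article or of FortiOS, that parses a saved copy of that output and reports which checksum zones still differ between units, so the comparison can be repeated after each step. The layout of the sample text (unit banners, a 'checksum' section with 'global', 'root' and 'all' lines) is an assumption approximating the real command output; the sample itself is constructed.

```python
"""Compare HA checksums across cluster units from saved CLI output."""
import re

# Constructed sample in the assumed shape of `diagnose sys ha checksum cluster` output.
# The layout is an approximation for this example, not copied from the article.
SAMPLE = """\
================== FW1 ==================
is_manage_master()=1, is_root_master()=1
checksum
global: 0a 1b 2c 3d
root: 11 22 33 44
all: aa bb cc dd

================== FW2 ==================
is_manage_master()=0, is_root_master()=0
checksum
global: 0a 1b 2c 3d
root: 99 88 77 66
all: ee ff 00 11
"""


def parse_cluster_checksums(text):
    """Return {unit: {zone: checksum}} from the 'checksum' section of each unit banner."""
    units = {}
    current = None
    in_checksum = False
    for line in text.splitlines():
        banner = re.match(r"^=+\s*(\S+)\s*=+$", line)
        if banner:
            current = banner.group(1)
            units[current] = {}
            in_checksum = False
            continue
        stripped = line.strip()
        if stripped == "checksum":
            in_checksum = True
            continue
        if stripped == "debugzone":  # another section that may precede 'checksum'
            in_checksum = False
            continue
        if in_checksum and current and ":" in stripped:
            zone, value = stripped.split(":", 1)
            units[current][zone.strip()] = value.strip()
    return units


def out_of_sync_zones(units):
    """Zones whose checksum is not identical on every parsed unit (sorted)."""
    zones = set()
    for per_unit in units.values():
        zones.update(per_unit)
    return sorted(z for z in zones
                  if len({per_unit.get(z) for per_unit in units.values()}) > 1)


if __name__ == "__main__":
    parsed = parse_cluster_checksums(SAMPLE)
    diff = out_of_sync_zones(parsed)
    print("units:", ", ".join(parsed))
    print("out of sync:", diff if diff else "none")
```

When 'root' appears in the result, the next step is the per-object check from step 2 ('diagnose sys ha checksum show root vpn.certificate.local') on each unit to confirm that the certificate object is the mismatched item.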

Note:
From firmware version 6.2.5, the object 'vpn.certificate.local' should remain in sync, and there is no need to follow the steps above.
