acvaldez
Staff
Article Id 195129

Description

This article describes how to troubleshoot the error received when the FortiGate units in an HA cluster do not have the same license subscription.

Scenario:

  • The FortiGate units are in HA, but their license subscriptions are not identical.
  • As a result, the FortiGuard details are not reflected on the primary FortiGate: it does not show the current FortiGuard subscription.

Scope

Any supported version of FortiGate in HA.

Solution

Access the FortiGate through SSH (for example, with PuTTY), through the GUI, or through the CLI, and run the following commands.

diag debug reset
diag debug disable
diag debug app update -1
diag debug enable

The following is the output of the update daemon log when the FortiGate HA cluster does not have the same license subscription on all units:

------------------------------------------------------------------------------------------------------------------------------------------

do_update[484]-Starting now UPDATE (final try)
upd_act_HA_contract_info[724]-ContractItem (1) does not contain all HA (2): FG6H1Exxxxxxxxxx
do_update[496]-UPDATE failed

do_check_wanip[642]-Starting getting wan ip
upd_comm_connect_fds[458]-Trying FDS 173.243.140.6:443
tcp_connect_fds[234]-Binding to interface 13
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.

If one of the FortiGates has a lower level of licensing, then all the FortiGates in the cluster operate at the lowest licensing level.
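
To check a saved debug capture for this condition, the following added example (not Fortinet's code) scans update daemon output for the HA contract message shown above and reports whether the same update attempt failed. The function and field names are assumptions of this example, and the sample input is constructed from the log lines in this article.

```python
import re

# Constructed sample: update daemon debug lines as shown in this article,
# as they would appear in a saved SSH session log.
SAMPLE = """\
do_update[484]-Starting now UPDATE (final try)
upd_act_HA_contract_info[724]-ContractItem (1) does not contain all HA (2): FG6H1Exxxxxxxxxx
do_update[496]-UPDATE failed
do_check_wanip[642]-Starting getting wan ip
upd_comm_connect_fds[458]-Trying FDS 173.243.140.6:443
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
"""

# "function[line]-message" is the layout of the update daemon lines above.
LINE_RE = re.compile(r"^(?P<func>\w+)\[(?P<line>\d+)\]-(?P<msg>.*)$")
# The two numbers in parentheses are kept as printed; this example does not interpret them.
MISMATCH_RE = re.compile(
    r"ContractItem \((?P<item>\d+)\) does not contain all HA \((?P<ha>\d+)\): (?P<serial>\S+)"
)

def find_ha_contract_mismatches(text):
    """Return one finding per HA contract mismatch message in the debug output."""
    findings = []
    pending = None  # mismatch seen, waiting for the do_update result that follows it
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # SSL library lines and blank lines use another layout
        func, msg = m["func"], m["msg"]
        hit = MISMATCH_RE.search(msg) if func == "upd_act_HA_contract_info" else None
        if hit:
            pending = {"serial": hit["serial"], "contract_item": int(hit["item"]),
                       "ha": int(hit["ha"]), "update_failed": False}
            findings.append(pending)
        elif func == "do_update" and pending is not None:
            # The next do_update line closes the attempt the mismatch belongs to.
            pending["update_failed"] = msg.startswith("UPDATE failed")
            pending = None
    return findings

if __name__ == "__main__":
    for f in find_ha_contract_mismatches(SAMPLE):
        state = "update failed" if f["update_failed"] else "no failure logged"
        print(f"HA contract mismatch reported for {f['serial']}: {state}")
```
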

 
