ssriswadpong
Staff
Article Id 289159
Description
This article shows a reference HA checksum result for a FortiProxy system in config-sync-only HA mode.
Scope
FortiProxy.
Solution

In a Config-Sync HA cluster, each HA member has different interface settings. This article shows a typical HA checksum result for a Config-Sync HA cluster.

HA settings:

 

show system ha
config system ha
    set group-id 777
    set group-name "FPX-HA"
    set mode config-sync-only
    set password ENC 30lF1vJU0NPlizEHkwB0tslau/FjCUcXirgztkKFUZyIr5FDyo4Np89ArXF07JJi7h039GephNERJuGA9O8mKOL++TV/U052P27TFrblsaCojCMNWkW5iBqD3R0uITYCLIZtysMfz/bXPh4uYsuiZPWcr1pDRgc5Qdyg33ykeXqyxc1mWPf1H6CgO983XXRvVJBWKg==
    set hbdev "port3" 50
    set override disable
end

 

show system ha
config system ha
    set group-id 777
    set group-name "FPX-HA"
    set mode config-sync-only
    set password ENC sSDwyRYdaKUDQOe+JbtR8hO4/YS7S3vLmjj8MvdX0TlCxObhcDU7SzfVPwCW+aSOZHEgQ8sis2efYUdJQYyT8ntw8At4WLBz/uOAOhJjF8x5g8dKz03BoYrl5dN0RLpzobYkYnzXBuK46p28BkZktI4CEnDqdfRJHXYk57AB4rm7T1nikbL3wfteE8sbCAAqhgeV2g==
    set hbdev "port3" 50
    set override disable
    set priority 100
end

 

HA status is in-sync:

 

get system ha status
HA Health Status: OK
Model: FortiProxy-KVM
Mode: ConfigSync
Group: 777
Debug: 0
Cluster Uptime: 0 days 5:46:11
Cluster state change time: 2023-12-13 16:58:32
Primary selected using:
<2023/12/13 16:58:32> FPXVULTM23000077 is selected as the primary because its override priority is larger than peer member FPXVULTM23000076.
<2023/12/13 16:58:22> FPXVULTM23000077 is selected as the primary because it's the only member in the cluster.
override: disable
Configuration Status:
FPXVULTM23000077(updated 3 seconds ago): in-sync
FPXVULTM23000076(updated 3 seconds ago): in-sync
System Usage stats:
FPXVULTM23000077(updated 3 seconds ago):
sessions=225, average-cpu-user/nice/system/idle=3%/0%/1%/96%, memory=75%
FPXVULTM23000076(updated 3 seconds ago):
sessions=192, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=38%
HBDEV stats:
FPXVULTM23000077(updated 3 seconds ago):
port3: physical/00, up, rx-bytes/packets=52979450/190963, tx=154587405/194655
FPXVULTM23000076(updated 3 seconds ago):
port3: physical/00, up, rx-bytes/packets=154594960/194741, tx=52964728/190807
Primary : FPX1 , FPXVULTM23000077, HA cluster index = 0
Secondary : FPX2 , FPXVULTM23000076, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.33
Primary: FPXVULTM23000077, HA operating index = 0

 

The interface settings of FPX1 and FPX2 are not the same:

 

show system interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.47.1.246 255.255.240.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set explicit-web-proxy enable
        set alias "Management"
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.207.1.246 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "Server"
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 10.227.1.246 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "HeartBeat"
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set ip 10.177.1.246 255.255.240.0
        set allowaccess ping https ssh http
        set type physical
        set explicit-web-proxy enable
        set proxy-captive-portal enable
        set alias "Data"
        set role wan
        set snmp-index 7
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 13
    next
end

 

show system interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.47.1.243 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.207.1.243 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 10.227.1.243 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set ip 10.177.1.243 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
end

 

However, the cluster checksum and the system.interface checksum are the same on both members:

 

diagnose sys ha checksum cluster

================== FPXVULTM23000077 ==================

is_manage_primary()=1, is_root_primary()=1
debugzone
global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa
root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38
all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d

checksum
global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa
root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38
all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d

================== FPXVULTM23000076 ==================

is_manage_primary()=0, is_root_primary()=1
debugzone
global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa
root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38
all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d

checksum
global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa
root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38
all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d

 

diagnose sys ha checksum show global
system.global: 72f8fd8ca067362bcaa7cbbe25d74a3e
system.accprofile: 967a1e9424160e95e202a580198c2b55
system.vdom-link: 00000000000000000000000000000000
system.interface: 05f6b861630b358e9f7322205bdd3b0a
system.password-policy: 00000000000000000000000000000000

 

diagnose sys ha checksum show global
system.global: 72f8fd8ca067362bcaa7cbbe25d74a3e
system.accprofile: 967a1e9424160e95e202a580198c2b55
system.vdom-link: 00000000000000000000000000000000
system.interface: 05f6b861630b358e9f7322205bdd3b0a
system.password-policy: 00000000000000000000000000000000


The checksums are the same even though the interface settings of the two members are not the same.
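
The member-by-member comparison above can be automated. The following Python code is an added example, not part of the original article or of any Fortinet tooling: it parses `diagnose sys ha checksum cluster` output and lists every section/scope whose checksum differs between members. The function names are hypothetical, the in-sync sample is rebuilt from the values shown above, and the mismatching sample is constructed.

```python
import re

HEADER = re.compile(r"^=+\s+(\S+)\s+=+$")  # "===== <serial> ====="
CHECKSUM = re.compile(r"^([\w.-]+):\s*((?:[0-9a-f]{2} ){15}[0-9a-f]{2})$")

def parse_cluster(text):
    """Return {serial: {(section, scope): hex}} from the cluster checksum output."""
    members, serial, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            serial, section = m.group(1), None
            members[serial] = {}
        elif line in ("debugzone", "checksum"):
            section = line
        elif serial and section and (m := CHECKSUM.match(line)):
            members[serial][(section, m.group(1))] = m.group(2).replace(" ", "")
    return members

def mismatches(members):
    """Sorted (section, scope) pairs whose checksum is absent or differs on any member."""
    keys = set().union(*members.values())
    return sorted(k for k in keys if len({m.get(k) for m in members.values()}) > 1)

# Sample output rebuilt from the checksum values shown in the article.
G = "6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa"
R = "db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38"
A = "47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d"

def render(serial, primary, g=G, r=R, a=A):
    """Lay the values out in the same shape as the CLI output (sample data only)."""
    body = f"global: {g}\nroot: {r}\nall: {a}\n"
    return (f"================== {serial} ==================\n\n"
            f"is_manage_primary()={primary}, is_root_primary()=1\n"
            f"debugzone\n{body}\nchecksum\n{body}\n")

IN_SYNC = render("FPXVULTM23000077", 1) + render("FPXVULTM23000076", 0)
# Constructed failure case: the second member's global checksum is altered by hand.
DRIFTED = (render("FPXVULTM23000077", 1)
           + render("FPXVULTM23000076", 0, g=G[:-2] + "ab"))

if __name__ == "__main__":
    for name, text in (("in-sync", IN_SYNC), ("drifted", DRIFTED)):
        diff = mismatches(parse_cluster(text))
        print(name, "->", diff or "all members agree")
```

A non-empty result names the scope (global, root, all) to inspect next with `diagnose sys ha checksum show <scope>` on each member.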

If there is a checksum mismatch or the HA status is out-of-sync, collect the following information and contact FortiCare Technical Support with it attached:

 

  1. Configuration files for each HA member.
  2. Output from the following commands for each HA member:

     get system status
     get system ha status
     diagnose sys ha checksum cluster
     diagnose sys ha checksum show global
     diagnose sys ha checksum show <vdom name>