In Config-Sync HA cluster, each HA member will have different interface settings. This article shows a typical result of an HA checksum in a Config-Sync HA.
HA settings:
show system ha
config system ha
set group-id 777 set group-name "FPX-HA" set mode config-sync-only set password ENC 30lF1vJU0NPlizEHkwB0tslau/FjCUcXirgztkKFUZyIr5FDyo4Np89ArXF07JJi7h039GephNERJuGA9O8mKOL++TV/U052P27TFrblsaCojCMNWkW5iBqD3R0uITYCLIZtysMfz/bXPh4uYsuiZPWcr1pDRgc5Qdyg33ykeXqyxc1mWPf1H6CgO983XXRvVJBWKg== set hbdev "port3" 50 set override disable
end
show system ha
config system ha
set group-id 777 set group-name "FPX-HA" set mode config-sync-only set password ENC sSDwyRYdaKUDQOe+JbtR8hO4/YS7S3vLmjj8MvdX0TlCxObhcDU7SzfVPwCW+aSOZHEgQ8sis2efYUdJQYyT8ntw8At4WLBz/uOAOhJjF8x5g8dKz03BoYrl5dN0RLpzobYkYnzXBuK46p28BkZktI4CEnDqdfRJHXYk57AB4rm7T1nikbL3wfteE8sbCAAqhgeV2g== set hbdev "port3" 50 set override disable set priority 100
end
HA status is in-sync:
get system ha status HA Health Status: OK Model: FortiProxy-KVM Mode: ConfigSync Group: 777 Debug: 0 Cluster Uptime: 0 days 5:46:11 Cluster state change time: 2023-12-13 16:58:32 Primary selected using: <2023/12/13 16:58:32> FPXVULTM23000077 is selected as the primary because its override priority is larger than peer member FPXVULTM23000076. <2023/12/13 16:58:22> FPXVULTM23000077 is selected as the primary because it's the only member in the cluster. override: disable Configuration Status: FPXVULTM23000077(updated 3 seconds ago): in-sync FPXVULTM23000076(updated 3 seconds ago): in-sync System Usage stats: FPXVULTM23000077(updated 3 seconds ago): sessions=225, average-cpu-user/nice/system/idle=3%/0%/1%/96%, memory=75% FPXVULTM23000076(updated 3 seconds ago): sessions=192, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=38% HBDEV stats: FPXVULTM23000077(updated 3 seconds ago): port3: physical/00, up, rx-bytes/packets=52979450/190963, tx=154587405/194655 FPXVULTM23000076(updated 3 seconds ago): port3: physical/00, up, rx-bytes/packets=154594960/194741, tx=52964728/190807 Primary : FPX1 , FPXVULTM23000077, HA cluster index = 0 Secondary : FPX2 , FPXVULTM23000076, HA cluster index = 1 number of vcluster: 1 vcluster 1: work 169.254.0.33 Primary: FPXVULTM23000077, HA operating index = 0
The interface settings of FPX1 and FPX2 are not the same:
show system interface
config system interface
edit "port1"
set vdom "root" set ip 10.47.1.246 255.255.240.0 set allowaccess ping https ssh http fgfm set type physical set explicit-web-proxy enable set alias "Management" set snmp-index 1
next edit "port2"
set vdom "root" set ip 10.207.1.246 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set alias "Server" set snmp-index 2
next edit "port3"
set vdom "root" set ip 10.227.1.246 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set alias "HeartBeat" set snmp-index 3
next edit "port4"
set vdom "root" set ip 10.177.1.246 255.255.240.0 set allowaccess ping https ssh http set type physical set explicit-web-proxy enable set proxy-captive-portal enable set alias "Data" set role wan set snmp-index 7
next edit "ssl.root"
set vdom "root" set type tunnel set alias "SSL VPN interface" set snmp-index 13
next
end
show system interface
config system interface
edit "port1"
set vdom "root" set ip 10.47.1.243 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set snmp-index 1
next
edit "port2"
set vdom "root" set ip 10.207.1.243 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set snmp-index 2
next edit "port3"
set vdom "root" set ip 10.227.1.243 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set snmp-index 3
next edit "port4"
set vdom "root" set ip 10.177.1.243 255.255.240.0 set allowaccess ping https ssh http telnet set type physical set snmp-index 4
next edit "ssl.root"
set vdom "root" set type tunnel set alias "SSL VPN interface" set snmp-index 5
next
end
However, cluster checksum and system.interface checksum will be the same:
diagnose sys ha checksum cluster
================== FPXVULTM23000077 ==================
is_manage_primary()=1, is_root_primary()=1 debugzone global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38 all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d
checksum global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38 all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d
================== FPXVULTM23000076 ==================
is_manage_primary()=0, is_root_primary()=1 debugzone global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38 all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d
checksum global: 6e 4a 6c ab 54 2c 3b ea 66 ac cc f6 01 7e f8 aa root: db 4c 92 25 57 f2 cb 73 bf 8d 10 a1 5d 0a 30 38 all: 47 80 21 4d cb a5 db 7b d0 8e 55 4c 80 36 98 6d
diagnose sys ha checksum show global system.global: 72f8fd8ca067362bcaa7cbbe25d74a3e system.accprofile: 967a1e9424160e95e202a580198c2b55 system.vdom-link: 00000000000000000000000000000000 system.interface: 05f6b861630b358e9f7322205bdd3b0a system.password-policy: 00000000000000000000000000000000
diagnose sys ha checksum show global system.global: 72f8fd8ca067362bcaa7cbbe25d74a3e system.accprofile: 967a1e9424160e95e202a580198c2b55 system.vdom-link: 00000000000000000000000000000000 system.interface: 05f6b861630b358e9f7322205bdd3b0a system.password-policy: 00000000000000000000000000000000
The checksum will be the same even when interface settings are not the same.
If there is a checksum mismatch or the HA status is out-of-sync, collect the following information and contact FortiCare Technical Support with it attached:
- Configuration files for each HA member.
- Output from the following commands for each HA member:
get system status get system ha status diagnose sys ha checksum cluster diagnose sys ha checksum show global diagnose sys ha checksum show <vdom name>
|