High Availability – Troubleshoot an HA formation – FortiOS 6.2

Troubleshoot an HA formation

The following are requirements for setting up an HA cluster or FGSP peers.

Cluster members must have:

  • The same model.
  • The same hardware configuration.
  • The same connections.
  • The same generation.

The same-generation requirement is a best practice: mixing generations avoids nothing now but can cause problems later on. If you are unsure whether your units are from the same generation, contact customer service.

Troubleshooting common HA formation errors

One box keeps shutting down during HA setup (hard drive failure):

If one unit has a hard drive failure and the other does not, the unit with the failed drive is shut down during HA setup. RMA that unit to resolve the issue.

Desired box won’t be the Master:

When all members join together as a cluster, a process called negotiation begins to decide which box will become the Master. It is decided by the following criteria:

The first factor is the number of monitored interfaces that are up. If Box A has two monitored interfaces up and Box B has only one, Box A becomes the Master. In the CLI this is reported on the "Master selected using" line of get sys ha status as the member with the lowest total of link-failure + pingsvr-failure. Before looking at priority or other settings, ensure that every monitored connection on every member is up.

All members are Masters and members can’t see other members:

Typically, this is a heartbeat issue: each member is failing to see the others' heartbeats and so elects itself Master. For a two-member cluster, connect the heartbeat interfaces back-to-back. With more than two members a back-to-back link cannot reach every unit, so connect all heartbeat interfaces through a dedicated switch.

Check HA sync status

The HA sync status can be viewed in the GUI through either a widget on the Dashboard or on the System > HA page. It can also be confirmed through the CLI. When a cluster is out of sync, correct the issue as soon as possible: the members no longer share the same configuration, so configuration integrity is lost and a failover will run on a configuration that differs from the master's.

HA sync status in the GUI

  • Dashboard widget: Following HA setup, the HA Status widget can be added to the Dashboard. The widget shows the HA sync status by displaying a green checkmark next to each member that is in sync. A red mark indicates the member is out of sync.
  • System > HA page: The same set of icons is displayed on the System > HA page to indicate whether each member is in sync.

HA sync status in the CLI

  • In the CLI, run the command get sys ha status to see if the cluster is in sync. The sync status is reported under Configuration Status. In the following example, both members are in sync:

FGT_A # get sys ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 146
Debug: 0
Cluster Uptime: 0 days 21:42:53
Cluster state change time: 2019-03-09 11:40:51
Master selected using:
    <2019/03/08 18:56:12> FGT6HD3914800153 is selected as the master because it has the least value 0 of link-failure + pingsvr-failure.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT6HD3914800069(updated 5 seconds ago): in-sync
    FGT6HD3914800153(updated 4 seconds ago): in-sync
System Usage stats:
    FGT6HD3914800069(updated 5 seconds ago):
        sessions=17, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
    FGT6HD3914800153(updated 4 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
:
:
:
Master: FGT6HD3914800069, HA operating index = 0
Slave : FGT6HD3914800153, HA operating index = 1
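Checking sync status by eye works on one cluster; a practitioner who collects get sys ha status from many FortiGates (over SSH, or from a scheduled script) wants the same check automated. The parser below is an added example, not Fortinet code and not part of the original page. It assumes the FortiOS 6.2 output layout shown above (per-member lines under Configuration Status, a Master/Slave line per member, and the "Master selected using" reason line tied to the negotiation criterion described earlier), and it only parses those fields. The sample text is constructed from the page's output with the second member changed to out-of-sync so the check has something to report; the 60-second staleness threshold is an assumption, not a FortiOS value.

```python
import re
from typing import Dict, List

# Constructed sample: the page's output with FGT6HD3914800153 flipped to
# out-of-sync so that sync_problems() has something to flag.
SAMPLE_STATUS = """\
FGT_A # get sys ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 146
Debug: 0
Cluster Uptime: 0 days 21:42:53
Cluster state change time: 2019-03-09 11:40:51
Master selected using:
    <2019/03/08 18:56:12> FGT6HD3914800153 is selected as the master because it has the least value 0 of link-failure + pingsvr-failure.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
    FGT6HD3914800069(updated 5 seconds ago): in-sync
    FGT6HD3914800153(updated 4 seconds ago): out-of-sync
System Usage stats:
    FGT6HD3914800069(updated 5 seconds ago):
        sessions=17, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
    FGT6HD3914800153(updated 4 seconds ago):
        sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
Master: FGT6HD3914800069, HA operating index = 0
Slave : FGT6HD3914800153, HA operating index = 1
"""

# Line shapes taken from the 6.2 output above; "updated N seconds ago" is the
# only age format shown on the page, so that is all this assumes.
_SYNC_RE = re.compile(r"^(\S+)\(updated (\d+) seconds ago\):\s*(in-sync|out-of-sync)\s*$")
_ROLE_RE = re.compile(r"^(Master|Slave)\s*:\s*(\S+),\s*HA operating index = (\d+)")
_REASON_RE = re.compile(r"^<([^>]+)>\s+(\S+) is selected as the master because (.+?)\.?\s*$")


def parse_ha_status(text: str) -> Dict:
    """Parse `get sys ha status` output into a dict of cluster facts.

    Returns health, mode, override, the last master-selection reason and a
    per-serial member dict with sync state, report age, role and index.
    """
    result = {"health": None, "mode": None, "override": None,
              "master_reason": None, "members": {}}
    section = None  # which multi-line section we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HA Health Status:"):
            result["health"] = line.split(":", 1)[1].strip()
        elif line.startswith("Mode:"):  # "Model:" does not match this prefix
            result["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("override:"):
            result["override"] = line.split(":", 1)[1].strip()
        elif line == "Master selected using:":
            section = "reason"
        elif line == "Configuration Status:":
            section = "config"
        elif line == "System Usage stats:":
            section = "usage"
        elif section == "reason" and (m := _REASON_RE.match(line)):
            result["master_reason"] = {"when": m.group(1), "serial": m.group(2),
                                       "because": m.group(3)}
        elif section == "config" and (m := _SYNC_RE.match(line)):
            member = result["members"].setdefault(m.group(1), {})
            member.update({"sync": m.group(3), "age_seconds": int(m.group(2))})
        elif m := _ROLE_RE.match(line):
            member = result["members"].setdefault(m.group(2), {})
            member.update({"role": m.group(1), "index": int(m.group(3))})
    return result


def sync_problems(status: Dict, max_age_seconds: int = 60) -> List[str]:
    """Return human-readable problems; an empty list means the cluster looks healthy.

    max_age_seconds is an assumed threshold for a stale member report, which
    usually points at the heartbeat rather than at configuration sync.
    """
    problems = []
    if status["health"] != "OK":
        problems.append(f"HA health status is {status['health']!r}, expected 'OK'")
    for serial, info in sorted(status["members"].items()):
        role = info.get("role", "role unknown")
        if info.get("sync") != "in-sync":
            state = info.get("sync", "missing from Configuration Status")
            problems.append(f"{serial} ({role}) is {state}")
        elif info.get("age_seconds", 0) > max_age_seconds:
            problems.append(f"{serial} ({role}) last reported {info['age_seconds']}s ago; check heartbeat")
    masters = [i.get("role") for i in status["members"].values()].count("Master")
    if masters != 1:
        problems.append(f"expected exactly one Master, found {masters}")
    return problems


if __name__ == "__main__":
    parsed = parse_ha_status(SAMPLE_STATUS)
    print("master reason:", parsed["master_reason"])
    for problem in sync_problems(parsed) or ["cluster in sync"]:
        print(problem)
```

Run against the constructed sample it reports FGT6HD3914800153 (Slave) as out-of-sync and nothing else; feed it the page's original output and the list is empty. The "expected exactly one Master" check is the scripted form of the "all members are Masters" symptom described above: if several units each report themselves Master, look at the heartbeat cabling before anything else.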


This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
