This article describes how to troubleshoot a FortiGate that fails to join an HA cluster after a VDOM license has been purchased.
This problem is commonly observed when attempting to re-introduce an RMA replacement FortiGate into an existing HA cluster that is already using additional VDOM licenses.
Scope
FortiGate.
Solution
While adding the new FortiGate into the HA cluster, it may fail to join the HA cluster with the following error, even though a valid VDOM license is applied to the device in FortiCare: ‘It exceeds the maximum number of items allowed on the HA peer’.
Verify on each unit that the number of licensed VDOMs is correctly reflected. Run the command ‘get system status’ and look for the line ‘Max number of virtual domains:’.
If the number of supported VDOMs is incorrect, the license key must be retrieved manually and applied to the unit.
The License Key can be retrieved from the Fortinet Customer Service & Support portal by navigating to Asset Management > Products > More Views > License. In the Search License List search bar, type VDOM. From the results, select the Serial Number of the FortiGate that needs to be licensed.
The license can be applied using the following command:
config global
execute upd-vd-license <license key>
When uploading the license from the CLI, the following error may be encountered when applying the license on the secondary unit:
secondary $ config global
secondary (global) $ execute upd-vd-license XXXX-YYYY-ZZZZ-X
decode vdom license key failed
Command fail. Return code -1003
Instead, try uploading the same license via the Web GUI: under the Global VDOM, navigate to System > FortiGuard > Virtual Domain and enter the VDOM license key.
Verify again by running ‘get system status’ and look for the below line:
Max number of virtual domains:
It will show the updated number of VDOMs supported. Once the VDOM license is applied and the count matches on all units, the FortiGates will form the HA cluster successfully.
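To compare the VDOM limit across units before joining them, the check above can be run over saved ‘get system status’ output. This is an added example, not Fortinet code; the sample captures are constructed and abridged, the serial numbers are placeholders, and the function names are hypothetical.

```python
import re

# Constructed, abridged captures of 'get system status'; serials are placeholders.
PRIMARY = """\
Version: FortiGate (constructed sample)
Serial-Number: SERIAL-PRIMARY-PLACEHOLDER
Hostname: fw-primary
Virtual domain configuration: multiple
Max number of virtual domains: 25
Current HA mode: a-p, primary
"""
REPLACEMENT = """\
Serial-Number: SERIAL-RMA-PLACEHOLDER
Hostname: fw-rma
Virtual domain configuration: multiple
Max number of virtual domains: 10
Current HA mode: standalone
"""

# One 'key: value' pair per line; [ \t] keeps an empty value from spilling onto the next line.
FIELD = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def parse_status(text):
    """Return the 'key: value' lines of a status capture as a dict."""
    return dict(FIELD.findall(text))

def vdom_limit(text):
    """Return (serial, limit); limit is None if the line is absent or not numeric."""
    fields = parse_status(text)
    raw = fields.get("Max number of virtual domains", "")
    return fields.get("Serial-Number", "unknown"), int(raw) if raw.isdigit() else None

def compare_units(captures):
    """Return (ok, limits); ok is True only if every unit reports the same numeric limit."""
    limits = dict(vdom_limit(c) for c in captures)
    ok = None not in limits.values() and len(set(limits.values())) == 1
    return ok, limits

if __name__ == "__main__":
    ok, limits = compare_units([PRIMARY, REPLACEMENT])
    for serial, limit in limits.items():
        print(f"{serial}: max VDOMs = {limit}")
    print("VDOM limits match" if ok else "MISMATCH: apply the VDOM license key before joining HA")
```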