How to fix HA Out of Sync due to speed auto in default setting

This article explains why the firewalls show an out-of-sync status when the interface configuration differs in how the default speed setting auto is displayed, and how to resolve it.

Scope

FortiGate.

Solution

The firewalls are out of sync due to a mismatched checksum of the interface objects.

diagnose sys ha checksum show global <----- Checksums are different. 
FG1 # system.interface: 5n6nd4na500787a76a4f4fcedfasg4dgh3h2 
FG2 # system.interface: 6dhjh3hw364ee4e44ad76ca0e32a676df4ft

The interface configuration differs between the units because of the default setting 'speed auto'.

show sys int port1 <----- In the show command it is possible to see the 'set speed' command.
edit "port1" 
set vdom "global" 
set ip x.x.x.x 255.255.255.0 
set allowaccess ping 
set type physical 
set alias "XYZ" 
set device-identification enable 
set role lan 
set speed auto 
next

The 'set speed auto' setting is the default and should not be displayed in the show command. However, on the other unit, this speed will not be displayed.

Interface setting on the second device:

show sys int port1 <----- In the show command the 'set speed' command will not be visible.
edit "port1"
set vdom "global"
set ip x.x.x.x 255.255.255.0 
set allowaccess ping 
set type physical 
set alias "XYZ" 
set device-identification enable 
set role lan 
next

This difference in configuration makes the system.interface object different, which results in a sync issue.

The solution for this issue is as follows:

  1. Go to the device where speed is not showing as a default setting.
  2. Go to the interface and set the speed to any other setting, for example: set speed 1000full.
  3. Save the setting by exiting the interface settings.
  4. Go back to the interface, set the speed back to auto, then save the configuration.
  5. The default speed auto should now be seen in the interface settings on both devices.
  6. Recalculate the checksum on both the primary and secondary devices with the following command: diag sys ha checksum recalculate

After recalculating the checksum, the issue should be resolved and both devices will be in synchronization again.

If the issue is still not resolved, verify the configuration of other objects whose checksum is different.
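To find which other objects differ, and which 'set' lines exist on only one unit, the saved output of both units can be compared offline. The script below is an added example, not Fortinet code: it assumes checksum lines in the "object: checksum" form and edit/next stanzas as shown above, and all sample data and function names in it are constructed for illustration.

```python
import re

# Constructed sample data in the forms shown in this article (not real output).
FG1_SUMS = "system.interface: aaaa1111\nsystem.ha: bbbb2222\n"
FG2_SUMS = "system.interface: cccc3333\nsystem.ha: bbbb2222\n"
FG1_SHOW = 'edit "port1"\n    set role lan\n    set speed auto\nnext\n'
FG2_SHOW = 'edit "port1"\n    set role lan\nnext\n'

def parse_checksums(text):
    """Map object name -> checksum; a leading CLI prompt is tolerated."""
    sums = {}
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+):\s*([0-9A-Za-z]+)\s*$", line)
        if m:
            sums[m.group(1)] = m.group(2)
    return sums

def mismatched_objects(a_text, b_text):
    """Objects whose checksum differs or exists on one unit only."""
    a, b = parse_checksums(a_text), parse_checksums(b_text)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def parse_stanzas(text):
    """Map entry name -> set of 'set ...' lines between edit and next."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = stanzas.setdefault(m.group(1), set())
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            current.add(line)
    return stanzas

def stanza_diff(a_text, b_text):
    """Return {name: (lines only on A, lines only on B)} for differing entries."""
    a, b = parse_stanzas(a_text), parse_stanzas(b_text)
    out = {}
    for name in sorted(a.keys() | b.keys()):
        sa, sb = a.get(name, set()), b.get(name, set())
        if sa != sb:
            out[name] = (sorted(sa - sb), sorted(sb - sa))
    return out

if __name__ == "__main__":
    print("Objects out of sync:", mismatched_objects(FG1_SUMS, FG2_SUMS))
    for name, (a, b) in stanza_diff(FG1_SHOW, FG2_SHOW).items():
        print(f"{name}: only on FG1 {a}, only on FG2 {b}")
```

With the sample data, the script reports system.interface as the mismatched object and 'set speed auto' as the line present only on the first unit.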