Verifying HA cluster status
On a FortiGate-VM in an HA cluster, you can use the following command to verify the status of the cluster:
fgt-vm # diagnose sys ha status
HA information
Statistics
traffic.local = s:0 p:42311 b:9008646
traffic.total = s:0 p:42316 b:9009528
activity.fdb = c:0 q:0
Model=80008, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=0, delay=0
[Debug_Zone HA information]
HA group member information: is_manage_master=1.
FGVM080000109643: Master, serialno_prio=0, usr_priority=128, hostname=fgt-vm
FGVM080000103268: Slave, serialno_prio=1, usr_priority=128, hostname=fgt-vm
[Kernel HA information]
vcluster 1, state=work, master_ip=169.254.0.1, master_id=0:
FGVM080000109643: Master, ha_prio/o_ha_prio=0/0
FGVM080000103268: Slave, ha_prio/o_ha_prio=1/1
The following command shows similar information:
fgt-vm # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 02:04:26
Cluster state change time: 2017-09-01 03:08:19
Master selected using:
<2017/09/01 03:08:19> FGVM080000109643 is selected as the master because it has the largest value of serialno.
ses_pickup: disable
override: disable
Configuration Status:
FGVM080000109643(updated 2 seconds ago): in-sync
FGVM080000103268(updated 0 seconds ago): out-of-sync
System Usage stats:
FGVM080000109643(updated 2 seconds ago):
sessions=4, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=55%
FGVM080000103268(updated 0 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=54%
HBDEV stats:
FGVM080000109643(updated 2 seconds ago):
port4: physical/10000full, up, rx-bytes/packets/dropped/errors=15043566/61878/0/0, tx=158364378/146977/0/0
FGVM080000103268(updated 0 seconds ago):
port4: physical/10000full, up, rx-bytes/packets/dropped/errors=29442835/61625/49/0, tx=25246662/68626/0/0
MONDEV stats:
FGVM080000109643(updated 2 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=1892/8/0/0, tx=173710/307/0/0
FGVM080000103268(updated 0 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=174390/306/0/0, tx=2352/13/0/0
Master: fgt-vm , FGVM080000109643
Slave : fgt-vm , FGVM080000103268
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 FGVM080000109643
Slave :1 FGVM080000103268
The command diagnose system ha checksum show
shows whether the configurations of the FortiGate-VMs in the cluster are synchronized. If the configurations are synchronized, both sets of checksums should match.
fgt-vm # diagnose sys ha checksum show
is_manage_master()=1, is_root_master()=1
debugzone
global: 33 6f ee 5b 78 a5 22 84 39 ec 36 d3 1c 54 7c 78
root: 40 0d fb 04 12 41 df ad f1 64 14 03 ff ec f5 01
all: d3 2f 6f bb a6 e7 77 db 27 75 81 b2 94 f3 fd 68
checksum
global: 33 6f ee 5b 78 a5 22 84 39 ec 36 d3 1c 54 7c 78
root: 40 0d fb 04 12 41 df ad f1 64 14 03 ff ec f5 01
all: d3 2f 6f bb a6 e7 77 db 27 75 81 b2 94 f3 fd 68
If the checksums do not match, you can use the diagnose sys ha checksum show
and diagnose sys ha checksum show global
commands to show more detailed checksum results. The following example shows the first few lines of output of the diagnose sys ha checksum show global
command:
diagnose sys ha checksum show global
system.global: 2c79958c132639dfe61ab782a2f213ec
system.accprofile: 7d79452c78377be2616149264a18fd5c
system.vdom-link: 00000000000000000000000000000000
wireless-controller.inter-controller: 00000000000000000000000000000000
wireless-controller.global: 00000000000000000000000000000000
wireless-controller.vap: 00000000000000000000000000000000
system.switch-interface: 00000000000000000000000000000000
system.interface: 8690699bc33c7c15b20e017876cf1e37
...
If the configurations are synchronized, all the checksums displayed using these commands from both FortiGate-VMs should match. If they do not, you can use the output to see what parts of the configuration are not synchronized.