Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Handbook

Viewing more details about FortiGate-6000 synchronization

If the output of the diagnose sys configsync status command includes in_sync=0 entries, you can use the diagnose sys confsync showcsum command to view more details about the configuration checksums and potentially identify parts of the configuration that are not synchronized.

The diagnose sys configsync showcsum command shows HA and confsync debugzone and checksum information for the management board and the FPCs, beginning with the FPC in slot 1 and ending with the management board.

The following example shows the FPC in slot 1.

diagnose sys confsync showcsum
==========================================================================
Slot: 1  Module SN: FPC6KFT018903332
ha debugzone
global: e3 62 5b 5e 0e 99 3e 28 e2 27 72 d7 d4 16 a5 42
root: 3e af ce 65 00 45 f1 b6 c1 ae 65 40 0a 97 63 fc
mgmt-vdom: 2c 6e 41 c7 d0 15 34 e5 f1 c3 d9 9b 6f a4 fd 47
all: a2 89 77 7b 7f ad 38 b4 f3 16 53 17 f2 8b 60 61

ha checksum
global: e3 62 5b 5e 0e 99 3e 28 e2 27 72 d7 d4 16 a5 42
root: 3e af ce 65 00 45 f1 b6 c1 ae 65 40 0a 97 63 fc
mgmt-vdom: 2c 6e 41 c7 d0 15 34 e5 f1 c3 d9 9b 6f a4 fd 47
all: a2 89 77 7b 7f ad 38 b4 f3 16 53 17 f2 8b 60 61

confsync debugzone
global: be 96 26 6f a7 5d d1 d9 3f 8d 5f 45 46 80 9b 9d
root: 95 43 03 15 0b ce 2e 4e 55 e9 ec 37 65 47 d0 41
mgmt-vdom: c4 fc 49 b6 f1 ff c2 6d 9c bf 1e 5b 7d 5e 69 29
all: b3 f2 1a 4d fa fb b6 06 15 9a 42 17 ae 7e a0 be

confsync checksum
global: be 96 26 6f a7 5d d1 d9 3f 8d 5f 45 46 80 9b 9d
root: 95 43 03 15 0b ce 2e 4e 55 e9 ec 37 65 47 d0 41
mgmt-vdom: c4 fc 49 b6 f1 ff c2 6d 9c bf 1e 5b 7d 5e 69 29
all: b3 f2 1a 4d fa fb b6 06 15 9a 42 17 ae 7e a0 be

The example output includes four sets of checksums: a checksum for the global configuration, a checksum for each VDOM (in this case there are two VDOMs: root and mgmt-vdom), and a checksum for the complete configuration (all). You can verify that this FPC is synchronized because both sets of HA checksums match and both sets of confsync checksums match. Also as expected, the HA and confsync checksums are different.

If the management board and all of the FPCs in a standalone FortiGate-6000 have the same set of checksums, the management board and the FPCs in that FortiGate-6000 are synchronized.

If a FPC or the management board is out of sync, you can use the output of the diagnose sys configsync status command to determine what part of the configuration is out of sync. You could then take action to attempt to correct the problem or contact Fortinet Technical Support at https://support.fortinet.com for assistance.

A corrective action could be to restart of the component with the synchronization error. You could also try using the following command to re-calculate the checksums in case the sync error is just temporary:

diagnose sys confsync csum-recalculate

Viewing more details about FortiGate-6000 synchronization

If the output of the diagnose sys configsync status command includes in_sync=0 entries, you can use the diagnose sys confsync showcsum command to view more details about the configuration checksums and potentially identify parts of the configuration that are not synchronized.

The diagnose sys configsync showcsum command shows HA and confsync debugzone and checksum information for the management board and the FPCs, beginning with the FPC in slot 1 and ending with the management board.

The following example shows the FPC in slot 1.

diagnose sys confsync showcsum
==========================================================================
Slot: 1  Module SN: FPC6KFT018903332
ha debugzone
global: e3 62 5b 5e 0e 99 3e 28 e2 27 72 d7 d4 16 a5 42
root: 3e af ce 65 00 45 f1 b6 c1 ae 65 40 0a 97 63 fc
mgmt-vdom: 2c 6e 41 c7 d0 15 34 e5 f1 c3 d9 9b 6f a4 fd 47
all: a2 89 77 7b 7f ad 38 b4 f3 16 53 17 f2 8b 60 61

ha checksum
global: e3 62 5b 5e 0e 99 3e 28 e2 27 72 d7 d4 16 a5 42
root: 3e af ce 65 00 45 f1 b6 c1 ae 65 40 0a 97 63 fc
mgmt-vdom: 2c 6e 41 c7 d0 15 34 e5 f1 c3 d9 9b 6f a4 fd 47
all: a2 89 77 7b 7f ad 38 b4 f3 16 53 17 f2 8b 60 61

confsync debugzone
global: be 96 26 6f a7 5d d1 d9 3f 8d 5f 45 46 80 9b 9d
root: 95 43 03 15 0b ce 2e 4e 55 e9 ec 37 65 47 d0 41
mgmt-vdom: c4 fc 49 b6 f1 ff c2 6d 9c bf 1e 5b 7d 5e 69 29
all: b3 f2 1a 4d fa fb b6 06 15 9a 42 17 ae 7e a0 be

confsync checksum
global: be 96 26 6f a7 5d d1 d9 3f 8d 5f 45 46 80 9b 9d
root: 95 43 03 15 0b ce 2e 4e 55 e9 ec 37 65 47 d0 41
mgmt-vdom: c4 fc 49 b6 f1 ff c2 6d 9c bf 1e 5b 7d 5e 69 29
all: b3 f2 1a 4d fa fb b6 06 15 9a 42 17 ae 7e a0 be

The example output includes four sets of checksums: a checksum for the global configuration, a checksum for each VDOM (in this case there are two VDOMs: root and mgmt-vdom), and a checksum for the complete configuration (all). You can verify that this FPC is synchronized because both sets of HA checksums match and both sets of confsync checksums match. Also as expected, the HA and confsync checksums are different.

If the management board and all of the FPCs in a standalone FortiGate-6000 have the same set of checksums, the management board and the FPCs in that FortiGate-6000 are synchronized.

If a FPC or the management board is out of sync, you can use the output of the diagnose sys configsync status command to determine what part of the configuration is out of sync. You could then take action to attempt to correct the problem or contact Fortinet Technical Support at https://support.fortinet.com for assistance.

A corrective action could be to restart of the component with the synchronization error. You could also try using the following command to re-calculate the checksums in case the sync error is just temporary:

diagnose sys confsync csum-recalculate