FortiGate-7000 Handbook

Viewing more details about FortiGate-7000 synchronization

If the output of the diagnose sys confsync status command includes in_sync=0 entries, you can use the diagnose sys confsync showcsum command to view more details about the configuration checksums and potentially identify parts of the configuration that are not synchronized.

The diagnose sys confsync showcsum command shows HA and confsync debugzone and checksum information for the FIMs and FPMs, beginning with the FPM in slot 3 and ending with the primary FIM.

The following example shows the FPM in slot 3.

==========================================================================
Slot: 3  Module SN: FPM20E3E17900511
ha debugzone
global: 7e 06 79 02 65 a9 ea e3 68 58 73 c2 33 d0 16 f1 
root: 43 2c ee 2c f1 b3 b2 13 ff 37 34 5e 86 11 dc bf 
mgmt-vdom: 9c 7d 58 9f 81 4b b7 4e ed 2a c3 02 34 b4 7c 63 
all: 0b 16 f2 e4 e2 89 eb a1 bf 8f 15 9b e1 4e 3b f2 

ha checksum
global: 7e 06 79 02 65 a9 ea e3 68 58 73 c2 33 d0 16 f1 
root: 43 2c ee 2c f1 b3 b2 13 ff 37 34 5e 86 11 dc bf 
mgmt-vdom: 9c 7d 58 9f 81 4b b7 4e ed 2a c3 02 34 b4 7c 63 
all: 0b 16 f2 e4 e2 89 eb a1 bf 8f 15 9b e1 4e 3b f2 

confsync debugzone
global: 09 28 1a fd 1b 4c 7d 39 1b 67 8a 62 e0 04 f8 b3 
root: 8c 54 95 74 40 68 2c a7 3e ef e6 26 d3 37 09 08 
mgmt-vdom: 88 34 5f b0 7c 36 a6 32 50 fb 9c 1f 36 84 86 6c 
all: f4 aa fe e5 e3 0b c9 9e 56 b5 05 30 f4 27 80 3f 

confsync checksum
global: 09 28 1a fd 1b 4c 7d 39 1b 67 8a 62 e0 04 f8 b3 
root: 8c 54 95 74 40 68 2c a7 3e ef e6 26 d3 37 09 08 
mgmt-vdom: 88 34 5f b0 7c 36 a6 32 50 fb 9c 1f 36 84 86 6c 
all: f4 aa fe e5 e3 0b c9 9e 56 b5 05 30 f4 27 80 3f 

The example output includes four sets of checksums: a checksum for the global configuration, a checksum for each VDOM (in this case there are two VDOMs: root and mgmt-vdom), and a checksum for the complete configuration (all). You can verify that this FPM is synchronized because both sets of HA checksums match and both sets of confsync checksums match. Also as expected, the HA and confsync checksums are different.

If the FIMs and FPMs in a standalone FortiGate-7000 have the same set of checksums, the FIMs and FPMs in that FortiGate-7000 are synchronized.

If a FIM or FPM is out of sync, you can use the output of the diagnose sys confsync status command to determine what part of the configuration is out of sync. You could then take action to attempt to correct the problem or contact Fortinet Technical Support at https://support.fortinet.com for assistance.

A corrective action could be to restart the component with the synchronization error. You could also try using the following command to recalculate the checksums in case the sync error is just temporary:

diagnose sys confsync csum-recalculate
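
The checksum comparison described above can be scripted against saved diagnose sys confsync showcsum output. The following Python is an added example, not Fortinet code: it reports each slot and configuration section where debugzone and checksum disagree, or where a slot differs from a reference slot you choose. The slot 4 entry, its serial number, the shortened checksums and the use of slot 3 as the reference are assumptions made for the sample.

```python
import re

SLOT_RE = re.compile(r"^Slot:\s*(\d+)\s+Module SN:\s*(\S+)")
TABLE_RE = re.compile(r"^(ha|confsync) (debugzone|checksum)$")
SUM_RE = re.compile(r"^([\w.-]+):\s*((?:[0-9a-f]{2}\s*)+)$")
# Constructed sample (slot 4 is made up): confsync tables only, 4-byte sums.
SAMPLE = """\
Slot: 3  Module SN: FPM20E3E17900511
confsync debugzone
global: 09 28 1a fd
root: 8c 54 95 74
confsync checksum
global: 09 28 1a fd
root: 8c 54 95 74
Slot: 4  Module SN: EXAMPLE-SN-0004
confsync debugzone
global: 09 28 1a fd
root: 11 22 33 44
confsync checksum
global: 09 28 1a fd
root: 11 22 33 44
"""

def parse_showcsum(text):
    """Return {slot: {"confsync checksum": {"global": "09281afd", ...}}}."""
    slots, slot, table = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SLOT_RE.match(line):
            slot, table = slots.setdefault(int(m.group(1)), {}), None
        elif slot is not None and TABLE_RE.match(line):
            table = slot.setdefault(line, {})
        elif table is not None and (m := SUM_RE.match(line)):
            table[m.group(1)] = m.group(2).replace(" ", "")
    return slots

def find_drift(slots, reference_slot):
    """Return (slot, kind, section, reason) for each mismatch found."""
    issues, ref = [], slots[reference_slot]
    for num, tables in sorted(slots.items()):
        for kind in ("ha", "confsync"):
            dbg, csum = (tables.get(f"{kind} {t}", {}) for t in ("debugzone", "checksum"))
            ref_csum = ref.get(f"{kind} checksum", {})
            for sec in sorted(set(dbg) | set(csum) | set(ref_csum)):
                if dbg.get(sec) != csum.get(sec):
                    issues.append((num, kind, sec, "debugzone != checksum"))
                if csum.get(sec) != ref_csum.get(sec):
                    issues.append((num, kind, sec, "differs from reference"))
    return issues
print(find_drift(parse_showcsum(SAMPLE), reference_slot=3))
```

An empty list means every parsed slot matches the reference and its own debugzone values; HA and confsync tables are only compared with tables of the same kind, since the two are expected to differ from each other.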
