This article describes how to Sync out-of-sync HA devices after a firmware upgrade.

Scope

FortiGate.

Solution

There would be a few scenarios post-upgrade of FortiGate HA devices, where the secondary HA device is not in sync with the primary even after all configurations match. Some default address objects could be missing, like ISDB value for Microsoft or Google sites, which causes out-of-sync.

After upgrading the device check on both devices for any configuration errors.:diagnose debug config-error-log read

In the below example, the firewall address object checksum value is different on both devices which caused the device out of sync.

Try to manual sync by recalculating the checksum

If the above step does not work, try to reboot the Secondary FortiGate and wait for sync.

Try to update the ISDB using the below process after failing over to secondary:

diag debug disable
diag debug enable
diag debug application update -1
execute update-now

After the update is completed to stop debugs:

diag debug disable

Check if the database of ISDB is updated on both devices by running the below command :

diagnose autoupdate versions | grep Industrial -A 5
Industrial Attack Definitions
---------
Version: 27.00775 signed
Contract Expiry Date: Sat Oct 3 2026
Last Updated using scheduled update on Thu Apr 25 12:56:20 2024
Last Update Attempt: Sat Apr 27 01:20:26 2024

If the device still shows out of sync, use the below to manually modify the primary unit configuration file and restore it to the secondary unit.

The post How to Fix Secondary HA device is out of sync due to default Microsoft Isdb Missing after upgrade appeared first on PUPUWEB - Tech Solution and Advice from Pro.