Potential HA upgrade error due to changes in FortiOS

The following is, if not common, a plausible scenario:

You have a FortiGate unit that you have upgraded from version 4.3.10 to 5.0.1. You want to make it part of an HA cluster, so you bring in a new unit of the exact same model and install a fresh copy of the exact same 5.0.1 build of the firmware. You try to join the new machine to the cluster and, instead of the hoped-for notification that everything went exactly as planned, you get a message similar to this:

HA cannot be formed because the internal ports of 
box-FG100D3G12801021 is in different mode with this box. 
In order to form HA, please make them in the same mode first.

In the 4.3 firmware, the default name for the internal interface was “internal” and its type was set to “physical”. In version 5.0.1 or later, this interface’s default name has been changed to “lan” and the device type is “hard-switch”. When you upgrade a unit, the settings carry through the upgrade, but when you do a fresh install or a factory reset, the settings are set to the default values, which differ from those of the unit that has been upgraded.

Solution:

The solution to this error is to change the configuration of one of the FortiGate units to match the other. Which unit to change is up to you. One thing that would make sense to consider is which of the following is more likely to be added to the cluster in the future:

  1. A FortiGate that has been upgraded from 4.3 to a current version
  2. A FortiGate unit that has a fresh new install of the 5.0.1 or later version of the firmware on it.

If the new install is more likely, it would make sense to reconfigure the upgraded unit so that you don’t have to remember to edit each new unit that joins the cluster later on.
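A pre-join check for the mismatch described above, as an added example that is not part of the original article or Fortinet tooling: it compares the internal-port definition in two configuration backups before you attempt to form the cluster. The function names and both config excerpts are constructed for illustration, and it assumes each backup lists `set type` under `config system interface`.

```python
import re

# Constructed excerpts in FortiOS backup syntax (not taken from a real unit).
UPGRADED = '''config system interface
    edit "wan1"
        set type physical
    next
    edit "internal"
        set type physical
        config ipv6
            set ip6-allowaccess ping
        end
    next
end'''
FRESH = '''config system interface
    edit "wan1"
        set type physical
    next
    edit "lan"
        set type hard-switch
    next
end'''

def parse_interfaces(config_text):
    """Map interface name -> type from the 'config system interface' table."""
    found, in_table, depth, current = {}, False, 0, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_table:
            in_table = line == "config system interface"
        elif line.startswith("config "):
            depth += 1                      # nested sub-table, e.g. ipv6
        elif line == "end":
            if depth == 0:
                break                       # end of the interface table
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = m.group(1)
            found[current] = None
        elif depth == 0 and current and (m := re.fullmatch(r"set type (\S+)", line)):
            found[current] = m.group(1)
    return found

def internal_port_mismatch(cfg_a, cfg_b, names=("internal", "lan")):
    """List (name, type_a, type_b) where the internal-port definitions differ."""
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]

if __name__ == "__main__":
    for name, t_a, t_b in internal_port_mismatch(UPGRADED, FRESH):
        print(f"{name}: upgraded={t_a} fresh={t_b}")
```

An empty result means both backups define the internal port the same way; a `None` on either side means that unit has no interface by that name.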

Bruce Davis

Technical Writer at Fortinet