How to troubleshoot HA issues.
Using the log viewer
You can use the log viewer to view HA logs. HA logs are displayed under the System module. You can apply a filter to the log component to match on HA.
The image below shows HA logs displayed in the log viewer.
Using the raw log files through SSH
You can find the HA log files in the /log directory through the advanced shell. To access log files through SSH, do as follows:
- Log in to the CLI console of the primary device using administrator credentials.
- Select option 5. Device Management.
- Select option 3. Advanced Shell.
- Press Enter.
- To show the list of logs, type:
- To view a log, type:
The following table describes the four relevant log files for HA.
| Log file | Description |
|---|---|
| msync.log | HA synchronization service. |
| ctsyncd.log | Conntrack synchronization service. |
| applog.log | HA configuration and status updates. |
| csc.log | Central service, which manages all services. |
Dedicated port failure
If the dedicated port or cable fails, both devices become standalone primary devices and send gratuitous ARP requests (GARPs) to the network switch to take ownership of the virtual MAC address (VMAC). This will likely result in routing issues.
In this scenario, shut down one of the devices and repair the link (assuming the fault isn't in the interface itself). Then start the device. It detects the primary and takes on the role of the auxiliary.
The example log file entries below show the status change you see when the dedicated link goes down.
Log example on the primary device:
Log example on the auxiliary device:
Defective interface or cable
To verify if a defective interface or cable is causing a failover, review the port status using the dmesg command from the CLI advanced shell, as shown in the image below.
If the port is going up and down, check and correct the speed and duplex settings on both sides of the connection.
You can also do the following:
- Check for packet drops, errors, and collisions on the interface using the ifconfig or show network interfaces commands. For more information on these commands, see the CLI guide.
- Try replacing the cable.
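The flapping check above can also be run offline against saved dmesg output. The following Python sketch is an added example, not part of the original documentation: it counts link-down events per port and flags ports that renegotiate at different speed or duplex values. The message shape (modelled on common Linux NIC driver link messages), the port names, the sample lines, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of saved dmesg output. The message shape is an assumption
# modelled on common Linux NIC driver link messages; adjust LINK_RE to match
# what your device actually prints.
SAMPLE_DMESG = """\
[ 1042.118301] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Down
[ 1045.392877] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 1310.771450] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Down
[ 1313.004112] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Up 100 Mbps Half Duplex, Flow Control: None
[ 1502.660983] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Down
[ 1505.918220] igb 0000:02:00.0 Port8: igb: Port8 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 2000.000100] igb 0000:01:00.0 Port1: igb: Port1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
"""

LINK_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s.*?\b(?P<port>\S+) NIC Link is (?P<state>Up|Down)"
    r"(?:\s+(?P<speed>\d+) Mbps (?P<duplex>Full|Half) Duplex)?"
)

def link_report(dmesg_text, window=600.0, max_downs=2):
    """Summarise link events per port; flag flapping and speed/duplex changes."""
    downs = defaultdict(list)       # port -> timestamps of Link Down events
    negotiated = defaultdict(list)  # port -> (speed, duplex) at each Link Up
    for line in dmesg_text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        if m["state"] == "Down":
            downs[m["port"]].append(float(m["ts"]))
        elif m["speed"]:
            negotiated[m["port"]].append((int(m["speed"]), m["duplex"]))
    report = {}
    for port in sorted(set(downs) | set(negotiated)):
        ts = downs[port]
        # Flapping: more than max_downs Link Down events within `window` seconds.
        flapping = any(sum(1 for t in ts[i:] if t - start <= window) > max_downs
                       for i, start in enumerate(ts))
        modes = sorted(set(negotiated[port]))
        # Differing results across link-ups hint at a speed/duplex mismatch.
        report[port] = {"downs": len(ts), "flapping": flapping,
                        "negotiated": modes, "mismatch_suspected": len(modes) > 1}
    return report

if __name__ == "__main__":
    for port, info in link_report(SAMPLE_DMESG).items():
        print(port, info)
```

A port reported with `mismatch_suspected` is a candidate for the speed and duplex check on both sides of the connection.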
1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link
This issue affects only 1U devices using a FleXi Port as the dedicated HA link. When the first device updates and restarts, the interface speed for the FleXi Port isn't set to auto negotiation. The second device continues to have its interface speed set to auto negotiation and HA is not established.
To resolve this issue, do as follows:
- On both devices, go to Network > Interfaces.
- Click the FleXi Port interface and go to Advanced settings.
- Set the Interface speed for the FleXi Port to Auto negotiation.
Alternatively, you can set a fixed port as the dedicated HA port.