fortinet / aws-cloudformation-templates

Cloud Formation Templates for getting you started in AWS with Fortinet.
MIT License

Dual AZ solution: second instance will not boot #3

Open pmcevoy opened 4 years ago

pmcevoy commented 4 years ago

After allowing outbound traffic on FortigateSecGrp the first instance will start (PAYG). However the second (passive) instance will not because it's unable to download a license file. The second instance only has an EIP on port4/eni3. (ClusterEIP is assigned to active instance).

How does the second instance get its license so that it can join the cluster?

hgaberra commented 4 years ago

For the issue you are seeing, this is actually due to a new FortiCare license download and validation process that was added in FortiOS 6.2.2 for PAYG instances.

This is a known issue (Mantis #590555) that is being addressed in FortiOS code, however in the meantime we will be setting the CF templates to use 6.2.1 GA code until a newer GA patch of code with the relevant fix will be available. The push for the new templates should be completed by the end of the week.

In the meantime, for your existing deployments, you can simply assign an EIP to the primary IP of eni0 on the slave\FGT2 for it to complete the FortiCare license download and validation process. Once this process is completed, you can disassociate and release that EIP from the slave\FGT2 eni0 and begin failover testing after the cluster is in sync status.
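The temporary-EIP workaround above, written out as an AWS CLI script. This is an added example, not code from the fortinet repository or from the commenter; it assumes a configured AWS CLI with EC2 permissions, and the ENI id and primary private IP of eni0 on FGT2 are placeholders supplied by the caller. With `DRY_RUN=1` the AWS calls are printed and answered with placeholder ids, so the sequence can be reviewed before it is run against a real account.

```shell
#!/bin/sh
# Added example: attach a temporary EIP to the primary private IP of eni0 on FGT2
# so the passive PAYG instance can complete FortiCare license validation, then
# remove it once the cluster reports in-sync. ENI id / private IP are placeholders.
set -eu

# Wrapper around "aws ec2": in dry-run mode print the call and return a placeholder
# id instead of touching the account.
aws_ec2() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY RUN: aws ec2 $*" >&2
    case "$1" in
      allocate-address)  echo "eipalloc-PLACEHOLDER" ;;
      associate-address) echo "eipassoc-PLACEHOLDER" ;;
      *)                 echo "" ;;
    esac
  else
    aws ec2 "$@"
  fi
}

# Step 1: allocate a VPC EIP and bind it to eni0's primary private IP.
# Prints "<allocation-id> <association-id>" for the later cleanup step.
attach_temp_eip() {
  eni_id="$1"; primary_ip="$2"
  alloc_id=$(aws_ec2 allocate-address --domain vpc \
      --query AllocationId --output text)
  assoc_id=$(aws_ec2 associate-address --allocation-id "$alloc_id" \
      --network-interface-id "$eni_id" --private-ip-address "$primary_ip" \
      --query AssociationId --output text)
  echo "$alloc_id $assoc_id"
}

# Step 2 (after the license download succeeds and the cluster is in sync):
# detach and release the EIP so FGT2 is back to the template's intended layout
# before failover testing.
release_temp_eip() {
  alloc_id="$1"; assoc_id="$2"
  aws_ec2 disassociate-address --association-id "$assoc_id"
  aws_ec2 release-address --allocation-id "$alloc_id"
}

# Usage (placeholder values; replace with FGT2's real eni0 id and primary IP):
#   ids=$(attach_temp_eip eni-0123456789abcdef0 10.0.1.10)
#   ... wait for FortiCare validation and cluster sync ...
#   release_temp_eip $ids
```

Keep the association id returned by the first step; `disassociate-address` needs it, and releasing an allocation that is still associated fails.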