Troubleshooting Tip: 'execute backup' command is not fully SD-WAN aware
| Description | This article describes how at the time of writing this document, the Backup of configuration file from CLI using FTP is not fully SD-WAN aware, and may cause connectivity issues for self-generated traffic. |
| Scope | FortiOS. |
| Solution | FortiOS will initially follow the SD-WAN rules for the Control Channel over port 21, but will fail to do so for the Data Channel and will follow the RIB instead. This will be an issue if there is a single default route pointing to the SD-WAN Zone, and the destinations are controlled by SD-WAN rules, including destinations for IPsec tunnels.
The same behavior will happen if this command is being used on a CLI script Action on an Automation Stitch.
The workaround for this issue is to create specific static routes for the FTP server, using the correct Egress interface. Example:
config router static set dst 172.16.200.1 255.255.255.255 set device "IPSEC-Tunnel"
|