Hkp
New Member
February 16, 2016
Question

config backup to TFTP server is not working

  • February 16, 2016
  • 1 reply
  • 10426 views

Hello,

 

We have some FortiGate 30D units in our branch offices; they are connected to our HQ FortiGate (IPsec tunnel with an active policy route that sends all traffic through the VPN tunnel). Routing is working fine in the branch offices.

 

Now I have created a script for daily backups (export of the full config to a TFTP server).

 

The script is working fine, but only in HQ. All 30D devices get a timeout; see attachment.

 

Could someone tell me why the remote HQ network 172.16.0.0/16 is not reachable when I'm using the FGT CLI?

 

Thanks and regards

    1 reply

    emnoc
    New Member
    February 16, 2016

    The unit is probably sending the traffic outside of the IPsec tunnel. You will probably need to run diag sniffer packet <tunnel name> "port 69" when your script fires off.

     

    Ken

     

     

    Hkp (Author)
    New Member
    February 17, 2016

    I have just sniffed the UDP traffic on the VPN tunnel while the command "exe backup full-config tftp /FortiGate/Backups/FGT03/FGT30D_DialyAutoBackup.conf 172.16.2.32" was running.

     

    The logical interface (IP 10.255.255.6) tried to connect to the TFTP server through the VPN tunnel.

     

    FGT03 # diagnose sniffer packet VPNPBG "udp" 4
    interfaces=[VPNPBG]
    filters=[udp]

    2.526117 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
    0x0000 4500 0059 3421 0000 4011 8e3d 0aff ff06 E..Y4!..@..=....
    0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
    0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
    0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
    0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
    0x0050 6e66 006f 6374 6574 00 nf.octet.

    7.522582 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
    0x0000 4500 0059 3422 0000 4011 8e3c 0aff ff06 E..Y4"..@..<....
    0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
    0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
    0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
    0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
    0x0050 6e66 006f 6374 6574 00 nf.octet.

    12.522583 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
    0x0000 4500 0059 3423 0000 4011 8e3b 0aff ff06 E..Y4#..@..;....
    0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
    0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
    0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
    0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
    0x0050 6e66 006f 6374 6574 00 nf.octet.

    17.522585 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
    0x0000 4500 0059 3424 0000 4011 8e3a 0aff ff06 E..Y4$..@..:....
    0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
    0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
    0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
    0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
    0x0050 6e66 006f 6374 6574 00 nf.octet.

    22.522586 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
    0x0000 4500 0059 3425 0000 4011 8e39 0aff ff06 E..Y4%..@..9....
    0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
    0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
    0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
    0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
    0x0050 6e66 006f 6374 6574 00 nf.octet.

     

    I have also tried it with a new test policy, but it is still not working.

     

    SRC Interface: ANY | SRC IP: 10.255.255.6 | DST Interface: VPNPBG | DST IP: ALL | SRV: ALL 

     

    Does anyone know what to do?

     

     
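    The capture above shows only outbound packets, and reading the verbose-4 hex by eye is error-prone. The following is an added example (not code from the original post or from Fortinet): a small decoder that takes `diagnose sniffer packet <iface> "udp" 4` output, reassembles each packet from its hex rows, verifies the IPv4 header checksum, decodes the UDP header and the TFTP opcode/filename/mode, and then reports whether any reply from the server ever appeared on the captured interface. The embedded sample is the first two retransmissions from the post, re-laid one hex row per line; the function and field names are this example's own.

```python
import re
import struct
from collections import Counter

# Constructed input: the first two WRQ retransmissions from the post's capture,
# laid out one hex row per line the way the FortiGate CLI prints them.
SNIFFER_OUTPUT = """\
2.526117 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000 4500 0059 3421 0000 4011 8e3d 0aff ff06 E..Y4!..@..=....
0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
0x0050 6e66 006f 6374 6574 00 nf.octet.
7.522582 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000 4500 0059 3422 0000 4011 8e3c 0aff ff06 E..Y4"..@..<....
0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F
0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups
0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di
0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co
0x0050 6e66 006f 6374 6574 00 nf.octet.
"""

# Packet header: "<ts> <iface> <--|in|out> <src>.<port> -> <dst>.<port>: udp <len>"
HEADER_RE = re.compile(r"(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>--|in|out)\s+"
                       r"\S+\s+->\s+\S+:\s+\S+\s+\d+")
# Hex row: offset, then up to 8 groups of 2 or 4 hex digits; the ASCII column is
# skipped (the cap of 8 keeps printable payload from being read as hex on full rows).
HEX_ROW_RE = re.compile(r"0x(?P<off>[0-9a-f]{4})"
                        r"(?P<hex>(?:\s+[0-9a-f]{2}(?:[0-9a-f]{2})?(?=\s|$)){1,8})")
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}

def ipv4_checksum(header):
    """RFC 791 ones'-complement sum; 0 means the header's checksum field is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_tftp(payload):
    opcode = struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None
    info = {"opcode": opcode, "name": TFTP_OPCODES.get(opcode, "UNKNOWN")}
    if opcode in (1, 2):  # RFC 1350 request: filename NUL mode NUL [RFC 2347 options]
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("truncated TFTP request")
        info["filename"] = fields[0].decode("ascii", "replace")
        info["mode"] = fields[1].decode("ascii", "replace").lower()
    return info

def decode_ipv4_udp_tftp(raw):
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(raw) < total_len:
        raise ValueError("expected a complete IPv4/UDP packet")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {"ip": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                   "id": ident, "ttl": ttl, "checksum_ok": ipv4_checksum(raw[:ihl]) == 0},
            "udp": {"sport": sport, "dport": dport},
            "tftp": decode_tftp(raw[ihl + 8:ihl + ulen])}

def parse_sniffer_output(text):
    """Split verbose-4 sniffer text into packets, reassemble the hex rows, decode each."""
    headers = list(HEADER_RE.finditer(text))
    packets = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        raw = bytearray()
        for row in HEX_ROW_RE.finditer(text, h.end(), end):
            if int(row.group("off"), 16) != len(raw):
                raise ValueError("hex rows out of order")
            raw += bytes.fromhex("".join(row.group("hex").split()))
        pkt = decode_ipv4_udp_tftp(bytes(raw))
        pkt.update(ts=float(h.group("ts")), iface=h.group("iface"), dir=h.group("dir"))
        packets.append(pkt)
    return packets

def summarize(packets):
    """Count requests and retransmissions and look for anything the server sent back."""
    requests = [p for p in packets if p["tftp"]["opcode"] in (1, 2)]
    clients = {(p["ip"]["src"], p["udp"]["sport"], p["ip"]["dst"]) for p in requests}
    replies = [p for p in packets
               if (p["ip"]["dst"], p["udp"]["dport"], p["ip"]["src"]) in clients]
    flows = Counter((p["ip"]["src"], p["udp"]["sport"], p["ip"]["dst"],
                     p["tftp"]["filename"]) for p in requests)
    verdict = ("no_tftp_requests" if not requests else "requests_only" if not replies
               else "server_error" if any(p["tftp"]["opcode"] == 5 for p in replies)
               else "transfer_started")
    return {"requests": len(requests), "replies": len(replies),
            "retransmissions": sum(n - 1 for n in flows.values()), "verdict": verdict}

if __name__ == "__main__":
    for p in parse_sniffer_output(SNIFFER_OUTPUT):
        print(p["ts"], p["iface"], p["ip"], p["udp"], p["tftp"])
    print(summarize(parse_sniffer_output(SNIFFER_OUTPUT)))
```

    On the post's capture this yields two valid WRQ packets from 10.255.255.6:1069 to 172.16.2.32:69 for /FortiGate/Backups/FGT03/FGT30D_DialyAutoBackup.conf in octet mode, with the IP ID incrementing and no DATA, ACK or ERROR back, so the verdict is "requests_only". That means the request is leaving on the tunnel interface as intended and the problem is on the return path: the HQ side needs a policy and a route back to the source address the FortiGate picked (here the tunnel interface IP), and the phase 2 selectors must cover it. Sniff the other interfaces at the same time in case the reply is arriving somewhere else; a capture limited to one interface cannot tell "dropped at HQ" from "returned via a different path".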

    Snowden
    New Member
    December 16, 2021

    Hi,
    I am also facing the same problem. We want to take the configuration backup on an AWS instance.

    Between AWS and my office we have a site-to-site VPN tunnel.

    I am able to ping the AWS instance over the VPN from the laptop, and the same from AWS to the laptop, but from the firewall, if I execute ping x.x.x.x, AWS is not pingable until I use the source command and provide the source IP.
    Now I want to take a configuration backup of the FortiGate firewall using the command
    execute backup config tftp <backup_filename> <tftp_servers> <password>
    The backup does not execute over the site-to-site VPN,
    but on the other hand the same command is working for my LAN TFTP server.