Ipsec VPN no TFTP traffic possible

Question

Hi there,

I've a VPN connection ready to a datacenter. I connect with Forticlient VPN on my laptop and setup an IPSEC connection to a datacenter which is fine. No I'd like to take the config of a switch in that datacenter and TFTP the config to my laptop.

The switch uses the Fortigate firewall interface address as a default gateway and is physically connected to the firewall. So that rules out routing issues.

So what I do is a copy running-config to TFTP server "Ip address VPN adapter laptop"

This times out obviously. Now in the debug logs I see TFTP traffic in the right direction through the fortifgate firewall.

However, this is SYN only, so there's no return traffic. Could it be that the Forticlient VPN has a built in firewall which doesn't allow TFTP traffic to go back? The same applies to ICPM packet sent but not returned.

Best,

E

Toshi_Esumi · Answer

I originally thought it could be something related to fragmentation issues like in discussion below:

https://lists.gt.net/cisco/nsp/159665

But if pinging from the switch side to the laptop you're running a TFTP server doesn't work, that's a different issue since they're much small packets, besides, I'm assuming you're getting in the switch over the same tunnel.

I'm assuming you have a pair of policies to cover both directions into/out of the tunnel on the FG. You probably need to run "flow debug" to see how the ping packets are treated by the FG, if it's going into the tunnel or dropped.

By the way, TFTP is using UDP. So SYN packet you saw was for other traffic. I would expect TFTP write request UDP packet with some options comes out from the switch toward the server first.

Also I would run Wireshark on the laptop side to see the TFTP packets are actually arrivng there.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded