Skip to main content
serbas90
serbas90
New Member
March 30, 2021
Question

TFTP traffic issue via IPSec VPN

  • March 30, 2021
  • 1 reply
  • 5481 views

Hi every one :)

We have met some issue related to TFTP via VPN IPSec.

Topology is simple. We have Datacenter's FG 600e (software 6.4.2) and few branches with FG 100d or 60e (from 6.2.7 to 6.4.4). All branches have VPN IPSec (s2s) to Datacenter and static routes. 

 

Issue is - when client (some workstation) try to request some file by tftp, packets from server (located in DC) dont arive to branch Fortigate and client has "tftp timeout". I sniffed traffic on tunnel interfaces from both sides and define that client have successful request to server, but when server is answer, and send data, packets are present from DC side and absent on banch side. Seams like answer packets are lost somewhere in Tunnel... 

 

We've made some troubleshuting. Created policies from both sides to allow all traffic - no resaults. We deeply checked routes and VPN settings. Also we chacked some other features like "tftp session helper" and so on...

Localy on branch or DC tftp is working well but not via VPN.

 

Is someone meet similar issue? My ideas are finished what it could be... :)

    1 reply

    emnoc
    emnoc
    New Member
    March 30, 2021

    The "diag debug flow" is your friend.

     

        https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

     

    I would run that and analyze the flow on both hub DC and branches at the same time. Since you mention many branches and one DC and if the problem is ALL, than I would forecast on the DC since that is the common item between them.

     

    Also I would upgrade those 6.2 devices.

     

    Ken Felix

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    March 30, 2021

    Do you know the packet/data size your TFTP server and the clients exchange? Older TFTP server like discontinued Cisco one (free software) was always short but newer ones might be sending large packets. It could be MTU related issue over the tunnels. If possible, set the packet size very short, like 100 that was I believe the old Cisco server's, just for test purpose. 

    emnoc
    emnoc
    New Member
    March 30, 2021

    True tftp protocol was 1st originated at 512bytes packet sizes. He needs to do diag debug to see what is happening and if any thinng is being dropped due to df-bit or something else.

     

    Ken Felix

     

    Terms & ConditionsAccessibility statement