FortiGate
sjoshi
Staff
Article Id 387768
Description

This article describes the common issues encountered when uploading a FortiConverter-generated configuration file to a FortiGate device, and provides a step-by-step approach to troubleshooting and resolving these problems.

Scope

FortiOS.

Solution

Once the configuration has been converted to FortiOS format using FortiConverter, it is broken down into several parts.

Each part is a text file that can be uploaded to the FortiGate as a script.

[Screenshot: 1.PNG]

The following debug commands can be run while uploading the script; the output then echoes each script line together with its return code.

FortiGate-901G # diagnose debug en

FortiGate-901G # diagnose debug cli 8
Debug messages will be on for 30 minutes.

FortiGate-901G # cmd=/tmp/monitor_upload_AQhV9r
0: config system global
0: set hostname "New_Box"
0: end
[show_walker_construct:85] open('/tmp/system.conf.31528.F9aMie) to save config of 'global'
write config file success, prepare to save '/tmp/system.conf.31528.F9aMie' to '/data/./config/sys_global.conf.gz' on flash
flash: block_sz=1024, free_blocks=112352
[__create_file_new_version:312] the new version config file '/data/./config/sys_global.conf.gz.v000000011' is created
[symlink_config_file:379] a new version of '/data/./config/sys_global.conf.gz' is created: /data/./config/sys_global.conf.gz.v000000011
[symlink_config_file:423] the old version '/data/./config/sys_global.conf.gz.v000000010' is deleted
[symlink_config_file:425] '/data/./config/sys_global.conf.gz' has been symlink'ed to the new version '/data/./config/sys_global.conf.gz.v000000011'. The old version '/data/./config/sys_global.conf.gz.v000000010' has been deleted
zip config file /data/./config/sys_global.conf.gz success!
New_Box #
New_Box # cmd=/tmp/monitor_upload_1pF9IL
0: config system settings
0: set central-nat enable
0: end
[show_walker_construct:85] open('/tmp/system.conf.31542.shgzEh) to save config of 'root'
write config file success, prepare to save '/tmp/system.conf.31542.shgzEh' to '/data/./config/sys_vd_root+root.conf.gz' on flash
flash: block_sz=1024, free_blocks=112378
[__create_file_new_version:312] the new version config file '/data/./config/sys_vd_root+root.conf.gz.v000000008' is created
[symlink_config_file:379] a new version of '/data/./config/sys_vd_root+root.conf.gz' is created: /data/./config/sys_vd_root+root.conf.gz.v000000008
[symlink_config_file:423] the old version '/data/./config/sys_vd_root+root.conf.gz.v000000007' is deleted
[symlink_config_file:425] '/data/./config/sys_vd_root+root.conf.gz' has been symlink'ed to the new version '/data/./config/sys_vd_root+root.conf.gz.v000000008'. The old version '/data/./config/sys_vd_root+root.conf.gz.v000000007' has been deleted
zip config file /data/./config/sys_vd_root+root.conf.gz success!

Here, the script has completed successfully and the configuration has been saved as required.

If there is any error in the script, the debug output shows the error code on the failing line:

0: config vpn ipsec phase1-interface
0: edit "WAN GroupVPN_X1"
0: set type dynamic
0: set peertype one
0: set peerid "GroupVPN"
0: set authmethod psk
0: set psksecret "123456"
0: set dhgrp 2
0: set mode aggressive
0: set proposal 3des-sha1
-651: set interface X1 <----- error code -651.
0: set xauthtype auto
0: set authusrgrp "VPN Users"
0: set keylife 28800
1: next
-1: edit "WAN GroupVPN_X16" <----- error code -1.
-61: set type dynamic
-61: set peertype one
-61: set peerid "GroupVPN"
-61: set authmethod psk
-61: set psksecret "123456"
-61: set dhgrp 2
-61: set mode aggressive
-61: set proposal 3des-sha1
-61: set interface X16
-61: set xauthtype auto
-61: set authusrgrp "VPN Users"
-61: set keylife 28800
-61: next

An error occurs during the upload of the VPN configuration script, so this part of the configuration is not applied. The -651 on 'set interface X1' and the -1 on 'edit "WAN GroupVPN_X16"' point at the two problems below; the -61 codes on the lines that follow the rejected edit are a consequence of that edit failing.

The script needs to be edited and re-uploaded:
There are no interfaces named X1 or X16 on the FortiGate; these should be corrected to port1 and port16.
The VPN phase1 name exceeds the 16-character limit and should be changed from 'WAN GroupVPN_X16' to 'WAN GrpVPN_X16'.

After making the changes above, the script can be uploaded again and the debug output will show it as successful.
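As an added example (not part of the article or of Fortinet's tooling), the following Python parses `diagnose debug cli 8` output of the kind shown above, separates root-cause errors from the -61 lines that cascade after a rejected 'edit', and pre-checks a phase1-interface script for the two problems fixed here. The target's interface list and the 15-character name limit are assumptions; the limit is inferred from the output above, where the 15-character name was accepted and the 16-character name rejected.

```python
import re
# Constructed sample: the failing phase1 section from the article's debug output.
DEBUG_OUTPUT = """\
0: config vpn ipsec phase1-interface
0: edit "WAN GroupVPN_X1"
-651: set interface X1 <----- error code -651.
1: next
-1: edit "WAN GroupVPN_X16" <----- error code -1.
-61: set type dynamic
-61: set interface X16
-61: next
"""
# "<code>: <command>" with an optional trailing "<----- ..." annotation.
LINE_RE = re.compile(r'^\s*(-?\d+):\s*(.*?)\s*(?:<-----.*)?$')

def parse_debug(text):
    """(return_code, command) pairs from `diagnose debug cli 8` output."""
    return [(int(m.group(1)), m.group(2))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_failures(entries):
    """Negative codes are failures. Once an 'edit' is rejected (-1), every line up to
    its 'next' is rejected too (-61); those get cascade=True so the root cause stands out."""
    failures, block, block_failed = [], None, False
    for code, cmd in entries:
        is_edit = cmd.startswith("edit ")
        if is_edit:
            block, block_failed = cmd[5:].strip('"'), code < 0
        if code < 0:
            failures.append({"block": block, "code": code, "cmd": cmd,
                             "cascade": block_failed and not is_edit})
        if cmd == "next":
            block, block_failed = None, False
    return failures

def lint_phase1(script, interfaces, max_name_len=15):
    """Pre-upload check of a phase1-interface script: names must fit max_name_len (assumed
    15, see lead-in) and 'set interface' must name an interface present on the target."""
    problems = []
    for line in (l.strip() for l in script.splitlines()):
        if line.startswith("edit "):
            name = line[5:].strip('"')
            if len(name) > max_name_len:
                problems.append(f"name too long ({len(name)}>{max_name_len}): {name}")
        elif line.startswith("set interface "):
            ifname = line.split(None, 2)[2].strip('"')
            if ifname not in interfaces:
                problems.append(f"unknown interface: {ifname}")
    return problems
```

Running `lint_phase1` on each converted script before uploading, with the interface list taken from the target FortiGate, catches both problems without a failed upload.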

[Screenshot: 2.PNG]
