Execute Backup does not reach a remote site connected by ipsec.
I am having a problem running an automation to back up my computer. I want to send the backup to an SFTP server of a remote branch, connected to the FortiGate equipment from which I make the backup, and it is as if it did not arrive. If I do a ping it arrives, but I have to specify the source. Does anyone have any idea how I can fix it?
The traffic and routes are allowed on both sides. But when I launch the "execute backup" it doesn't arrive. When pinging I have to add the source option to allow the traffic.
Packet Trace #7,2024/08/06 15:59:27,"vd-root:0 received a packet(proto=6, 181.14.198.42:6817->10.1.4.121:22) tun_id=0.0.0.0 from local. flag [S], seq 4203643946, ack 0, win 65535"
Packet Trace #7,2024/08/06 15:59:27,"Find an existing session, id-060b7b91, original direction"
Packet Trace #7,2024/08/06 15:59:27,"enter IPSec interface VPN_IPSec1, tun_id=0.0.0.0"
Packet Trace #7,2024/08/06 15:59:27,output to IPSec tunnel VPN_IPSec1 vrf 0
Packet Trace #7,2024/08/06 15:59:27,"No matching IPsec selector, drop"
Hi Lucas, sometimes it is necessary to configure an IP address on the IPsec tunnel interfaces for this configuration to work. See the KB below:
Technical Tip: Configure automation backup over IPsec tunnel
Hello @Lucas1,
Please review https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-tunnel-errors-due-to-traff... as your debug says "No matching IPsec selector, drop", which means phase-2 configurations aren't matching on both sides. Make sure all phase-2 configurations match on the local and remote firewall devices.
Thanks,
Ronak Patel
Excellent. This is the answer I was looking for. I will give it a try and see how it goes. Thank you very much.
Hi Lucas,
If the Backup server is hosted across the IPsec Tunnel, then you will need to define a source IP address on the FortiGate from where the backup is being initiated. Here is an article that would provide further details regardless of the backup services vendor:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Auvik-backup-fails-while-Auvik-serve...
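Added example, not part of the thread and not Fortinet code: a small Python check that parses the packet trace from the original post and tests the flow against phase-2 selectors, showing why a self-originated packet sourced from 181.14.198.42 is dropped while the same connection sourced from an address inside a selector would pass. The selector subnets and the 10.1.1.1 source are constructed assumptions; substitute the values from your own phase-2 configuration.

```python
import ipaddress
import re

# Two trace lines copied from the original post (FortiGate packet trace output).
TRACE = '''Packet Trace #7,2024/08/06 15:59:27,"vd-root:0 received a packet(proto=6, 181.14.198.42:6817->10.1.4.121:22) tun_id=0.0.0.0 from local. flag [S], seq 4203643946, ack 0, win 65535"
Packet Trace #7,2024/08/06 15:59:27,"No matching IPsec selector, drop"'''

# Constructed phase-2 selectors as (local subnet, remote subnet); NOT from the page.
SELECTORS = [("10.1.1.0/24", "10.1.4.0/24")]

FLOW_RE = re.compile(
    r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)(.*?from local)?"
)

def parse_flow(trace):
    """Return the first flow found in the trace as a dict, or None."""
    m = FLOW_RE.search(trace)
    if not m:
        return None
    return {"proto": int(m.group(1)), "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5)),
            "from_local": m.group(6) is not None}

def matching_selector(src, dst, selectors):
    """Return the first (local, remote) selector covering src and dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None

def diagnose(trace, selectors):
    """Classify the flow: ok, local-source-outside-selector, selector-mismatch."""
    flow = parse_flow(trace)
    if flow is None:
        return "no-flow"
    if matching_selector(flow["src"], flow["dst"], selectors) is not None:
        return "ok"
    # Traffic generated by the firewall itself takes the egress interface
    # address as source unless a source IP is configured.
    if flow["from_local"]:
        return "local-source-outside-selector"
    return "selector-mismatch"

if __name__ == "__main__":
    print(parse_flow(TRACE))
    print("as captured:", diagnose(TRACE, SELECTORS))
    # Same flow with a constructed source address inside the local selector.
    print("with source 10.1.1.1:", diagnose(TRACE.replace("181.14.198.42", "10.1.1.1"), SELECTORS))
```
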
