Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Moosi
New Contributor II

Created on ‎08-13-2023 01:34 AM Edited on ‎08-13-2023 01:38 AM

FortiGate SFTP auto backup with zero kb size

8628992.pngHi

I have set up automatic backup to a sftp server (move it transfer), scheduled backup works well and the file is transferring to the server as well. But unfortunately the file's size is zero KB.

Tried manual backup to sftp server by using execute backup command in the cli, but result is same.

Firewall has multiple vdom.

Attached the captured packet screenshot for the reference

 

Thnaks inadvance

 

 

Labels:
798
0 Kudos
2 Solutions
pgautam
Staff
Staff

Created on ‎08-13-2023 04:52 AM

Hi @Moosi 

 

Thank you for updating your query.

 

As per the issue, description SFTP backup schedule back works well however transferred file size is zero.

 

May I know which SFTP platform are you using and what is FortiOS version?

Did you try backup on a different platform? 

 

In the syn packet, we see the MSS 1460 and server-side MSS 1380. For the highlighted data transfer we are not receiving any ack packet from the server side.

 You can reduce the MSS on the FortiGate to avoid fragmentation. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

 

Please follow below reference link to understand the TCP mss behavior 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behavior-of-TCP-MSS-setting-under-system-i...

 

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution

 

 

 

 

View solution in original post

774
0 Kudos
Moosi
New Contributor II

Created on ‎10-17-2023 06:17 AM

@pgautam 

Thanks for your advise and suggestion.

To avoid fragmentation, we matched the FortiGate MSS value to the  SFTP server value 1380 on the firewall port where the backup trafiic is generating.

 

config system interface
    edit "mgmt2"
        set tcp-mss 1380
    next

View solution in original post

567
0 Kudos
4 REPLIES 4
pgautam
Staff
Staff

Created on ‎08-13-2023 04:52 AM

Hi @Moosi 

 

Thank you for updating your query.

 

As per the issue, description SFTP backup schedule back works well however transferred file size is zero.

 

May I know which SFTP platform are you using and what is FortiOS version?

Did you try backup on a different platform? 

 

In the syn packet, we see the MSS 1460 and server-side MSS 1380. For the highlighted data transfer we are not receiving any ack packet from the server side.

 You can reduce the MSS on the FortiGate to avoid fragmentation. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

 

Please follow below reference link to understand the TCP mss behavior 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behavior-of-TCP-MSS-setting-under-system-i...

 

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution

 

 

 

 

775
0 Kudos
Moosi
New Contributor II
In response to pgautam

Created on ‎08-16-2023 06:47 AM

Hi @pgautam

Thanks for the reply

 

SFTP Platform:Move it transfer

FortiOS version:7.2.4

 I tried backup on different platform (ftp server) and it is working fine.

Should i reduce MSS or MTU?

Modifications to MTU or MSS affect the network or user sessions?

752
0 Kudos
pgautam
Staff
Staff
In response to Moosi

Created on ‎08-16-2023 02:30 PM

Hi @Moosi 

 

When you tried backup on a different platform what was the MSS value you observed in the syn and syn+ack packet?

 

When you reduce MSS on the Fortigate it will rewrite the MSS value in the TCP syn packet.

 From the syn+ack packet, we are observing the MSS of server 1380.

To avoid fragmentation you can reduce the MSS in policy. 

Since you will be making changes in the policy configuration in this case session might be marked dirty for the re-evaluation.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dirty-session/ta-p/197748

 

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution

 

744
0 Kudos
Moosi
New Contributor II

Created on ‎10-17-2023 06:17 AM

@pgautam 

Thanks for your advise and suggestion.

To avoid fragmentation, we matched the FortiGate MSS value to the  SFTP server value 1380 on the firewall port where the backup trafiic is generating.

 

config system interface
    edit "mgmt2"
        set tcp-mss 1380
    next

568
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.