Hi there,
I've a VPN connection ready to a datacenter. I connect with Forticlient VPN on my laptop and setup an IPSEC connection to a datacenter which is fine. No I'd like to take the config of a switch in that datacenter and TFTP the config to my laptop.
The switch uses the Fortigate firewall interface address as a default gateway and is physically connected to the firewall. So that rules out routing issues.
So what I do is a copy running-config to TFTP server "Ip address VPN adapter laptop"
This times out obviously. Now in the debug logs I see TFTP traffic in the right direction through the fortifgate firewall.
However, this is SYN only, so there's no return traffic. Could it be that the Forticlient VPN has a built in firewall which doesn't allow TFTP traffic to go back? The same applies to ICPM packet sent but not returned.
Best,
E
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I originally thought it could be something related to fragmentation issues like in discussion below:
https://lists.gt.net/cisco/nsp/159665
But if pinging from the switch side to the laptop you're running a TFTP server doesn't work, that's a different issue since they're much small packets, besides, I'm assuming you're getting in the switch over the same tunnel.
I'm assuming you have a pair of policies to cover both directions into/out of the tunnel on the FG. You probably need to run "flow debug" to see how the ping packets are treated by the FG, if it's going into the tunnel or dropped.
By the way, TFTP is using UDP. So SYN packet you saw was for other traffic. I would expect TFTP write request UDP packet with some options comes out from the switch toward the server first.
Also I would run Wireshark on the laptop side to see the TFTP packets are actually arrivng there.
Hi Toshi, thanks for our answer!
Here's the Fgate debug, Looks like the tftp traffic is finding it's way to the ipsec tunnel:
id=20085 trace_id=127 func=resolve_ip_tuple_fast line=4534 msg="Find an existing session, id-002ab36b, original direction" id=20085 trace_id=127 func=__ip_session_run_tuple line=2644 msg="run helper-tftp(dir=original)" id=20085 trace_id=127 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-BOGUS-VPN_0" id=20085 trace_id=127 func=esp_output4 line=899 msg="encrypting, and send to 1.2.3.4 with source 5.6.7.8" id=20085 trace_id=127 func=ipsec_output_finish line=232 msg="send to 5.6.7.1 via intf-wan1"
Now let's run wireshark on that laptop and find out!
Best,
E
I'm getting this in wireshark..:
28 14.292515 1.2.3.4 5.6.7.8 TFTP 63 Error Code, Code: Access violation, Message: Access violation
Nevermind, it was a credential/homedir TFTP problem. Hard way to find out..
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.