Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- issue sending backup to ftp server
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
issue sending backup to ftp server
Hi,
I'm trying to schedule a full-config backup, from a 40F to a ftp server visible on vpn s2s.
using this command:
execute backup full-config ftp '/xxx/FGT_%%date%%.txt' 10.3.64.113 user pwd
I receive this output:
"Send config file to ftp server via vdom root failed."
ping from fgt to the server not working, so I did a packet capture for destination ip 10.3.64.113 and I found that the Fortigate use, by default, the wan interface, but in this case that port is disabled and I'm using A port as a Wan port.
what can i do to route the backup procedure correctly via vpn s2s using the correct tunnel-interface?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @birillo ,
How does your routing table look like? Do you have a routing entry for 10.3.64.113 pointing to the IPSec VPN tunnel? If the VPN is interface based, do you have IP address assigned to it?
So for further troubleshooting, better to provide the FGT config and routing table outputs and the name of the IPSec VPN if you have multiple VPNs.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the configuration is quite basic, I have several firewalls
in vpn all with the same problem.
the routing table has only the 2 classic routes, one to go out on the internet and one for traffic to the "hq" headquarters with subnet 10.0.0.0/8 via vpn tunnel.
execute ping 10.3.64.113 (system uses the wan port disabled)
| Source IP | 217.59.xx.xx |
| Destination IP | 10.3.64.113 |
5 packets transmitted, 0 packets received, 100% packet loss
execute ping 8.8.8.8 (system uses A port that is the actual wan)
| Source IP | 185.208.xx.xx |
| Destination IP | 8.8.8.8 |
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=7.8 ms
so I tried with "execute ping-options source 10.3.84.254" (firewall lan1 ip)
64 bytes from 10.3.64.113: icmp_seq=0 ttl=126 time=23.4 ms
and trying "execute backup full-config ftp '/xxx/FGT_%%date%%.txt' 10.3.64.113 user pwd"
| Source IP | 217.59.34.22 |
| Source Port | 20091 |
| Destination IP | 10.3.64.113 |
| Destination Port | 21 |
| Protocol | TCP |
do you still need the config?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I still need the config.
It seems that you did not assign an IP to your IPSec VPN interface if your VPN is interface based.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @dingjerry_FTNT
I have always set phase 2 of the tunnel with the address 0.0.0.0/0.0.0.0 and in fact the problem is exactly this.
set the correct subnets and now the firewall knows how to reach the destination
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
problem not solved, It worked to one tunnel only.
I also tried to set ip to tunnel interface on both side.
How can I show you the configuration in a safe mode?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a load of IPSEC VPNs that have phase2 with selectors on 0.0.0.0/0.0.0.0 and they work fine.
They're all in interface mode and I never assigned an ip to the vpn interface.
All I needed to do was to create some policy for the traffic I need to go over the vpn and also some static route for subnets behind the other side of the VPN (and of course vice versa).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Created on 11-27-2024 08:27 AM Edited on 11-27-2024 08:28 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly like my setup. policy and routes are ok.
Hosts under lan interface can reach destination with no problem.
If I use fortigate cli and I try to ping the same destination under vpn tunnel, fortigate uses its own wan interfaces (also a wan port actualy disabled)
edit 4
set name "vpn SF>TG"
set uuid 2983524e-5319-51ea-8c87-211b2d99a8af
set srcintf "lan"
set dstintf "VPN-SF-HQ"
set srcaddr "SF_NET"
set dstaddr "NET_TG_HQ" "NET_TSS_HQ"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 5
set name "vpn TG>SF"
set uuid 298f6d86-5319-51ea-e810-f4dfed618f36
set srcintf "VPN-SF-HQ"
set dstintf "lan"
set srcaddr "NET_TG_HQ" "NET_TSS_HQ"
set dstaddr "SF_NET"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
S* 0.0.0.0/0 [1/0] via 81.174.0.21, ppp1
[1/0] via 192.168.40.252, lan4
S 10.3.0.0/16 [10/0] is directly connected, VPN-SF-HQ
C 81.174.x.x/32 is directly connected, ppp1
C 84.33.x.x/32 is directly connected, ppp1
C 192.168.40.0/24 is directly connected, lan4
C 192.168.134.0/24 is directly connected, lan
Created on 11-27-2024 08:40 AM Edited on 11-27-2024 08:40 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @birillo ,
Could you please share the info of this command?
show system interface "VPN-SF-HQ"
You may mask any sensitive info.
Please also let me know what IP you tried to ping with the issue.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
show system interface "VPN-SF-HQ"
config system interface
edit "VPN-SF-HQ"
set vdom "root"
set ip 0.0.0.0 255.255.255.255
set type tunnel
set snmp-index 5
set interface "wan"
next
end
get router info routing-table all | grep VPN-SF-HQ
S 10.3.0.0/16 [10/0] is directly connected, VPN-SF-HQ
issue with every ip under 10.3.64.0/23 (I need to reach 10.3.64.113)
info from diagnose pcap
2 1.008408 192.168.40.248 10.3.64.113 ICMP 84 Echo (ping) request id=0x0593, seq=1/256, ttl=64 (no response found!)
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,607 -
FortiClient
1,735 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
468 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
234 -
Fortiweb
203 -
IPsec
201 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.