Hi,
I'm trying to schedule a full-config backup from a 40F to an FTP server visible over a site-to-site VPN.
Using this command:
execute backup full-config ftp '/xxx/FGT_%%date%%.txt' 10.3.64.113 user pwd
I receive this output:
"Send config file to ftp server via vdom root failed."
Pinging the server from the FGT does not work, so I did a packet capture for destination IP 10.3.64.113 and found that the FortiGate uses, by default, the wan interface, but in this case that port is disabled and I'm using the A port as the WAN port.
What can I do to route the backup procedure correctly via the site-to-site VPN using the correct tunnel interface?
Hi @birillo ,
What does your routing table look like? Do you have a routing entry for 10.3.64.113 pointing to the IPSec VPN tunnel? If the VPN is interface based, do you have an IP address assigned to it?
For further troubleshooting, it would be better to provide the FGT config and routing table outputs, and the name of the IPSec VPN if you have multiple VPNs.
The configuration is quite basic; I have several firewalls in VPN, all with the same problem.
The routing table has only the 2 classic routes: one to go out to the internet and one for traffic to the "hq" headquarters with subnet 10.0.0.0/8 via the VPN tunnel.
execute ping 10.3.64.113 (the system uses the disabled wan port)
    Source IP: 217.59.xx.xx
    Destination IP: 10.3.64.113
    5 packets transmitted, 0 packets received, 100% packet loss
execute ping 8.8.8.8 (the system uses the A port, which is the actual WAN)
    Source IP: 185.208.xx.xx
    Destination IP: 8.8.8.8
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=7.8 ms
So I tried with "execute ping-options source 10.3.84.254" (firewall lan1 IP):
    64 bytes from 10.3.64.113: icmp_seq=0 ttl=126 time=23.4 ms
And trying "execute backup full-config ftp '/xxx/FGT_%%date%%.txt' 10.3.64.113 user pwd":
    Source IP: 217.59.34.22
    Source Port: 20091
    Destination IP: 10.3.64.113
    Destination Port: 21
    Protocol: TCP
Do you still need the config?
Yes, I still need the config.
It seems that you did not assign an IP to your IPSec VPN interface if your VPN is interface based.
Thanks @dingjerry_FTNT
I have always set phase 2 of the tunnel with the address 0.0.0.0/0.0.0.0, and in fact the problem is exactly this.
I set the correct subnets and now the firewall knows how to reach the destination.
Problem not solved; it worked for one tunnel only.
I also tried to set an IP on the tunnel interface on both sides.
How can I show you the configuration in a safe way?
I have a load of IPSEC VPNs that have phase 2 with selectors on 0.0.0.0/0.0.0.0 and they work fine.
They're all in interface mode and I never assigned an IP to the VPN interface.
All I needed to do was create some policies for the traffic I need to go over the VPN and also some static routes for the subnets behind the other side of the VPN (and of course vice versa).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Created on 11-27-2024 08:27 AM Edited on 11-27-2024 08:28 AM
Exactly like my setup; policies and routes are OK.
Hosts under the LAN interface can reach the destination with no problem.
If I use the FortiGate CLI and try to ping the same destination behind the VPN tunnel, the FortiGate uses its own WAN interfaces (including a WAN port that is actually disabled).
    edit 4
        set name "vpn SF>TG"
        set uuid 2983524e-5319-51ea-8c87-211b2d99a8af
        set srcintf "lan"
        set dstintf "VPN-SF-HQ"
        set srcaddr "SF_NET"
        set dstaddr "NET_TG_HQ" "NET_TSS_HQ"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 5
        set name "vpn TG>SF"
        set uuid 298f6d86-5319-51ea-e810-f4dfed618f36
        set srcintf "VPN-SF-HQ"
        set dstintf "lan"
        set srcaddr "NET_TG_HQ" "NET_TSS_HQ"
        set dstaddr "SF_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
S*      0.0.0.0/0 [1/0] via 81.174.0.21, ppp1
                  [1/0] via 192.168.40.252, lan4
S       10.3.0.0/16 [10/0] is directly connected, VPN-SF-HQ
C       81.174.x.x/32 is directly connected, ppp1
C       84.33.x.x/32 is directly connected, ppp1
C       192.168.40.0/24 is directly connected, lan4
C       192.168.134.0/24 is directly connected, lan
Created on 11-27-2024 08:40 AM Edited on 11-27-2024 08:40 AM
Hi @birillo ,
Could you please share the info of this command?
show system interface "VPN-SF-HQ"
You may mask any sensitive info.
Please also let me know what IP you tried to ping with the issue.
show system interface "VPN-SF-HQ"
config system interface
    edit "VPN-SF-HQ"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set type tunnel
        set snmp-index 5
        set interface "wan"
    next
end
get router info routing-table all | grep VPN-SF-HQ
S 10.3.0.0/16 [10/0] is directly connected, VPN-SF-HQ
The issue is with every IP under 10.3.64.0/23 (I need to reach 10.3.64.113).
Info from diagnose pcap:
2 1.008408 192.168.40.248 10.3.64.113 ICMP 84 Echo (ping) request id=0x0593, seq=1/256, ttl=64 (no response found!)