Hello,
We have some FortiGate 30D units in our branch offices; they are connected to our HQ FortiGate (IPsec tunnel with an active policy route to route all traffic through the VPN tunnel). Routing is working fine in the branch offices.
Now I have created a script for daily backups (export full-config to a TFTP server).
The script is working fine, but only in HQ. All 30D devices are getting a timeout, see attachment.
Could someone tell me why the remote HQ network 172.16.0.0/16 is not reachable when I'm using the FGT CLI?
Thanks and regards
The unit is probably sending the traffic outside of the IPsec tunnel. You will probably need to run diag sniffer packet <tunnel name> "port 69" when your script is firing off.
Ken
PCNSE
NSE
StrongSwan
I have just sniffed the UDP traffic on the VPN tunnel while the command "exe backup full-config tftp /FortiGate/Backups/FGT03/FGT30D_DialyAutoBackup.conf 172.16.2.32" was running.
The logical interface (IP 10.255.255.6) tried to connect to the TFTP server through the VPN tunnel.
FGT03 # diagnose sniffer packet VPNPBG "udp" 4
interfaces=[VPNPBG]
filters=[udp]
2.526117 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000  4500 0059 3421 0000 4011 8e3d 0aff ff06  E..Y4!..@..=....
0x0010  ac10 0220 042d 0045 0045 9648 0002 2f46  .....-.E.E.H../F
0x0020  6f72 7469 4761 7465 2f42 6163 6b75 7073  ortiGate/Backups
0x0030  2f46 4754 3033 2f46 4754 3330 445f 4469  /FGT03/FGT30D_Di
0x0040  616c 7941 7574 6f42 6163 6b75 702e 636f  alyAutoBackup.co
0x0050  6e66 006f 6374 6574 00                   nf.octet.
7.522582 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000  4500 0059 3422 0000 4011 8e3c 0aff ff06  E..Y4"..@..<....
0x0010  ac10 0220 042d 0045 0045 9648 0002 2f46  .....-.E.E.H../F
0x0020  6f72 7469 4761 7465 2f42 6163 6b75 7073  ortiGate/Backups
0x0030  2f46 4754 3033 2f46 4754 3330 445f 4469  /FGT03/FGT30D_Di
0x0040  616c 7941 7574 6f42 6163 6b75 702e 636f  alyAutoBackup.co
0x0050  6e66 006f 6374 6574 00                   nf.octet.
12.522583 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000  4500 0059 3423 0000 4011 8e3b 0aff ff06  E..Y4#..@..;....
0x0010  ac10 0220 042d 0045 0045 9648 0002 2f46  .....-.E.E.H../F
0x0020  6f72 7469 4761 7465 2f42 6163 6b75 7073  ortiGate/Backups
0x0030  2f46 4754 3033 2f46 4754 3330 445f 4469  /FGT03/FGT30D_Di
0x0040  616c 7941 7574 6f42 6163 6b75 702e 636f  alyAutoBackup.co
0x0050  6e66 006f 6374 6574 00                   nf.octet.
17.522585 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000  4500 0059 3424 0000 4011 8e3a 0aff ff06  E..Y4$..@..:....
0x0010  ac10 0220 042d 0045 0045 9648 0002 2f46  .....-.E.E.H../F
0x0020  6f72 7469 4761 7465 2f42 6163 6b75 7073  ortiGate/Backups
0x0030  2f46 4754 3033 2f46 4754 3330 445f 4469  /FGT03/FGT30D_Di
0x0040  616c 7941 7574 6f42 6163 6b75 702e 636f  alyAutoBackup.co
0x0050  6e66 006f 6374 6574 00                   nf.octet.
22.522586 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61
0x0000  4500 0059 3425 0000 4011 8e39 0aff ff06  E..Y4%..@..9....
0x0010  ac10 0220 042d 0045 0045 9648 0002 2f46  .....-.E.E.H../F
0x0020  6f72 7469 4761 7465 2f42 6163 6b75 7073  ortiGate/Backups
0x0030  2f46 4754 3033 2f46 4754 3330 445f 4469  /FGT03/FGT30D_Di
0x0040  616c 7941 7574 6f42 6163 6b75 702e 636f  alyAutoBackup.co
0x0050  6e66 006f 6374 6574 00                   nf.octet.
I also tried it with a new test policy, but it is still not working.
SRC Interface: ANY | SRC IP: 10.255.255.6 | DST Interface: VPNPBG | DST IP: ALL | SRV: ALL
Does someone know what to do?
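A way to decode the verbose sniffer line above offline, as an added example that is not part of the post or of any Fortinet tool: it parses the IPv4 and UDP headers and the TFTP request inside the hex dump, confirming that the write request is sourced from the tunnel interface IP 10.255.255.6 toward 172.16.2.32:69, and checks whether that source falls inside a phase2 local selector (the selector 192.168.10.0/24 is a hypothetical branch LAN, not a value from the thread).

```python
import ipaddress
import re
import socket
import struct

# Constructed sample: the first WRQ packet from the post's sniffer output, flattened onto one line.
SNIFFER_LINE = (
    "2.526117 VPNPBG -- 10.255.255.6.1069 -> 172.16.2.32.69: udp 61 "
    "0x0000 4500 0059 3421 0000 4011 8e3d 0aff ff06 E..Y4!..@..=.... "
    "0x0010 ac10 0220 042d 0045 0045 9648 0002 2f46 .....-.E.E.H../F "
    "0x0020 6f72 7469 4761 7465 2f42 6163 6b75 7073 ortiGate/Backups "
    "0x0030 2f46 4754 3033 2f46 4754 3330 445f 4469 /FGT03/FGT30D_Di "
    "0x0040 616c 7941 7574 6f42 6163 6b75 702e 636f alyAutoBackup.co "
    "0x0050 6e66 006f 6374 6574 00 nf.octet."
)
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def sniffer_hex_to_bytes(line):
    """Collect the hex words after each 0xNNNN offset, skipping the ASCII column."""
    out = bytearray()
    for m in re.finditer(r"0x[0-9a-f]{4}((?: [0-9a-f]{2,4}\b){1,8})", line):
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_tftp_request(raw):
    """Walk the IPv4 and UDP headers and decode the TFTP request they carry."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", raw, 2)[0]
    if raw[9] != 17:                               # IPv4 protocol field: 17 = UDP
        raise ValueError("not a UDP packet")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, ulen = struct.unpack_from("!HHH", raw, ihl)
    payload = raw[ihl + 8:ihl + ulen]              # UDP length counts its own 8-byte header
    opcode = struct.unpack_from("!H", payload, 0)[0]
    info = {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "ip_len": total_len, "opcode": TFTP_OPCODES.get(opcode, opcode)}
    if opcode in (1, 2):                           # RRQ/WRQ body: filename NUL mode NUL
        filename, mode = payload[2:].split(b"\x00")[:2]
        info["filename"], info["mode"] = filename.decode(), mode.decode()
    return info

def source_matches_selector(info, local_selector):
    """True when the packet source lies inside a phase2 local selector (CIDR string)."""
    return ipaddress.ip_address(info["src"]) in ipaddress.ip_network(local_selector)

if __name__ == "__main__":
    pkt = decode_tftp_request(sniffer_hex_to_bytes(SNIFFER_LINE))
    print(pkt)
    # 192.168.10.0/24 is a hypothetical branch LAN; the post does not name the real selector.
    print("source inside selector:", source_matches_selector(pkt, "192.168.10.0/24"))
```

A False result for the branch LAN selector is the mismatch Toshi describes later in the thread: the request leaves from the tunnel interface address, which the phase2 selectors do not cover, so either that address must be added to the selectors or the backup must be sourced from a covered interface.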
Hi
I am also facing the same problem. We want to take the configuration backup on an AWS instance.
Between AWS and my office we have a site-to-site VPN tunnel.
I am able to ping the AWS instance over the VPN from my laptop, and the same from AWS to the laptop, but from the firewall, if I execute ping x.x.x.x, AWS is not pingable until I use the source command and provide the source IP.
Now I want to take a configuration backup of the FortiGate firewall using the command
execute backup config tftp <backup_filename> <tftp_servers> <password>
The backup configuration is not executing over the site-to-site VPN,
but on the other hand the same command is working for my LAN TFTP server.
The original post was about going over a site-to-site VPN, and the source/IPsec interface IP was 10.255.255.6. Probably it was not included in the phase2 network selectors to go into the tunnel.
I don't know AWS's VPNs, but is it allowing traffic sourced from the VPN interface IP? You can check it if you set the ping-option source to be the interface IP (169.something?) toward the TFTP server. If you can't, you probably want to ask AWS support for help.
Toshi