04-22-2020 11:31 PM
Hi
I have a site to site VPN from Site A to Site B.
Site A : 10.110.11.0/24
Site B : 10.0.0.0/8 Network
Behind Site B's firewall, we have an FTP server (10.x.x.x)
There is a default route on Site A that points to Gateway (ISP's IP address).
I am trying to take a backup of the firewall using the following command:
backup /noconfirm location ftp://username:password@10.x.x.x/backups/
On the monitoring, I get the following logs
6 | Apr 23 2020 | 06:14:50 | 302013 | x.x.x.x (gateway IP) | 22632 | 10.x.x.x | 21 | Built outbound TCP connection 5098542 for outside:10.x.x.x/21 (10.x.x.x/21) to identity:x.x.x.x/22632 (x.x.x.x/22632) |
6 | Apr 23 2020 | 06:15:00 | 302014 | 10.x.x.x | 21 | x.x.x.x | 22632 | Teardown TCP connection 5098542 for outside:10.x.x.x/21 to identity:x.x.x.x/22632 duration 0:00:10 bytes 0 SYN Timeout |
x.x.x.x = gateway IP of Site A's firewall.
I believe traffic can't be initiated from the firewall to the encryption domain; is there a way to take a backup here?
04-23-2020 01:59 AM
04-23-2020 12:30 PM
Thank you.
That did not help.
The connection from the firewall to the FTP server goes fine, then the next log entry is a SYN timeout.
6 | Apr 23 2020 | 19:27:22 | 302014 | 10.x.x.x | 21 | x.x.x.x | 3195 | Teardown TCP connection 5124890 for outside:10.x.x.x/21 to identity:x.x.x.x/3195 duration 0:00:10 bytes 0 SYN Timeout |
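The two log excerpts above can be checked mechanically rather than by eye. Added example, not from this thread or from Cisco: a small Python parser for the pipe-delimited monitoring export format quoted here that correlates the 302013 (Built) and 302014 (Teardown) records by connection id and flags connections the ASA originated itself (source interface `identity`) that ended in a zero-byte SYN Timeout. The addresses (203.0.113.1 for the site A gateway, 10.20.30.40 for the FTP server) and the second, successful connection are constructed sample data.

```python
import re

# Constructed sample in the pipe-delimited export format quoted in the thread:
# severity | date | time | msg id | src | src port | dst | dst port | message.
# 203.0.113.1 stands in for the site A gateway, 10.20.30.40 for the FTP server.
SAMPLE_LOG = """\
6 | Apr 23 2020 | 06:14:50 | 302013 | 203.0.113.1 | 22632 | 10.20.30.40 | 21 | Built outbound TCP connection 5098542 for outside:10.20.30.40/21 (10.20.30.40/21) to identity:203.0.113.1/22632 (203.0.113.1/22632) |
6 | Apr 23 2020 | 06:15:00 | 302014 | 10.20.30.40 | 21 | 203.0.113.1 | 22632 | Teardown TCP connection 5098542 for outside:10.20.30.40/21 to identity:203.0.113.1/22632 duration 0:00:10 bytes 0 SYN Timeout |
6 | Apr 23 2020 | 06:16:10 | 302013 | 10.110.11.5 | 41000 | 10.20.30.40 | 21 | Built outbound TCP connection 5098600 for outside:10.20.30.40/21 (10.20.30.40/21) to inside:10.110.11.5/41000 (10.110.11.5/41000) |
6 | Apr 23 2020 | 06:16:40 | 302014 | 10.20.30.40 | 21 | 10.110.11.5 | 41000 | Teardown TCP connection 5098600 for outside:10.20.30.40/21 to inside:10.110.11.5/41000 duration 0:00:30 bytes 1842 TCP FINs |
"""

# 302013: for an outbound build the "for" tuple is the far end and the "to"
# tuple is the originator; the ASA reports its own traffic on "identity".
BUILT_RE = re.compile(r"Built (inbound|outbound) TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
                      r"\([^)]*\) to (\w+):([\d.]+)/(\d+)")
# 302014: duration, byte count and teardown reason (e.g. "SYN Timeout").
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
                         r"duration (\d+:\d{2}:\d{2}) bytes (\d+)\s*(.*)")


def parse_asa_connections(text):
    """Correlate Built (302013) and Teardown (302014) records by connection id."""
    conns = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 9:
            continue  # not a record in the export format above
        msg_id, body = fields[3], fields[8]
        if msg_id == "302013" and (m := BUILT_RE.search(body)):
            direction, cid, dst_if, dst_ip, dst_port, src_if, src_ip, src_port = m.groups()
            conns[cid] = {"direction": direction, "src_if": src_if, "src": f"{src_ip}:{src_port}",
                          "dst_if": dst_if, "dst": f"{dst_ip}:{dst_port}"}
        elif msg_id == "302014" and (m := TEARDOWN_RE.search(body)):
            cid, duration, nbytes, reason = m.groups()
            conns.setdefault(cid, {}).update(duration=duration, bytes=int(nbytes), reason=reason.strip())
    return conns


def firewall_sourced_failures(conns):
    """Ids of connections the ASA itself opened that timed out on SYN with 0 bytes:
    the SYN left, but no SYN/ACK came back, so the problem is the path for the
    firewall's own address (routing, crypto ACL coverage, NAT), not the FTP service."""
    return sorted(cid for cid, c in conns.items()
                  if c.get("src_if") == "identity" and c.get("bytes") == 0
                  and c.get("reason") == "SYN Timeout")
```

Running it over a real export separates firewall-originated failures from ordinary client traffic to the same server, which is the distinction the thread is circling around.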
04-23-2020 12:39 PM
04-23-2020 01:06 PM - edited 04-23-2020 02:48 PM
Does it establish an IPSec SA for that communication? : Yes
Have you defined a rule in the ACL permitting this communication? : Yes
Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed; ensure you have a NAT exemption rule in place.
I added the public IP to NAT exemption.
Packet tracer : Please let me know the parameters for packet tracer.
04-27-2020 05:04 AM
Bump!
Any hint please?