Troubleshooting FortiGate Configuration Backup Failures Over VPN

Purpose:

Provide guidance for diagnosing and resolving intermittent or failed configuration backups on FortiGate devices when backups are performed over VPN-connected environments in Auvik.


Symptoms

  • Configuration backups fail intermittently
  • Backups previously worked but have stopped
  • Manual login succeeds, but backups do not complete
  • Backup timestamps are outdated or inconsistent

Before You Begin

Confirm the following:

  • The device is discovered in Inventory → Network Devices
  • Valid credentials are configured under Discovery → Manage Credentials
  • SSH access to the FortiGate is working from the Auvik collector

If these checks fail, refer to the general backup troubleshooting article.

Step 1: Verify Interface Access

On the FortiGate device:

  • Ensure SSH (and/or HTTPS if required) is enabled on the interface used over VPN
  • Confirm the correct administrative services are enabled under allowaccess

Step 2: Validate Firewall Policies

  • Ensure firewall policies allow SSH/HTTPS from the Auvik collector IP or subnet
  • Verify:
    • Correct source and destination interfaces
    • Proper policy order
    • Correct VDOM context

Step 3: Check Admin Trusthost Restrictions

If admin accounts use trusthost restrictions:

  • Add the collector IP or subnet to the allowed list

Example location:

config system admin

Step 4: Confirm Routing Over VPN

  • Ensure return traffic is routed back to the collector through the VPN
  • Verify routing tables on both ends of the tunnel
  • Avoid asymmetric routing paths

Step 5: Verify Permissions and VDOM Access

  • Use an account with sufficient privileges:
    • Recommended: super_admin
  • Ensure access to:
    • Global configuration
    • Relevant VDOMs

Step 6: Check VPN Stability and MTU

  • Verify the VPN tunnel is stable (no drops or resets)
  • Check MTU settings:
    • Incorrect MTU can interrupt SSH sessions
  • Enable keepalives if supported

Step 7: Validate Backup Manually

From the Auvik collector:

  1. SSH to the FortiGate over the VPN
  2. Run a configuration command:
    • show
    • show full-configuration

Confirm:

  • The command completes successfully
  • The session does not disconnect

Then:

  • Trigger or wait for a configuration backup in Auvik
  • Confirm the latest backup timestamp updates

Best Practices

  • Deploy an Auvik collector within the remote site when possible
  • Avoid relying on VPN for management traffic
  • Schedule backups during low network utilization periods
  • Keep FortiOS versions up to date