Issues with incomplete configuration downloads

[pitah81]

Describe the bug We're having issues with configuration download of a FortiGate firewall. The download runs and we get a partial download ending around line 9600 of the configuration.

To Reproduce Steps to reproduce the behavior: Add firewall device using the standard FortiGate no enable template and using default port 22 and credentials Run manual or scheduled backup using "show" command No error, the configuration just ends abruptly at around line 9600. Running debug cli command ends with "successful", however the download is still incomplete

Expected behavior A complete configuration download which is around 60000 lines. Doing a backup from FortiGate ends in bigger configuration file as some longer parts like certificates and such gets broken into multiple lines which is not the case with rConfig backup files.

rConfig Version Information (You can copy this from the rConfig dashboard): OS VERSION Rocky 9.3 PHP / LARAVEL VERSION 8.3.6 / 10.348.8 REDIS VERSION 6.2.7 MYSQL VERSION 15.1

**Logs info (can be retrieved from /var/www/html/rconfig6/storage/logs - try to paste relevant logs only) Strangely enough, latest changed log file is laravel.log dated yesterday. Doesn't manual initiated downloads get logged?

Additional context Are there any limits to size of downloaded configuration files, php process memory allocation or in Laravel? I've added more RAM to the rConfig server, so there's plenty of headroom, however problem stays.

[pitah81]

Downloads from other FortiGate firewalls with less configuration data succeeds, so it's only with this device that has a very large configuration base that we're having this issue.

[stephenstack]

Hi

Sounds like a timeout issue, perhaps on the queue. Few things to try, first update the queuing default timeout. In rConfig Pro 7 we have it set to one day. Edit the .env file and change HORIZON_PROD_TIMEOUT to 86400

You must run a the following when editing the env file. php artisan rconfig:clear-all

Try it again.

Also, running a debug (copy this from the button on the devices page, and copy to CLI), bypasses the queue completely, try that also.

[pitah81]

Hi, I changed the HORIZON_PROD_TIMEOUT to 86400 as you recommended and ran php artisan rconfig:clear-all as you suggested. However the download completes rather quickly taking only a couple of seconds to complete, and the result is still incomplete ending at line 9549 in the "config certificate local" segment of the configuration with this line being the last one.

"9549 set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

Running the debug cli command runs without giving error, and these are the last segments of that output.

"\r\n <- NET_SSH2_MSG_CHANNEL_DATA (since last: 0.0001, network: 0s)\r\n 00000000 00:00:00:02:00:00:00:71:20:20:20:20:20:20:20:20 .......q \r\n 00000010 73:65:74:20:63:6f:6d:6d:65:6e:74:73:20:22:54:68 set comments "Th\r\n 00000020 69:73:20:63:65:72:74:69:66:69:63:61:74:65:20:69 is certificate i\r\n 00000030 73:20:65:6d:62:65:64:64:65:64:20:69:6e:20:74:68 s embedded in th\r\n 00000040 65:20:68:61:72:64:77:61:72:65:20:61:74:20:74:68 e hardware at th\r\n 00000050 65:20:66:61:63:74:6f:72:79:20:61:6e:64:20:69:73 e factory and is\r\n 00000060 20:75:6e:69:71:75:65:20:74:6f:20:74:68:69:73:20 unique to this \r\n 00000070 75:6e:69:74:2e:20:22:0d:0a unit. "..\r\n \r\n """ Start device download for fk-fw01 ID:16 Config downloaded for fw01 with command: "show" was successful End rconfig:download-device"

What could be causing this? If I ssh into the firewall using putty with same user account and run "show", it prints out the complete configuration, with some output lags/pauses of around 0.5 seconds here and there.

[stephenstack]

OK, thanks for trying those steps. Can you let me know one more thing. What prompts do you have configured for this device in the UI?

[pitah81]

Sure, the prompts are "fk-fw01 #" and "fk-fw01 >", and as this firewall is part of HA the current active prompt is "fk-fw01a #", however changing prompt to match current active doesn't seem to make any difference.

[stephenstack]

Ok, maybe we can help with a short live troubleshooting session there's only a couple of things it can be, and we can feedback results here. Ping info@rconfig.com to set that up.

[stephenstack]

Can you check the logs files in /var/www/html/rconfig/storage/logs. Run the download and check the latest for any errors. Also, check the application logs under settings. I'm starting to sense, given the size of some of these, it might be a max memory issue.

[pitah81]

I checked the log files in /var/www/html/rconfig/storage/logs and there's no errors reported in any of the log files after running both manual backup of the device and doing a force on the backup schedule which includes the devices. Same as before, I get a backup of 475KB which does not contain the entire device backup. Doing a manual backup inside the firewall ends in a configuration file of 2376KB.

[stephenstack]

Thanks peter, its not clear why the download stops consistently at this line. Can you send a copy of the template, and the debug output to support@rconfig.com?

[andre-falcao92]

Hi

Sounds like a timeout issue, perhaps on the queue. Few things to try, first update the queuing default timeout. In rConfig Pro 7 we have it set to one day. Edit the .env file and change HORIZON_PROD_TIMEOUT to 86400

You must run a the following when editing the env file. php artisan rconfig:clear-all

Try it again.

Also, running a debug (copy this from the button on the devices page, and copy to CLI), bypasses the queue completely, try that also.

I had this issue on Fortinet devices. Turns out it was indeed a timeout issue as Stephen mentioned. What worked for me was setting the timeout value to '15 seconds' on the template itself.

[stephenstack]

closing this as resolved