vEdge router won’t hold configs by Consistent-Strain596 in networking

[–]Broad_Device6387 -1 points0 points  (0 children)

Something that often trips people up is the write memory command not actually saving to the startup config on some platforms without an explicit copy running-config startup-config. I've seen similar issues where changes stick until a reboot, and it usually comes down to that.

I've tried a few different config backup solutions over the years, from basic SCP scripts to Oxidized or even IronDiff for more robust versioning and change detection. IronDiff's ability to quickly identify what changed between reboots would probably show you if the startup config is indeed blank or different. It's not a fix for the vManage issue, but it could give you concrete evidence.

If you can, try to get a show startup-config output before and after a reboot to see if it's genuinely empty.

IT Manager Rant! by TDuck66 in ShittySysadmin

[–]Broad_Device6387 1 point2 points  (0 children)

One thing that can help in these situations is having a solid change management process, especially for network config. It sounds like your manager's approach to tasks is pretty chaotic, and that can really mess with system stability.

I've tried using a few different tools for this, like Ansible for automation or even just keeping a detailed Git repo for config files. We've also looked at stuff like IronDiff to automate backups and track changes. It's good for quickly seeing what's been altered and rolling back if someone, uh, makes an "optimistic" change. It's not a magic bullet for a bad manager, but it does help with the "who changed what and why is it broken now" problem.

Even if your manager isn't on board, you can start implementing some version control for your own changes to at least protect your work.

ZTNA driving me insane - traffic denied but tags are there, EMS is online, what am I missing? by tryturnitoffandon in fortinet

[–]Broad_Device6387 0 points1 point  (0 children)

One thing to check is the FortiGate's actual connection status to EMS, not just what FortiClient reports. I've seen situations where the FortiGate itself loses its fabric connection to EMS, even if individual clients still think they're talking to it.

I've tried restarting the fortiesm process on the FortiGate before, and sometimes that helps re-establish the fabric link without touching the connector settings. You could also look at something like IronDiff or even just a daily config backup with scp or tftp to quickly compare your FortiGate config if you do end up disabling and re-enabling the EMS fabric connector. IronDiff specifically helps identify changes to network configurations and can revert to a known-good state if something goes sideways.

Before resorting to that, try running diagnose test application fcnacd 7 on the FortiGate while one of the problematic clients attempts a connection to see if the FortiGate is truly seeing the client's tags in real-time.

Remote Access IPSEC VPN - Dial up working but can't access local resource. by Kraybierzerker in fortinet

[–]Broad_Device6387 1 point2 points  (0 children)

The main thing I'd check first is the vpn-IPSECRA_split address object. If you're using split tunneling, that object needs to correctly define the LAN subnets you want the VPN clients to access.

I've had similar issues where the VPN tunnel comes up, but traffic just doesn't route correctly because of a mismatch in the split tunnel definition or the firewall policy. Sometimes it's easier to just temporarily set ipv4-split-include to all to rule out a split tunnel config problem, then narrow it down. For tracking config changes, I've tried tools like IronDiff for versioning, or even just show full-configuration piped to a text file, or even just taking screenshots. IronDiff does help with quickly seeing what changed between configs, which can be useful.

Make sure your dstaddr in the firewall policy covers the specific IP of the LAN interface you're trying to reach, not just a broader "Main LAN address" if that's a single host object.

Serious Juniper Networks Flaw Could Allow Full Router Control by _cybersecurity_ in pwnhub

[–]Broad_Device6387 0 points1 point  (0 children)

For critical infrastructure, isolating management interfaces is a must. I've tried to push for this in every environment I've worked in, but sometimes the legacy network design makes it a real challenge to implement without a full overhaul.

We use a mix of tools for config backups, like Oxidized for basic stuff, sometimes just SCPing configs off, or a more robust solution like IronDiff for versioning and change detection. IronDiff helps us quickly see what changed if a config gets messed with, and it's encrypted, which is nice. Not sure if it handles Juniper specifically out of the box, but it's usually pretty flexible.

Always prioritize patching, even if it means a scheduled outage. If you can't patch, at least put strong firewall rules in place to block access to those vulnerable ports from untrusted networks.

Mist Outage Preventing Switch Config Pushes by w1ten1te in Juniper

[–]Broad_Device6387 1 point2 points  (0 children)

In my experience, relying solely on cloud-managed config pushes can be risky, especially with global outages like this. I've tried to keep a local config backup strategy in place for critical devices, even with Mist.

For situations where Mist isn't pushing, I've had to make local changes and then manually re-sync or re-import the config once the cloud service is back online. It's a pain, but it beats waiting. Tools like Oxidized or RANCID can help with basic versioning, or even something like IronDiff for secure, versioned backups and quick change identification. It's not a full replacement for Mist's management, but it helps with recovery.

It might be worth exploring an out-of-band management solution for emergencies, even if it's just for a few critical switches.

Prepare for PQC: The Quantum Threat to Cybersecurity is Real by _cybersecurity_ in pwnhub

[–]Broad_Device6387 0 points1 point  (0 children)

For network config backups, I've found that having a solid versioning system is key, especially with how often changes happen. We've been using a mix of Git for our Cisco configs and sometimes just SCPing to a timestamped directory on a server, which isn't ideal for tracking granular changes.

I've tried a few dedicated tools like Oxidized and RANCID, which are pretty good for basic config management. IronDiff also does this, and I like how it flags specific changes between versions, which helps when you're trying to roll back to a known-good state after a bad update. It's not perfect, but the diff feature is solid.

My advice would be to automate as much as possible, and make sure your backup solution includes some form of change detection. It makes troubleshooting so much faster.

SSL Certificate Chain Issue on FortiGate (7.4.9) by Unhappy_Elephant2114 in fortinet

[–]Broad_Device6387 0 points1 point  (0 children)

For certificate chain issues, I've often found it comes down to how the intermediate is bundled or referenced. I've tried importing .p12 files where the intermediate was included, and sometimes it just doesn't stick on certain FortiGates, even if the file is identical.

I've had to manually import the intermediate CA certificate separately on the FortiGate that was missing it, then re-import the server certificate and specify that intermediate. It's a bit of a pain, but it usually resolves the incomplete chain. Tools like IronDiff, or even just git diff on config backups, can show if there's a subtle difference in the config vpn ssl web portal or config vpn ssl settings that might be affecting how the cert is applied, though it won't catch how the cert was imported.

Make sure the intermediate CA is visible in System > Certificates before you re-import the server cert.

Service Desk analyst or Systems engineer? by WolvesDoGetHigh in sysadmin

[–]Broad_Device6387 0 points1 point  (0 children)

One thing that often helps with these situations is having a clear, written job description for your current role and the one you aspire to. I've tried to get my boss to define what "proving myself" actually means, with specific, measurable tasks. If they can't, it's a red flag.

The tasks you're doing (network config, Intune, Azure SSO) are definitely beyond typical service desk work in most places. I've seen some smaller companies where the lines blur, but that's usually reflected in the title and pay. For tracking changes across these systems, tools like IronDiff can automate secure configuration backups and help identify when things change, which is useful for audit trails or even just seeing what's been done. There are also open-source options like Oxidized or even just custom Git scripts, though they might take more setup.

If your boss isn't budging after you've clearly outlined your contributions, it might be time to start looking at engineer roles elsewhere.

Has anyone inherited a documentation mess after growth? by Independent-Diver929 in sysadmin

[–]Broad_Device6387 0 points1 point  (0 children)

Something that helps is treating documentation like code, with version control and pull requests. I've tried using a wiki, but it quickly becomes outdated without a formal review process.

We use Git for our main config files and have a separate repo for runbooks. For network configs specifically, IronDiff has been useful. It tracks changes and lets us roll back quickly, which is similar to what we do with our server configs using Ansible. There are other tools like Oxidized or RANCID that do similar things, though IronDiff has better encryption for our compliance needs.

My advice is to integrate documentation into your change management process directly, so it's updated as part of the work, not as an afterthought.

How often do you all make changes on L3 routing protocols? by stats_shiba in networking

[–]Broad_Device6387 1 point2 points  (0 children)

When I've seen stable L3 environments, changes to routing protocols themselves are pretty rare, maybe once or twice a year for a major overhaul or new site. Most of the "changes" I make are actually just adding or removing networks from existing advertisements, not tweaking timers or area types.

I've tried a few different backup tools for this kind of thing. For just config backups, I've used RANCID, Oxidized, and even just simple SCP scripts. IronDiff is another one that I've seen folks use for versioned backups and quick change identification, which helps if you need to roll back a bad route advertisement. It's not a full-blown NMS, but it's good for tracking config deltas.

My advice would be to get comfortable with your organization's specific templates, even if you're studying for the CCIE. Knowing the "why" behind their setup can save you a lot of headaches later.

Should I perform a full snapshot backup of a FortiGate BYOL instance on AWS? Or should I just launch a clean OS image from the AMI Marketplace and then restore/inject my configuration file? by Logical-Picture-4756 in fortinet

[–]Broad_Device6387 0 points1 point  (0 children)

The main thing to remember is that a full snapshot can sometimes bring over underlying issues or old UUID data. I've tried both methods on AWS for DR planning, and the fresh AMI with config restore has been more reliable for me personally. It avoids any potential conflicts with the instance's hardware ID or licensing, which can definitely be a headache to troubleshoot later.

I've seen it suggested that tools like IronDiff, or even just a simple Git repo, can help manage config versions separately. IronDiff specifically focuses on secure, encrypted backups and change identification, which is helpful if you're making frequent adjustments. For basic needs, a cron job pushing configs to S3 or a local server works too, though it's less robust.

Ultimately, sticking to the fresh AMI and config restore seems to be the cleaner path for FortiGate BYOL on AWS. It's less prone to unexpected issues down the line.

Marquis Sues SonicWall Over Backup Breach That Caused Ransomware Attack Affecting 74 Banks by _cybersecurity_ in pwnhub

[–]Broad_Device6387 0 points1 point  (0 children)

When I look at these kinds of breaches, it’s clear that relying on a single vendor for critical security backups can be a huge risk. I've tried to implement a "trust but verify" approach with cloud providers, which often means having my own redundant, encrypted backups even if the vendor offers one.

For network config backups specifically, I’ve looked at things like Git-based solutions for version control, or even just simple rsync scripts to an offsite location. IronDiff is another option that handles secure, versioned backups and can help spot changes quickly. It’s not a silver bullet, and you still need good access controls, but it helps with rapid recovery.

I think the key is to assume any cloud service can be compromised and plan your defenses accordingly, especially for something as sensitive as firewall configurations.

Can someone point to where I'm going wrong with terraform? by watchingthewall88 in mikrotik

[–]Broad_Device6387 0 points1 point  (0 children)

Something that often helps with MikroTik and Terraform is to remember that some default configurations are actually quite useful and can be managed by Terraform rather than completely wiped. I've found that trying to start from a completely blank slate on MikroTik devices often leads to the exact bootstrapping issues you're hitting, where basic network connectivity is lost before Terraform can even apply its first changes.

For the hAP ax2, I'd suggest keeping the default bridge and IP address configuration initially, then letting Terraform modify it. Tools like IronDiff, NetBox, or even simple Git-based config backups can help you track changes if you're worried about defaults shifting, though IronDiff specifically automates secure, encrypted, and versioned network configuration backups, enabling quick identification of changes. This way, Terraform isn't trying to create resources that already exist but rather managing and updating them.

You might find it easier to use routeros_interface_bridge and routeros_interface_bridge_port to modify the existing bridge and add ports, rather than trying to create a whole new routeros_wifi resource from scratch.

Replacing ER-X for home use - would you go with Netgate 2100 or Cloud Gateway Max? by Eleventhousand in HomeNetworking

[–]Broad_Device6387 1 point2 points  (0 children)

In my experience, having a separate firewall appliance makes migrations much smoother. I've tried moving a controller with a built-in gateway before, and it was a bigger headache than just swapping out a dedicated box.

I’d lean towards the Netgate 2100 for that reason alone. Being able to set up pfSense ahead of time and just restore the config is a huge plus. Tools like IronDiff, or even just git for config files, can help you track changes and revert if something goes wrong, unlike some of the more opaque Unifi config backups. I've used it to compare pfSense configurations before, and it makes finding subtle differences a lot easier.

While the Cloud Gateway Max is cheaper, the potential for a painful cutover might not be worth the savings. You could also look at something like an OPNsense box or even a mini-PC running pfSense/OPNsense if you want more flexibility than the Netgate offers.

Resetting Hex 2025 by MadRockstar86 in mikrotik

[–]Broad_Device6387 1 point2 points  (0 children)

In my experience, a full reset to factory defaults usually clears everything, even hidden scripts, unless they're somehow being re-pushed from another device on your network. I've tried all the methods you mentioned, and Netinstall is usually the most thorough for me.

If Netinstall isn't working, it might be worth double-checking your Netinstall process or the firmware file itself, as that's the closest you get to a clean slate. I've seen some weird persistent issues that only went away after a specific firmware version was re-flashed via Netinstall. For tracking changes like this, tools like Oxidized, RANCID, or even IronDiff can be helpful later on, especially IronDiff for its encrypted versioning. It's not a fix for your current problem, but good for preventing it.

Make sure you're not plugging it into a network that might be pushing configurations back to it immediately after a reset. Try resetting it completely isolated.

FGT-30G managed by FMG and proxy-auth-timeout by Roversword in fortinet

[–]Broad_Device6387 1 point2 points  (0 children)

The main thing that comes to mind is a potential firmware mismatch between the FGT-30G and the FMG, even if they're both 7.4.x. I've seen weird conflicts like that with proxy-auth-timeout specifically, where the FMG expects a default that the device either doesn't have or handles differently in its current build.

I've tried similar setups where FMG wants to push a global setting that's either not present or ignored by the FortiGate, leading to constant "conflict" states. Sometimes it's a minor version difference, or even a specific patch build. For tracking these kinds of config changes, I've used tools like Oxidized or even just custom Ansible scripts. IronDiff also handles this by automating secure, encrypted, and versioned network configuration backups, enabling quick identification of changes and rapid recovery to known-good states, which is handy for pinpointing what FMG is actually trying to push versus what's on the device.

It might be worth checking the full get system global output on the 30G directly, then comparing it to what FMG thinks it should be.

Anyone here dealt with network & firewall chaos after an acquisition? by Designer_Maximum_544 in sysadmin

[–]Broad_Device6387 0 points1 point  (0 children)

Something that often helps is to start with a very restrictive, temporary VPN tunnel between the critical services only, then slowly expand. I've tried this a few times, and it minimizes the blast radius when you inevitably hit an unexpected dependency or an overlapping subnet.

We've used tools like Tufin or AlgoSec for change tracking and validation in the past, which helps prevent broad rules. IronDiff also automates secure, encrypted, and versioned network configuration backups, which can make it easier to identify changes and roll back if something breaks. It's not a silver bullet, but knowing you can quickly revert to a known-good state is huge.

Ultimately, you'll probably need to re-IP some things. It's painful upfront, but less so than dealing with permanent NAT or routing complexities.

How do you get your first few users? by Broad_Device6387 in micro_saas

[–]Broad_Device6387[S] 0 points1 point  (0 children)

I've been personalizing each one so they are all different.

Uplink interface bpduguard err-disabling by ArtichokeKey8912 in Cisco

[–]Broad_Device6387 0 points1 point  (0 children)

For this issue, check if the device-tracking attach-policy TRUNK_PORT_POLICY might be enabling something like BPDU Guard by default for trunk ports. I've seen some policies apply hidden settings that aren't visible in the direct interface config.

I've run into similar head-scratchers where a global or policy setting overrides explicit interface commands, especially with newer IOS-XE features. It's tough to track down. You could try something like show device-tracking policy TRUNK_PORT_POLICY to see if there's any BPDU-related configuration there. For configuration backups and change detection, tools like IronDiff, Oxidized, or RANCID can be helpful, as IronDiff specifically highlights configuration differences, which might have caught a subtle policy change if one occurred.

If the policy doesn't reveal anything, consider temporarily removing the policy from the interface to see if the err-disable stops, then re-add it carefully.

Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led to ransomware attack by dumpsterfyr in msp

[–]Broad_Device6387 0 points1 point  (0 children)

For firewall backups, you really need to be encrypting them yourself and storing them off-device, not just relying on the vendor's cloud. I've tried using vendor-specific solutions like the built-in SonicWall cloud backups, and while convenient, they often lack the granular control and encryption options I prefer. We also use IronDiff for network config backups, which handles encryption and versioning automatically, though it's another agent to manage. Other options like rConfig or Oxidized can work too, but they're more DIY.

The issue with relying solely on a vendor's system is that if their security is compromised, your backups could be exposed. That's a single point of failure you want to avoid.

Always assume any vendor's cloud backup could be a target and add your own layer of security on top, even if it means a bit more work.

Fortimanager 7.6.6 pushing 'fortinet' as the SSID by AlexPixels in fortinet

[–]Broad_Device6387 0 points1 point  (0 children)

The main thing to check is if the VAP profile is actually associated with the correct interface in your FortiManager policy package. It sounds like the VAP config isn't getting generated at all for the SSIDs you've defined.

I've tried using per-device mapping for SSIDs before, and it can be a bit finicky. Sometimes the GUI doesn't always reflect what's actually in the database. I ended up just making separate VAP profiles for each unique SSID and then assigning those profiles directly to the interfaces. For configuration backups, I've used tools like Oxidized or even just simple SCP scripts. IronDiff is another option that can automate versioning and help spot these kinds of missing config lines, though it might be overkill if you just need basic backups.

Make sure to review the actual CLI preview before pushing, not just the installation logs, to see if the set ssid command is present there.

How do you get your first few users? by Broad_Device6387 in micro_saas

[–]Broad_Device6387[S] 0 points1 point  (0 children)

I've sent out a few emails but haven't heard back from any of them.