Troubleshooting Tip: Impossible to ping the IPsec VPN remote peer network
Description
This article describes how to ping a remote network connected via IPsec VPN.
Scope
FortiGate.
Solution
Assume the following scenario:
[172.31.128.0/20]----172.31.128.1 (LAN) 81E-----IPsec VPN--------600C-------[ 172.31.144.0/20].
IPsec VPN is configured in both FortiGate-81E and FortiGate-600C.
For FortiGate-81E, network 172.31.144.0/20 is reachable via VPN, and 172.31.128.0/20 is a directly connected network.
From FortiGate-81E, if the remote network IP is pinged directly from the CLI (without specifying a source address), the ping fails:
FG81EP-2 # execute ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes
--- 172.31.147.74 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
To ping the remote IP across the IPsec VPN, set the ping source to the FortiGate's local LAN interface IP (the address inside the network that the tunnel carries), then run the ping again.
FG81EP-2 # execute ping-options source 172.31.128.1 <----- Source: the IP of the FortiGate-81E interface connected to the local network.
FG81EP-2 # execute ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes
64 bytes from 172.31.147.74: icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=1 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=2 ttl=255 time=0.3 ms
In certain instances, the root cause of the problem may be the Windows PC at the receiving end rather than the FortiGate. As an initial troubleshooting step, temporarily disable Windows Defender on the destination PC to confirm whether the host firewall is dropping the ICMP requests.
Furthermore, the destination PC often responds to ping requests originating from the same internal network while failing to respond to hosts on the opposite end of the tunnel. A potential reason is antivirus or host firewall software on the destination PC that only accepts traffic from its own subnet. To work around this, enable Network Address Translation (NAT) in the firewall policy from the tunnel interface to the internal network, so that tunnel traffic reaches the PC with the FortiGate's internal interface IP as its source.
Additionally, there may be a gateway device between the FortiGate and the destination PC, in the same or a different network. In that case the FortiGate may be able to ping the destination while the PC cannot ping back across the IPsec tunnel, because the gateway is not forwarding the return traffic to the FortiGate. This is not a FortiGate issue: take a packet capture on both sides and fix the configuration or routing on the gateway.
The direct ping fails because, for self-originated traffic, the FortiGate picks the source address from the interface with the lowest index number, which is not the LAN interface whose subnet is covered by the tunnel. These articles provide details: Technical Tip: Source IP for self-originating IPsec tunnel traffic.
Technical Tip: Self-originating traffic over IPSec VPN (For example ping)
This is the same behavior observed when a Loopback interface and a VLAN interface are used as the source IP for FortiGate traffic, as mentioned in the link below:
Technical Tip: PING Behavior when source IP is a Loopback and destination is Public IP
Technical Tip: Testing Internet Connectivity from FortiGate VLAN Interface
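The following added example (not part of this Fortinet article) models why the two pings above behave differently: a self-originated packet only enters the tunnel when its source/destination pair falls inside a phase-2 selector. It assumes the selectors are the two LAN subnets from the topology, and the WAN address 203.0.113.10 and interface indexes are constructed values, not taken from the article.

```python
import ipaddress

# Assumed phase-2 selectors on the FortiGate-81E side: local LAN <-> remote LAN
# (subnets from the article's topology; the selector pairing itself is an assumption).
PHASE2_SELECTORS = [
    (ipaddress.ip_network("172.31.128.0/20"), ipaddress.ip_network("172.31.144.0/20")),
]

# Constructed interface table, one entry per interface, with its index number.
# Only the 'internal' address 172.31.128.1 comes from the article.
INTERFACES = [
    {"name": "wan1", "index": 1, "ip": "203.0.113.10"},      # constructed WAN address
    {"name": "internal", "index": 2, "ip": "172.31.128.1"},  # local LAN interface
]


def matches_selector(src, dst, selectors=PHASE2_SELECTORS):
    """True if a packet src -> dst is inside some phase-2 selector pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def pick_source(interfaces, override=None):
    """Source selection as the article describes it: an explicit
    'execute ping-options source' wins; otherwise the FortiGate uses the
    IP of the lowest-index interface."""
    if override:
        return override
    return min(interfaces, key=lambda i: i["index"])["ip"]


def ping_over_tunnel(dst, override=None):
    """Decide whether a self-originated ping to dst would be carried by the tunnel."""
    src = pick_source(INTERFACES, override)
    carried = matches_selector(src, dst)
    return {
        "src": src,
        "enters_tunnel": carried,
        "verdict": "reply" if carried else "100% packet loss",
    }


if __name__ == "__main__":
    print(ping_over_tunnel("172.31.147.74"))                 # default source: fails
    print(ping_over_tunnel("172.31.147.74", "172.31.128.1")) # LAN source: succeeds
```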
