KumarV
Staff
November 1, 2024

Troubleshooting Tip: The ICMP_TIME_EXCEEDED Packet does not follow the original ICMP path and displays the incorrect traceroute from the User.

Description

This article explains a behavior change in how FortiGate sends its replies to ICMP packets that originate from a traceroute.

 

Note: This behavior never impacted the actual traffic flow. It only caused incorrect traceroute results to be displayed.

Scope

FortiGate.
Solution

In earlier FortiOS versions, in deployments where SD-WAN is used and ECMP routes are common, FortiGate ignored ifIndex when checking the routing table. As a result, the route lookup always returned the first match, which may not be the best choice. To the user, the ICMP packet is sent from one interface but the ICMP_TIME_EXCEEDED packets are received on a different interface, which produces wrong traceroute results.

 

The following image explains the behavior in previous versions:

 

[Image: traceroute.JPG]

 

The Sniffer output on FortiGate1:

 

2024-01-08 11:14:23.567254 VPN-4 out 10.103.192.125 -> 10.102.83.253: icmp: echo request
2024-01-08 11:14:23.582648 VPN-1 in 10.103.21.33 -> 10.103.192.125: icmp: time exceeded in-transit

 

The capture above shows that the traceroute reply is received on a different interface (VPN-1) than the one the request was sent from (VPN-4).

 

The Sniffer output on FortiGate2:

 

2024-01-08 11:14:23.593790 HUB1-VPN4 in 10.103.192.125 -> 10.102.83.253: icmp: echo request
2024-01-08 11:14:23.594007 HUB1-VPN1 out 10.103.21.33 -> 10.103.192.125: icmp: time exceeded in-transit

 

The ICMP_TIME_EXCEEDED packet leaves on a different interface (HUB1-VPN1) than the one on which the request packet arrived (HUB1-VPN4).

 

Routing table on FortiGate2:

 

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via HUB1-VPN1 tunnel 170.75.32.40, [1/0]  <----------- First entry is chosen for the reply.
                   [1/0] via HUB1-VPN4 tunnel 10.103.20.1, [1/0]

 

This behavior was changed in FortiOS 7.0.16, 7.2.9, 7.4.4 and 7.6.0. From these versions on, ICMP_TIME_EXCEEDED packets follow the same interface as the original ICMP packet, so the correct traceroute results are seen.
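
To check a saved capture for the pre-fix behavior, the following added example (not part of the original article and not Fortinet code) parses sniffer lines in the layout shown above and reports every time-exceeded reply seen on a different interface than the echo request it answers. It assumes an ICMP-based traceroute as in the captures on this page; the function name and the third sample capture are constructed for illustration.

```python
import re

# Line layout as in the sniffer output shown on this page:
# <date> <time> <interface> <in|out> <src> -> <dst>: icmp: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?:in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: (?P<msg>.+)$"
)

def find_asymmetric_replies(capture):
    """Report time-exceeded replies seen on a different interface than the
    most recent echo request from the host they are addressed to."""
    probe_intf = {}  # prober IP -> interface of its last echo request
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP summary line
        if m["msg"].startswith("echo request"):
            probe_intf[m["src"]] = m["intf"]
        elif m["msg"].startswith("time exceeded"):
            expected = probe_intf.get(m["dst"])
            if expected is not None and expected != m["intf"]:
                findings.append({"time": m["ts"], "prober": m["dst"],
                                 "hop": m["src"], "request_intf": expected,
                                 "reply_intf": m["intf"]})
    return findings

# Captures copied from this page.
FG1_CAPTURE = """\
2024-01-08 11:14:23.567254 VPN-4 out 10.103.192.125 -> 10.102.83.253: icmp: echo request
2024-01-08 11:14:23.582648 VPN-1 in 10.103.21.33 -> 10.103.192.125: icmp: time exceeded in-transit
"""
FG2_CAPTURE = """\
2024-01-08 11:14:23.593790 HUB1-VPN4 in 10.103.192.125 -> 10.102.83.253: icmp: echo request
2024-01-08 11:14:23.594007 HUB1-VPN1 out 10.103.21.33 -> 10.103.192.125: icmp: time exceeded in-transit
"""
# Constructed sample (not from the page): reply uses the request's interface.
SYMMETRIC_CAPTURE = """\
2024-01-01 00:00:00.000001 port1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
2024-01-01 00:00:00.000200 port1 out 203.0.113.1 -> 192.0.2.10: icmp: time exceeded in-transit
"""

if __name__ == "__main__":
    for name, cap in [("FortiGate1", FG1_CAPTURE), ("FortiGate2", FG2_CAPTURE),
                      ("symmetric", SYMMETRIC_CAPTURE)]:
        for f in find_asymmetric_replies(cap):
            print(f"{name}: {f['time']} reply from {f['hop']} on "
                  f"{f['reply_intf']}, request used {f['request_intf']}")
```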