HS08
Visitor III
April 3, 2025
Question

BGP Established but can't ping

  • April 3, 2025
  • 6 replies
  • 5989 views

My FortiGate hub has a BGP connection to the spoke; the spoke IP is 10.10.112.11 and BGP was established.

[screenshot: f1.PNG]

But why can't I ping that spoke BGP peer IP? So traffic from the hub can't reach the spoke using this tunnel interface.

[screenshot: f2.PNG]

If I ping 10.10.112.1 from the spoke to the hub, the result is a reply.

[screenshot: f3.PNG]

6 replies

jdelafuente_FTNT
Staff & Editor
April 3, 2025

Share the output for:
exe ping-options source 10.10.112.1

exe ping 10.10.112.11
get route info routing details 10.10.112.11

get route info routing all 

HS08 (Author)
Visitor III
April 3, 2025

Here is the result:

[screenshot: a1.png]

[screenshot: a2.PNG]

and here is the result if pinging from the spoke:

[screenshot: a3.PNG]

Toshi_Esumi
SuperUser
April 3, 2025

Since the other direction of pinging works, it's not a routing issue over the tunnel. I would suspect something on the remote side is not taking the ping packets, or not returning the ping reply packets.

So, I would start with basic troubleshooting on the remote FGT, like checking allowaccess, sniffing the tunnel interface with the source IP after disabling NPU offloading at the policies and/or the IPsec config to see if they're arriving and if it's returning them, and then run flow debugging why not returning if arriving, and so on.

Toshi

HS08 (Author)
Visitor III
April 3, 2025

Not only can't I ping, but traffic from the hub can't reach the spoke if it passes through this tunnel interface.

Toshi_Esumi
SuperUser
April 3, 2025

Yes, I would imagine so. But even if not, it wouldn't change the troubleshooting method I would use.

funkylicious
SuperUser
April 3, 2025

If you start a diag sniffer packet on the spoke, what do you see? Is the traffic coming in/reaching on interface X, and is the reply going back out interface X or interface Y?

Also, is ping enabled/activated on the interface/firewall?

"jack of all trades, master of none"
dingjerry_FTNT
Staff
April 3, 2025

Hi @HS08 ,

My first step would be running "diag sniffer packet" for Ping traffic (using icmp as the filter) on the spoke side first.

This is to confirm whether the Ping initiated on the Hub side arrives at the Spoke or not.

HS08 (Author)
Visitor III
April 4, 2025

Hi @dingjerry_FTNT, @funkylicious,

There is no ICMP on the spoke, only psh and ack.

[screenshot: c1.PNG]
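As an added example (not part of the thread and not Fortinet code), here is a small Python triage script for the question funkylicious asks and the result HS08 reports: it parses lines in the shape of verbosity-4 `diag sniffer packet` output, counts ICMP echo requests arriving from the hub and echo replies leaving towards it per interface, and classifies the outcome. The sniffer lines, the interface name `vpn_spoke` and the BGP port usage are constructed for this example; the second sample reproduces the "only psh and ack, no ICMP" observation.

```python
import re
from collections import Counter

# Constructed sample in the shape of "diag sniffer packet any 'icmp or tcp' 4"
# output (verbosity 4 prints "<time> <intf> <in|out> <src> -> <dst>: ...").
# The interface name vpn_spoke and all addresses are assumptions for this example.
SAMPLE_PARTIAL_REPLY = """\
interfaces=[any]
filters=[icmp or tcp]
1.001234 vpn_spoke in 10.10.112.1.179 -> 10.10.112.11.51000: psh 3127843 ack 5124
1.001300 vpn_spoke out 10.10.112.11.51000 -> 10.10.112.1.179: ack 3127999
2.104500 vpn_spoke in 10.10.112.1 -> 10.10.112.11: icmp: echo request
2.104610 vpn_spoke out 10.10.112.11 -> 10.10.112.1: icmp: echo reply
3.104500 vpn_spoke in 10.10.112.1 -> 10.10.112.11: icmp: echo request
"""

# Constructed sample matching what the thread reports on the spoke: the BGP
# session keeps talking (psh/ack on tcp/179) but no ICMP from the hub shows up.
SAMPLE_NO_ICMP = """\
interfaces=[any]
filters=[icmp or tcp]
1.001234 vpn_spoke in 10.10.112.1.179 -> 10.10.112.11.51000: psh 3127843 ack 5124
1.001300 vpn_spoke out 10.10.112.11.51000 -> 10.10.112.1.179: ack 3127999
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)


def parse_sniffer(text):
    """Turn sniffer lines into dicts; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("icmp:"):
            proto, kind = "icmp", rest[len("icmp:"):].strip()   # e.g. "echo request"
        else:
            proto, kind = "tcp", rest.split()[0]                # e.g. "psh" / "ack"
        packets.append({"intf": m["intf"], "direction": m["direction"],
                        "src": m["src"], "dst": m["dst"], "proto": proto, "kind": kind})
    return packets


def icmp_summary(packets, peer):
    """Per interface: echo requests seen arriving from `peer`, echo replies sent back to it."""
    requests_in, replies_out = Counter(), Counter()
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["direction"] == "in" and p["src"] == peer and p["kind"] == "echo request":
            requests_in[p["intf"]] += 1
        elif p["direction"] == "out" and p["dst"] == peer and p["kind"] == "echo reply":
            replies_out[p["intf"]] += 1
    return requests_in, replies_out


def diagnose(packets, peer):
    """Classify the capture as (code, explanation) from the responding side's point of view."""
    requests_in, replies_out = icmp_summary(packets, peer)
    other_traffic = any(p["proto"] != "icmp" and p["src"] == peer for p in packets)
    n_req, n_rep = sum(requests_in.values()), sum(replies_out.values())
    if n_req == 0:
        if other_traffic:
            return ("no_icmp", "other traffic from the peer arrives but no echo requests do: "
                               "the ping is not leaving the sending side via this path")
        return ("no_traffic", "nothing from the peer at all: check the tunnel and route on the sending side")
    if n_rep == 0:
        return ("no_reply", "echo requests arrive but no replies leave: "
                            "check ping in allowaccess / local-in handling on this side")
    if set(replies_out) != set(requests_in):
        return ("asymmetric", f"replies leave via {sorted(replies_out)} but requests came in on "
                              f"{sorted(requests_in)}: check the return route")
    if n_rep < n_req:
        return ("partial_reply", f"{n_rep} of {n_req} requests answered")
    return ("ok", "requests and replies both seen on the same interface")


if __name__ == "__main__":
    for name, sample in (("partial", SAMPLE_PARTIAL_REPLY), ("no-icmp", SAMPLE_NO_ICMP)):
        code, why = diagnose(parse_sniffer(sample), "10.10.112.1")
        print(f"{name}: {code} - {why}")
```

Run it on the spoke against a real capture by pasting the sniffer output into a file and calling `parse_sniffer(open(path).read())`; the `no_icmp` verdict is the one that matches this thread and points the investigation back at the hub rather than at the spoke.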

Toshi_Esumi
SuperUser
April 4, 2025

What do you see if you have two CLI sessions, running this sniffing in one session and ping toward 10.10.112.1 in another? You said that direction worked.

Toshi

dingjerry_FTNT
Staff
April 4, 2025

Hi @HS08 ,

Please then run the debug flow commands on the Hub:

diag debug flow show iprope enable

diag debug flow filter clear

diag debug flow filter proto 1

diag debug flow filter addr 10.10.112.11

diag debug flow trace start 10

diag debug enable

Then initiate a ping; please do not run a continuous ping.
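As an added example (not from the thread and not Fortinet code), the following Python script reads lines in the shape of `diag debug flow` trace output, groups them by `trace_id`, and pulls out what the procedure above is meant to reveal for each traced packet: where it was received from, which route and egress interface were chosen, and whether a drop was logged. The sample lines, the session ids, the `line=` numbers and the interface name `vpn_spoke` are constructed for this example; an empty result (no trace lines at all, which is what the thread later reports from the hub) is handled as its own case, since it means nothing matched the filter.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "diag debug flow" trace output. Trace 1 is a
# locally generated ping that gets routed into the tunnel; trace 2 is an inbound
# ping that is dropped by the local-in check. Ids, line numbers and the
# interface name vpn_spoke are made up for this example.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.112.1:1->10.10.112.11:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000a1b2, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.10.112.11 via vpn_spoke"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.10.112.11:1->10.10.112.1:2048) tun_id=0.0.0.0 from vpn_spoke. type=8, code=0, id=1, seq=0."
id=20085 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-0000a1b3, tun_id=0.0.0.0"
id=20085 trace_id=2 func=iprope_dnat_check line=5291 msg="in-[vpn_spoke], out-[]"
id=20085 trace_id=2 func=fw_local_in_handler line=628 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\S+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)"
                    r".*?\bfrom (?P<ingress>[^.\s]+)\.")
ROUTE_RE = re.compile(r"find a route: flag=\S+ gw-(?P<gw>[\d.]+) via (?P<egress>\S+)")


def parse_debug_flow(text):
    """Group (func, msg) pairs by trace_id; lines that are not trace lines are ignored."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m["tid"]].append((m["func"], m["msg"]))
    return dict(traces)


def summarize(traces):
    """One record per trace: addresses, ingress, chosen egress, and a verdict."""
    records = []
    for tid in sorted(traces, key=int):
        info = {"trace_id": tid, "proto": None, "src": None, "dst": None,
                "ingress": None, "egress": None, "verdict": "incomplete"}
        for _func, msg in traces[tid]:
            m = PKT_RE.search(msg)
            if m:
                info.update(proto=m["proto"], src=m["src"], dst=m["dst"], ingress=m["ingress"])
                continue
            m = ROUTE_RE.search(msg)
            if m:
                info["egress"] = m["egress"]
                continue
            # Any explicit drop/deny message wins over a route having been found.
            if "drop" in msg.lower() or "denied" in msg.lower():
                info["verdict"] = "dropped: " + msg
        if info["verdict"] == "incomplete" and info["egress"]:
            info["verdict"] = "routed"
        records.append(info)
    return records


def triage(records):
    """Overall reading of the trace: no_traces / dropped / routed / incomplete."""
    if not records:
        return "no_traces"          # nothing matched the filter: re-check source address and filter
    if any(r["verdict"].startswith("dropped") for r in records):
        return "dropped"
    if all(r["verdict"] == "routed" for r in records):
        return "routed"
    return "incomplete"


if __name__ == "__main__":
    recs = summarize(parse_debug_flow(SAMPLE_DEBUG_FLOW))
    for r in recs:
        print(f"trace {r['trace_id']}: {r['src']} -> {r['dst']} in={r['ingress']} "
              f"out={r['egress']} {r['verdict']}")
    print("overall:", triage(recs))
```

The `routed` reading for a locally generated ping confirms the hub is sending it into the tunnel, which is the point of running this on the hub; a `no_traces` result means the filter never saw the packet, so the ping's source address and the filter itself should be confirmed before anything on the spoke is questioned.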

HS08 (Author)
Visitor III
April 4, 2025

Hi @dingjerry_FTNT,

Here I enabled the debug on the hub, then I opened a new console and pinged 10.10.112.11, but there is no log message.

[screenshot: d1.PNG]

[screenshot: d2.PNG]

rmoussa
Explorer III
April 4, 2025

Hello,

From the hub you have to try to specify the source address for the ping using exec ping-options source x.x.x.x.

Regards

Rony