Question, May 3, 2026, from a New Member

PING and Site to Site VPN

  • 4 replies
  • 79 views

I have a site-to-site VPN lab running in VMware Workstation Pro:

2x FortiGate firewalls

2x Windows 10 VMs

FortiGate 1: WAN address (192.168.100.1), LAN address (10.1.1.1)

FortiGate 2: WAN address (192.168.100.2), LAN address (10.2.2.1)

PC-1 (10.1.1.10), PC-2 (10.2.2.10); the IP addresses of the PCs are fixed.

The WAN interfaces are on vmnet1.

The LAN interface of FortiGate 1 is on vmnet2.

The LAN interface of FortiGate 2 is on vmnet3.

PC-1 can't ping PC-2.


    AEK (SuperUser), May 3, 2026

    Probably the required routes don't exist on the two FortiGates.

    • On FG1 you add route to 10.2.2.0/24 via the tunnel
    • On FG2 you add route to 10.1.1.0/24 via the tunnel

    Also check if the required firewall policies exist on both FGT.

    If you created the tunnel with the wizard then all of this should be created automatically.

    hpenmetsa (Staff), May 4, 2026

    Hi, please run the sniffer on both FortiGates to check whether traffic is leaving FGT1 and being received on FGT2:

    diag sniffer packet any 'host <source_IP> and icmp' 4 0 a

    If you receive traffic on FGT2 and there is no reply, then check the routing and firewall policy configuration.

    Thanks,

    Toshi_Esumi (SuperUser), May 4, 2026

    First, is the tunnel up? Show us "get vpn ipsec tun sum".
    Is the route there on both sides? Show us "get router info routing-table all | grep 10.2.2" (or grep 10.1.1).
    Is there a set of in/out policies on both sides?

    Toshi

    msanjaypadma (Staff), May 4, 2026

    Hi @ayurx07,

    Validate with debug and sniffer step by step:

    Step 1: Validate whether the IPsec tunnel is UP:

    #get vpn ipsec tunnel summary | grep -f tunnel_name

    If the tunnel is down, refer to the article below to troubleshoot IPsec VPN:

    https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/044240/ipsec-related-diagnose-commands

    Step 2: If the tunnel is up but a particular destination is not reachable:

    1) Run the following command on both FGTs:

    diag sniffer packet any 'icmp and host x.x.x.x' 4 0 l

    Replace x.x.x.x with the destination IP you are pinging. Do not run a continuous ping.
     

    2) If you do not see it entering the local FGT or leaving the remote FGT, run the debug commands on the one with the issue to find out why:

    di de di
    di de reset
    diag debug flow show fun enable
    diag debug flow show iprope enable
    diag debug flow filter proto 1
    diag debug flow filter addr x.x.x.x
    diag debug flow trace start 999
    diag debug enable

    Then initiate a ping to reproduce the issue.

    Once the logs print, stop the ping using the commands below:

    di de di
    di de reset


    Step 3: If traffic reaches the remote FortiGate-2 and leaves towards the LAN:

    - Disable Windows Firewall and AntiVirus (optionally), or implement the steps below to create a custom rule in Windows Defender Firewall with Advanced Security:


    If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

    Thanks,
    Mayur Padma

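To turn the two sniffer captures from hpenmetsa's check and Step 2 above into a verdict, here is an added Python helper that is not from the thread or from Fortinet. It assumes the verbose-4 line layout `<timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo request|reply`, walks the echo request and reply through FGT1 and FGT2 in path order, and names the first hop where the packet disappears together with the matching check from the replies; the sample lines are constructed.

```python
import re
from typing import Dict, List

# Assumed line layout of 'diag sniffer packet any "icmp and host x.x.x.x" 4 0 a' output
# (verbose level 4, with or without the timestamp option). Header lines such as
# "interfaces=[any]" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?:\S+ ){1,2}(?P<iface>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)$"
)

def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only ICMP echo lines, as dicts with iface/dir/src/dst/kind."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]

def seen(hits: List[Dict[str, str]], direction: str, src: str, dst: str, kind: str) -> bool:
    """True if an echo <kind> from src to dst was sniffed in the given direction."""
    return any(h["dir"] == direction and h["src"] == src and h["dst"] == dst and h["kind"] == kind
               for h in hits)

def diagnose(fgt1_lines: List[str], fgt2_lines: List[str], pc1: str, pc2: str) -> str:
    """Walk the echo request and reply through FGT1 and FGT2 in path order and
    return the first hop where the packet disappears, with the check to run there."""
    h1, h2 = parse(fgt1_lines), parse(fgt2_lines)
    stages = [  # (hits, direction, src, dst, kind, verdict if missing)
        (h1, "in", pc1, pc2, "request", "echo request never entered FGT1: check PC-1's default gateway and the vmnet2 wiring"),
        (h1, "out", pc1, pc2, "request", "FGT1 did not forward the request: check the FGT1 route to PC-2's subnet via the tunnel and the LAN-to-VPN policy"),
        (h2, "in", pc1, pc2, "request", "request left FGT1 but never reached FGT2: check the tunnel status and the phase 2 selectors"),
        (h2, "out", pc1, pc2, "request", "FGT2 did not forward the request to its LAN: check the FGT2 VPN-to-LAN policy"),
        (h2, "in", pc2, pc1, "reply", "PC-2 received the request but sent no reply: check the Windows firewall on PC-2 (Step 3)"),
        (h2, "out", pc2, pc1, "reply", "FGT2 did not return the reply: check the FGT2 route to PC-1's subnet via the tunnel and its LAN-to-VPN policy"),
        (h1, "in", pc2, pc1, "reply", "reply left FGT2 but never reached FGT1: check the tunnel in the reverse direction"),
        (h1, "out", pc2, pc1, "reply", "FGT1 did not forward the reply to PC-1: check the FGT1 VPN-to-LAN policy"),
    ]
    for hits, direction, src, dst, kind, verdict in stages:
        if not seen(hits, direction, src, dst, kind):
            return verdict
    return "request and reply seen in both directions on both FortiGates: the VPN path is fine, look at PC-1 itself"

# Constructed sample: both FortiGates pass the request, but no reply ever comes back.
FGT1_SAMPLE = [
    "interfaces=[any]",
    "2026-05-04 09:15:01.100000 port2 in 10.1.1.10 -> 10.2.2.10: icmp: echo request",
    "2026-05-04 09:15:01.100200 to-fg2 out 10.1.1.10 -> 10.2.2.10: icmp: echo request",
]
FGT2_SAMPLE = [
    "2026-05-04 09:15:01.101000 to-fg1 in 10.1.1.10 -> 10.2.2.10: icmp: echo request",
    "2026-05-04 09:15:01.101200 port2 out 10.1.1.10 -> 10.2.2.10: icmp: echo request",
]

if __name__ == "__main__":
    print(diagnose(FGT1_SAMPLE, FGT2_SAMPLE, "10.1.1.10", "10.2.2.10"))
```

Paste each FortiGate's sniffer output into its own list (the filter already limits it to ICMP for the host) and the verdict points at the route, policy, tunnel or Windows firewall check to do next.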