mateusguilherme
Explorer II
July 3, 2024
Solved

ping from one of the wan interfaces


Hi,

I'm trying to ping 8.8.4.4 from the WAN interfaces of my FortiGate 40F (v7.0.13). Interface 'a' can ping correctly, but interface 'wan' cannot reach the destination.

 

Interface 'wan':

 

```
#execute ping-options source 138.99.23.193
#execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
```

 


Debug: 

 

```
# diagnose debug enable
# diagnose debug flow filter addr 8.8.4.4
# diagnose debug flow filter proto 1
# diagnose debug flow show function-name enable
show function name
# diagnose debug flow trace start 100
# id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=729 func=init_ip_session_common line=6043 msg="allocate a new session-0509fe9d, tun_id=0.0.0.0"
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
id=20085 trace_id=730 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=731 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=2."
id=20085 trace_id=731 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=732 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=3."
id=20085 trace_id=732 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=733 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=4."
id=20085 trace_id=733 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
```

 

 

Interface 'a':

 

```
# execute ping-options reset
# execute ping-options source 177.84.137.44
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=19.5 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.3 ms

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.3/18.5/19.5 ms
```

 

 

Debug: 

 

```
# id=20085 trace_id=744 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=0."
id=20085 trace_id=744 func=init_ip_session_common line=6043 msg="allocate a new session-050a4965, tun_id=0.0.0.0"
id=20085 trace_id=745 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=0."
id=20085 trace_id=745 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=745 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=746 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=1."
id=20085 trace_id=746 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=747 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=1."
id=20085 trace_id=747 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=748 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=2."
id=20085 trace_id=748 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=749 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=2."
id=20085 trace_id=749 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=750 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=3."
id=20085 trace_id=750 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=751 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=3."
id=20085 trace_id=751 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=752 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=4."
id=20085 trace_id=752 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=753 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=4."
id=20085 trace_id=753 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
```

 

 

routes:

 

```
#get router info routing-table all

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 177.84.139.51, ppp3, [1/0]
                  [1/0] via 10.85.161.37, ppp2, [1/0]
. . .
```

 

 

sdwan:

 

```
#show config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "z-VPNs"
        next
    end
    config members
        edit 1
            set interface "wan"
            set gateway 10.85.161.37
        next
        edit 2
            set interface "a"
            set gateway 177.84.139.51
        next
        edit 20
            set interface "SPOKE-01"
            set zone "z-VPNs"
            set priority 11
        next
        edit 30
            set interface "SPOKE-02"
            set zone "z-VPNs"
            set priority 11
```

 

 

 

The two WAN interfaces use PPPoE to receive IP and gateway.

The two interfaces (wan, a) are part of the same SD-WAN that implements balancing (Maximize Bandwidth SLA).

I don't understand why I can't ping when I set 'execute ping-options source 138.99.23.19'....

 

I don't know if I provided all the necessary information, you can ask for more if you need

 

3 replies

funkylicious
SuperUser
July 3, 2024

Hi,

One guess would be that you don't actually have that public IP configured on your PPPoE interface, but a private one for which the ISP does NAT, while the other interface has a direct public IP configured on it.

Maybe try with the interface param instead of the source IP? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGate-CLI/ta-p/190774

"jack of all trades, master of none"
mateusguilherme
Explorer II
July 3, 2024

This is very strange:

Interface 'wan':

```
# execute ping-options reset
# execute ping-options interface wan
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.0 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.6 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.6 ms

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.0/18.3/18.6 ms
```

Debug:

```
# id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=764 func=init_ip_session_common line=6043 msg="allocate a new session-050accac, tun_id=0.0.0.0"
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=765 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=766 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=1."
id=20085 trace_id=766 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=767 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=1."
id=20085 trace_id=767 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=768 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=2."
id=20085 trace_id=768 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=769 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=2."
id=20085 trace_id=769 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=770 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=3."
id=20085 trace_id=770 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=771 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=3."
id=20085 trace_id=771 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=772 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=4."
id=20085 trace_id=772 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=773 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=4."
id=20085 trace_id=773 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
```

Even when defining the wan interface (execute ping-options wan interface), the firewall used the IP of interface A (177.84.137.44) to communicate with 8.8.4.4.

funkylicious
SuperUser
July 3, 2024

Just a wild idea. Try disabling port A and see if anything works using the WAN interface, since it will be the only one having a route and installed in the RIB.

"jack of all trades, master of none"
mateusguilherme
Explorer II
July 3, 2024

Works; by disabling the A interface I can ping using the wan interface.

mateusguilherme (Author, Answer)
Explorer II
July 3, 2024

I think I found the cause of this strange behavior. In my SDWAN configuration I need to inform the priority of the link I want to test. Currently my two links have the same priority. If I want to test using the 'wan' interface I need to put more priority on this link, if I want to test using the 'A' port I need to put more priority on the 'A' interface link.

 

It would be better if, when using the command 'execute ping-options source 138.99.23.193', these priority issues should be ignored and fortigate should use the IP/GATEWAY configurations referring to the interface that has IP 138.99.23.193.
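
Added example, not part of the original thread and not Fortinet tooling: a small Python parser for `diagnose debug flow` ICMP records that flags the two symptoms seen above, echo requests with no reply and a ping leaving with a different source IP than intended. The two sample traces are abbreviated from the posts; the function names and finding labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Abbreviated from the thread: ping with "ping-options source 138.99.23.193".
WAN_BY_SOURCE = '''
id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
'''
# Abbreviated from the thread: ping with "ping-options interface wan".
WAN_BY_INTERFACE = '''
id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
'''

# One print_pkt_detail record for ICMP (proto=1); works on flattened logs too.
PKT = re.compile(
    r'func=print_pkt_detail .*?received a packet\(proto=1, '
    r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).*? from (?P<ingress>\S+?)\. '
    r'type=(?P<type>\d+), code=\d+, id=(?P<icmp_id>\d+), seq=(?P<seq>\d+)')

def summarize(trace):
    """Group echo requests (type 8, from local) and replies (type 0) by ICMP id."""
    flows = defaultdict(lambda: {"src": None, "sent": 0, "recv": 0, "reply_if": set()})
    for m in PKT.finditer(trace):
        flow = flows[m["icmp_id"]]
        if m["type"] == "8" and m["ingress"] == "local":
            flow["src"] = m["src"]
            flow["sent"] += 1
        elif m["type"] == "0":
            flow["recv"] += 1
            flow["reply_if"].add(m["ingress"])  # interface the reply arrived on
    return dict(flows)

def findings(trace, expected_src):
    """Return (icmp_id, label, source_used) for a ping meant to use expected_src."""
    out = []
    for icmp_id, f in summarize(trace).items():
        if f["sent"] and f["src"] != expected_src:
            out.append((icmp_id, "source-mismatch", f["src"]))
        if f["sent"] and not f["recv"]:
            out.append((icmp_id, "no-reply", f["src"]))
    return out

if __name__ == "__main__":
    print(findings(WAN_BY_SOURCE, "138.99.23.193"))
    print(findings(WAN_BY_INTERFACE, "138.99.23.193"))
```

A `no-reply` finding only says that no echo reply was seen by the firewall; pair it with the routing table and SD-WAN member settings, as the thread does, to find out which path the request took.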