Ping reply but no sent Ping and also destination unreachable

=====Site A--------------VPN--------------Site B===

192.168.1.20/24--------------------------192.168.70.20/24

192.168.2.20/24 -------------------------192.168.159.20/24

----SIP 192.168.2.215-------------------   ----SIP 192.168.159.6

The ping request/replies that you describe are not really clear, or not plausible.

You can't have a reply without a request, unless the traffic flows asymmetrically.

Use "any" filter for interface, and "host" or "net" instead of "src / dst ". For example:

diag sniffer packet any "net 192.168.159.0/24 and icmp" 4 0

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222?externalID=11186

ping from .159.6 > .2.215

  >> do you see the request and reply on site A FortiGate? 

ping from .2.215 > .159.6

  >> do you see the request and reply on site B FortiGate?

Thanks,

So, doing a ping with just ICMP as opposed to anything for specific addresses i get a request and reply both ways on either side so:

ping from .159.6 > .2.215

  >> do you see the request and reply on site A FortiGate? - Yes

ping from .2.215 > .159.6

  >> do you see the request and reply on site B FortiGate? - Yes

Where do i see the IPSEC selectors as i didn't set these up but i've gone into the IPsec Tunnels settings but can only see Phase2 selectors which are set to 0.0.0.0/0.0.0.0 ? I can see IP ranges on the SSL-VPN settings but suspect these are for the dial in VPN users ?

lol......i've removed an older firewall rule that WAS there (i suspect someone added this a while ago for some reason) so i could start from scratch and it's now working.....Sorry for the wasted time but still not sure why i got different packet results using ICMP with any source/dest as opposed to ANY with specific source/dest ?

mmm...spoke too soon. It's now stopped again and i can't ping one to the other. I've ran another trace and on both sides pinging as the phone server as the source to the other phone server (so 192.168.2.215-192.168.159.6 and vice versa) i'm getting a ping reply but the request is showing as Destination unreachable (protocol unreachable) on both sides which makes no sense as it would have to have sent the request for it to receive the reply ?

Just seems a bit odd that i removed the old policy and it worked but now doesn't so wondering if that was a red herring and there's something like a rogue MAC address taking the same IP but i can't find anything on the network

when you use source-ip for simulating traffic on the FortiGate, the IP must be defined on one of the FG interfaces. Any other IP will not have desired output. Try to capture traffic generated from these machines, even if not ICMP

Right so that makes a bit of sense now....so i can get onto one of the phone servers (192.168.2.215) but not on the other as there's no GUI on that model so i've pinged 192.168.159.6 from 192.168.2.215 and the packet trace picks up nothing at all....no request and no reply ? I did however choose the interface as the SIP interface but that would've picked it up if there WAS icmp traffic going through it wouldn't it ?

I added a firewall rule to test for the siteA sip as the source to siteB sip as the dest and allowed ICMP and was getting a ping reply from siteB to site A but the request again is showing as Destination Unreachable (Protocol Unreachable)...just tried it again and there's nothing on either side....not sure if there's just a network issue that keeps going up and down

Hello,

I have the same problem on some sites. Do you have a solution or found something ?