BraddyJ
New Member
January 31, 2013
Question

unable to ping beyond default gateway on new Internet connection

I have a Fortigate 200B with the latest 4.0 firmware. We use multiple Internet connections, two PPPoE connections that work just fine, and one new manual connection that I can't get to work. I feel like I must be missing something really simple/stupid.

The connections that are working:
Port 13 (DSL01) - DHCP 63.231.68.142 / 255.255.255.255, Gateway: 207.225.112.6
Port 14 (DSL02) - DHCP 216.160.163.168 / 255.255.255.255, Gateway: 207.225.112.2

The connection that isn't working:
Port 15 (EoCu) - Manual 63.232.194.114 / 255.255.255.248

Static routes:
Device   Distance  Priority  Gateway         IP/Mask
Port 13  10        5         0.0.0.0         0.0.0.0/0.0.0.0
Port 14  10        5         0.0.0.0         0.0.0.0/0.0.0.0
Port 15  10        5         63.232.194.113  0.0.0.0/0.0.0.0

Static settings:
Port 13  ping server 4.2.2.1
Port 14  ping server 4.2.2.2
Port 15  ping server 63.232.194.113

Routing monitor shows:
Type       Network              Distance  Gateway        Interface
static     0.0.0.0/0            5         207.225.112.2  PPP1
static     0.0.0.0/0            5         207.225.112.6  PPP2
(no other static entries are listed for any interfaces)
connected  63.231.68.142/32     0         0.0.0.0        PPP2
connected  63.232.194.112/29    0         0.0.0.0        Port 15
connected  207.225.112.2/32     0         0.0.0.0        PPP1
connected  207.225.112.6/32     0         0.0.0.0        PPP2
connected  216.160.163.168/32   0         0.0.0.0        PPP1
(Why isn't my static route default gateway listed for port 15???)

From the firewall console:
exec ping 63.232.194.113 comes back fine
exec ping 207.109.53.142 does not come back

When I connected my laptop to the same connection as port 15, I configured it like this:
IP: 63.232.194.114
Subnet mask: 255.255.255.248
Default gateway: 63.232.194.113
With that configuration, I am able to ping 207.109.53.142 from my laptop. What am I missing???

    15 replies

    Dave_Hall
    New Member
    January 31, 2013
    What do you get when you "exec traceroute 207.109.53.142" from the Fortigate?
    BraddyJ (Author)
    New Member
    January 31, 2013
    exec traceroute 207.109.53.142
    I think it goes out over one of the other connections:
      IASLC-FW01 # exec traceroute 207.109.53.142
      traceroute to 207.109.53.142 (207.109.53.142), 32 hops max, 72 byte packets
       1  207.225.112.2 <hlrn-dsl-gw02.hlrn.qwest.net>  38.313 ms  37.918 ms  39.709 ms
       2  71.217.188.13 <hlrn-agw2.inet.qwest.net>  37.788 ms  37.658 ms  37.722 ms
       3  67.14.24.17 <dvr-core-01.inet.qwest.net>  38.925 ms  39.289 ms  39.080 ms
       4  67.14.24.93 <dvr-edge-13.inet.qwest.net>  38.596 ms  38.563 ms  38.373 ms
       5  * * *
      ...
    rwpatterson
    New Member
    January 31, 2013
    Have you checked off the "NAT" checkbox in that policy? Any policy facing the Internet needs that checked if your inside IP addresses are in the private (RFC 3330) range.
    BraddyJ (Author)
    New Member
    January 31, 2013
    Yes, NAT is checked and using destination interface IP address in all outbound rules. Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?
    rwpatterson
    New Member
    February 1, 2013
    ORIGINAL: BraddyJ: Yes, NAT is checked and using destination interface IP address in all outbound rules. Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?
    You are correct. I missed the console part of the post. Perhaps you need to set the ping options in the unit to use the IP associated with that port...
    emnoc
    New Member
    January 31, 2013
    Yes, that's correct. Have you run the diag debug flow and/or the packet sniffer? If you're doing traceroute, it should be UDP, with a high UDP port incrementing per hop.
    BraddyJ (Author)
    New Member
    January 31, 2013
    I have not tried that, and to be honest I'm not sure how. Could you provide some steps to follow, please?
    Dave_Hall
    New Member
    January 31, 2013
    Yes, NAT is checked and using destination interface IP address in all outbound rules.
    Is Port15 showing any traffic at all? Duplex/speed set to auto or forced? ("debug hardware deviceinfo nic port15") Any router policy configured? Considering all routes being equal, wouldn't the fgt pick either the lowest port# or use odd/even, etc. when choosing a route path?
    BraddyJ (Author)
    New Member
    February 1, 2013
    "Debug hardware deviceinfo nic port15" returns "Unknown action 0". Here is the output from get hardware nic port15:
    IASLC-FW01 # get hardware nic port15
    Driver Name: NP2
    Version: 0.92
    Chip Revision: 2
    BoardSN: ��^8F
    Module Name: 200B-256
    DDR Size: 256 MB
    Bootstrap ID: 18
    PCIX-64bit-@133MHz bus: 02:00.0
    Admin: up, num=4, duration=6997551
    Current_HWaddr: 00:09:0f:fa:29:49
    Permanent_HWaddr: 00:09:0f:fa:29:49
    Link: up, 5
    Speed: 100Mbps
    Duplex: Full
    Rx Pkts: 38461
    Tx Pkts: 33669
    Rx Bytes: 2326528
    Tx Bytes: 1469440
    MAC2 Rx Errors: 0
    MAC2 Rx Dropped: 0
    MAC2 Tx Dropped: 0
    MAC2 FIFO Overflow: 0
    MAC2 IP Error: 0
    TAE Entry Used: 0
    TSE Entry Used: 3
    Host Dropped: 0
    Shaper Dropped: 0
    EEI0 Dropped: 0
    EEI1 Dropped: 0
    EEI2 Dropped: 0
    EEI3 Dropped: 0
    IPSEC QFIFO Dropped: 0
    IPSEC DFIFO Dropped: 0
    PBA: 123/1019/251
    Forwarding Entry Used: 0
    Offload IPSEC Antireplay ENC Status: Disable
    Offload IPSEC Antireplay DEC Status: Enable
    Offload Host IPSEC Traffic: Disable
    ses mask: 40047dcb
    BraddyJ (Author)
    New Member
    February 1, 2013
    I think I understand what you are all saying about having multiple Internet connections and using ECMP. How do I know my ping will go out that port? I also connected a computer to the switch off of the firewall's LAN port (port16), gave it an IP address on a range that isn't used by anything else (192.168.11.11), configured the firewall port 16 to have an additional IP of 192.168.11.1, and I am able to use rules to allow that laptop to get to the Internet over port 13, 14, or 15. However, when I tell it to go out over port 15 it can't get anywhere. Or rather, it can ping only what the Firewall is also able to ping.
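    To make the routing-monitor table from the question concrete, here is an added example (not from this thread or from Fortinet) that does a longest-prefix, lowest-distance lookup over the routes exactly as the routing monitor listed them; the table is constructed inline from the post, with the port 15 static default deliberately absent because the monitor did not show it. It shows why 63.232.194.113 is reachable through the connected /29 on port 15 while 207.109.53.142 only ever has the two PPP defaults as ECMP candidates, and what changes once a port 15 default is present.

```python
import ipaddress

# Routing monitor entries as posted in the question (constructed from the thread):
# (type, network, distance, gateway, interface). The port 15 static default that
# was configured but not listed by the routing monitor is intentionally missing.
ROUTES = [
    ("static",    "0.0.0.0/0",          5, "207.225.112.2", "PPP1"),
    ("static",    "0.0.0.0/0",          5, "207.225.112.6", "PPP2"),
    ("connected", "63.231.68.142/32",   0, None,            "PPP2"),
    ("connected", "63.232.194.112/29",  0, None,            "port15"),
    ("connected", "207.225.112.2/32",   0, None,            "PPP1"),
    ("connected", "207.225.112.6/32",   0, None,            "PPP2"),
    ("connected", "216.160.163.168/32", 0, None,            "PPP1"),
]


def lookup(dst, routes=ROUTES):
    """Return every route that survives longest-prefix match and then lowest
    administrative distance: the set of ECMP candidates for this destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[1])]
    if not matches:
        return []
    best_len = max(ipaddress.ip_network(r[1]).prefixlen for r in matches)
    matches = [r for r in matches if ipaddress.ip_network(r[1]).prefixlen == best_len]
    best_dist = min(r[2] for r in matches)
    return [r for r in matches if r[2] == best_dist]


def egress_interfaces(dst, routes=ROUTES):
    """Interfaces a packet to dst may leave on (sorted for stable comparison)."""
    return sorted({r[4] for r in lookup(dst, routes)})


def with_port15_default(routes=ROUTES):
    """Hypothetical table: the same routes plus the missing port 15 default."""
    return routes + [("static", "0.0.0.0/0", 5, "63.232.194.113", "port15")]


if __name__ == "__main__":
    # Gateway itself: on-link via the connected /29, so "exec ping" succeeds.
    print("63.232.194.113 ->", egress_interfaces("63.232.194.113"))
    # One hop beyond: only the PPP defaults match, so the traceroute left via PPP1.
    print("207.109.53.142 ->", egress_interfaces("207.109.53.142"))
    # With the port 15 default installed, port15 becomes a third ECMP candidate.
    print("207.109.53.142 (with port15 default) ->",
          egress_interfaces("207.109.53.142", with_port15_default()))
```

Because all three defaults share distance 5, ECMP would still spread flows across them; forcing a particular WAN for a test host would need a policy route or per-flow selection, which is exactly the point raised above.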
    BraddyJ (Author)
    New Member
    February 1, 2013
    This is what the traffic on that port looks like. It looks like a lot, but note the scale on the left.
    BraddyJ (Author)
    New Member
    February 1, 2013
    I'm able to reproduce this very issue on a laptop connected directly to the ISP's router if I don't set a default gateway on the laptop. I think the crux of this issue is that I can't seem to get the FW to read my default gateway into the routing table from my static route. It's like it just ignores any static route entry for that connection. Any ideas?
    BraddyJ (Author)
    New Member
    February 1, 2013
    Static routes:
    BraddyJ (Author)
    New Member
    February 1, 2013
    Static settings: