unable to ping some hosts
Dear Experts,
I have two sites connected, FGT-60C and FGT-90D, via IPSEC.
I have a strange issue with some hosts on my network.
Host A (10.10.110.169, FGT-60C) pings host B over IPSEC (FGT-90D) and I get a response.
When I try to do the same and ping from host B to host A, I get timeouts.
I tried the following:
1. Make sure I have a ping from FGT-60C to host A:
PING 10.10.110.169 (10.10.110.169): 56 data bytes
64 bytes from 10.10.110.169: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 10.10.110.169: icmp_seq=1 ttl=64 time=1.0 ms
That worked fine.
Then I tried to sniff; this is what I get for host A when pinging from the IPSEC network:
diagnose sniffer packet any "host 10.10.110.169" 4
interfaces=[any]
filters=[host 10.10.110.169]
15.108871 IPSEC-Phones in 10.10.9.149 -> 10.10.110.169: icmp: echo request
15.109169 internal3 out 10.10.9.149 -> 10.10.110.169: icmp: echo request
19.203494 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203494 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203675 internal3 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
So I see the request, but I see no reply from host B.
When I try another host on the network, I see the following:
diagnose sniffer packet any "host 10.10.110.50" 4
interfaces=[any]
filters=[host 10.10.110.50]
1.295465 internal1 in arp who-has 10.10.110.80 tell 10.10.110.50
1.295465 PhonesSwitch in arp who-has 10.10.110.80 tell 10.10.110.50
1.295581 internal3 in arp who-has 10.10.110.80 tell 10.10.110.50
12.704045 internal1 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704045 PhonesSwitch in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704252 internal3 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
15.914114 IPSEC-Phones in 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914434 internal3 out 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914941 internal3 in 10.10.110.50 -> 10.10.9.149: icmp: echo reply
15.915102 IPSEC-Phones out 10.10.110.50 -> 10.10.9.149: icmp: echo reply
I've also added an Any->Any policy to make sure nothing gets blocked.
Any help about how to go about troubleshooting this is much appreciated.
Thank you
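
An added example, not part of the original post: a small Python parser for the `diagnose sniffer packet any ... 4` output quoted above that pairs each ICMP echo request with its reply and reports the last interface on which the exchange was captured. The function names and verdict strings are assumptions of this example; the sample lines are copied from the two traces in the post.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two traces in the post above.
SAMPLE = """\
15.108871 IPSEC-Phones in 10.10.9.149 -> 10.10.110.169: icmp: echo request
15.109169 internal3 out 10.10.9.149 -> 10.10.110.169: icmp: echo request
19.203494 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
15.914114 IPSEC-Phones in 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914434 internal3 out 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914941 internal3 in 10.10.110.50 -> 10.10.9.149: icmp: echo reply
15.915102 IPSEC-Phones out 10.10.110.50 -> 10.10.9.149: icmp: echo reply
"""

# <time> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
ICMP_LINE = re.compile(
    r"^\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

def trace_echo_paths(text):
    """Return {(pinger, target): {"request": [...], "reply": [...]}}; each list
    holds (interface, direction) hops in the order they were captured."""
    flows = defaultdict(lambda: {"request": [], "reply": []})
    for line in text.splitlines():
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue  # ARP, UDP, sniffer headers: not part of the echo exchange
        # A reply travels target -> pinger, so swap to share the request's key.
        key = (m["src"], m["dst"]) if m["kind"] == "request" else (m["dst"], m["src"])
        flows[key][m["kind"]].append((m["iface"], m["dir"]))
    return dict(flows)

def classify(hops):
    """Name the last point at which the echo exchange was captured."""
    req_out = [iface for iface, d in hops["request"] if d == "out"]
    rep_in = [iface for iface, d in hops["reply"] if d == "in"]
    rep_out = [iface for iface, d in hops["reply"] if d == "out"]
    if not req_out:
        return "request not forwarded by the firewall"
    if not rep_in:
        return f"request left {req_out[-1]}, no reply came back"
    if not rep_out:
        return f"reply arrived on {rep_in[-1]} but was not forwarded"
    return f"reply returned via {rep_out[-1]}"

def summarize(text):
    """Map each pinged target address to its verdict."""
    return {target: classify(h) for (_, target), h in trace_echo_paths(text).items()}
```

Calling `summarize(SAMPLE)` separates the two hosts in the post: for 10.10.110.50 the reply is captured entering internal3 and leaving IPSEC-Phones, while for 10.10.110.169 the request leaves internal3 and no reply is captured on any interface.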
