Unable to ping to Secondary IP from outside network

When you say an secondary IP, do you mean just that, or are you talking about a VIP using another IP in the allocated subnet range. If its a proper secondary IP, then you have to turn it on via the CLI. As per anything involved with the secondary IP, its all configured via the CLI. Just enable the ' ping' option on this, if you want the exact cli commands, you will have to tell us what version of firmware you are using.

Thanks for your reply. Yes, I mean secondary IP, not VIP. I' ve already set it in the CLI, and also " allowaccess ping" I' m using Fortigate 200, with FortiOS 3 MR 2. I have tried playing around with the static route setting. When I set 0.0.0.0 (default route) to the gateway of the secondary IP, it will work, but I will have problem pinging to the External interface IP. When I set 0.0.0.0 to point to the gateway of the external IP, the secondary IP can' t be pinged. Not sure if you have encountered this problem? Thanks.

Not sure on this one, as routing would be ' weird' on this one. Do you use both routes as an failover setup ? ie have two default routes ?

Hi, I don' t use failover setup. What I have are 2 sets of public IP addresses from 2 different service providers. I connect them to a switch, and then connect the external interface of fortigate unit to the swtich. So technically speaking, my fortigate unit can see both gateways. I then try to configure the unit with a secondary ip. For some time, it seems to work. But now, it seems that the secondary ip, or the external interface IP, can only be reached when the default route is pointing thru them I know I should get the Fortigate 200A, which supports 2 WAN, but for now, is there a solution to this? Thanks for your prompt reply.

Do you use the DMZ port ?, if not, use that for the secondary ISP. Why not configure two default routes with equal distances, with the main connection as the top one in the list. This might solve the routing issues. I presume you also do not specify IP restrictions for the admin accounts on the unit (as this restricts the source ip addresses.)

My DMZ interface is in use. So can' t use it for this purpose. Tried putting 2 default routes with equal distances, the secondary IP still can' t be reached. Yap, no IP restrictions on the admin accounts. Thanks.