VLAN access between two Fortigates

  • cbillips (New Member)
  • April 27, 2026
  • Solved
  • 4 replies
  • 214 views

Have the following config problem:

Fortigate 1 (VLAN400) -----EPLAN LINK-----> Fortigate 2 (VLAN300): traffic works fine.
Fortigate 2 (VLAN300) -----EPLAN LINK-----> Fortigate 1 (VLAN400): traffic fails.

Have checked all firewall rules, static routes, etc. Can't find the problem. Looked through the docs, only finding examples of VLAN routing on the same Fortigate. I have that working just fine.


4 replies

Toshi_Esumi
SuperUser
April 27, 2026

Don't know what the "EPLAN LINK" is, but I'm assuming it is just L1/L2 media connected to one of the FGT's physical ports on both ends. As you suspect, if only one direction is working it's likely caused by the policy (or, in rare cases, routing).
Please share those relevant policies from the CLI for us to understand your design with/without NAT and the physical interfaces.
Also please share the routes for the destinations from both sides, like:
get router info routing-table all | grep [destination_subnet]
i.e. the destination that works from one side and doesn't work from the other side.

Toshi 

sjoshi
Staff
April 27, 2026

Hi @cbillips

Please share the output of the command below:

diag sniff packet any 'host x.x.x.x and icmp' 4 0 l

where x.x.x.x is the destination IP.

Run the command on both FGTs at the same time and initiate the ping.

Thanks, Salon
cbillips (Author)
New Member
April 28, 2026

CENERGY-MLTNWV19D01 # diag sniff packet any 'host 10.19.20.202 and icmp' 4 0
interfaces=[any]
filters=[host 10.19.20.202 and icmp]
50.591546 CENERGY-DATA in 11.21.20.11 -> 10.19.20.202: icmp: echo request
50.591697 wan2 out 11.21.20.11 -> 10.19.20.202: icmp: echo request
55.416577 CENERGY-DATA in 11.21.20.11 -> 10.19.20.202: icmp: echo request
55.416660 wan2 out 11.21.20.11 -> 10.19.20.202: icmp: echo request


ASHLAND-ASLDKYVCD01 # diag snif packet any 'host 11.21.20.11 and icmp' 4 0
interfaces=[any]
filters=[host 11.21.20.11 and icmp]
91.349994 x2 in 11.21.20.11 -> 10.19.20.202: icmp: echo request
91.350011 ASH-PRODUCTION out 11.21.20.11 -> 10.19.20.202: icmp: echo request
91.350013 fortilink out 11.21.20.11 -> 10.19.20.202: icmp: echo request
91.350014 port16 out 11.21.20.11 -> 10.19.20.202: icmp: echo request
96.174990 x2 in 11.21.20.11 -> 10.19.20.202: icmp: echo request
96.174998 ASH-PRODUCTION out 11.21.20.11 -> 10.19.20.202: icmp: echo request
96.175000 fortilink out 11.21.20.11 -> 10.19.20.202: icmp: echo request
96.175001 port16 out 11.21.20.11 -> 10.19.20.202: icmp: echo request

dingjerry_FTNT
Staff
April 28, 2026

Hi @cbillips,

You need to explain something: Where is the Ping initiator? Which one is FGT1? Which one is FGT2? What are the VLAN interfaces on both FGTs respectively?

 

At least, based on the sniffer packet capture, the Ping request went out on both FGTs.

So, questions:

  1. On CENERGY-MLTNWV19D01, is it supposed to go out via wan2?
  2. On ASHLAND-ASLDKYVCD01, is it supposed to go out via ASH-PRODUCTION?

If yes for both, you need to check why 10.19.20.202 did not respond. Maybe it has a default route not pointing to the FGT?
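The reasoning above (request seen "in" and "out" on the FGT, no reply coming back, so suspect the host or its return route) can be applied mechanically to sniffer output. The following Python helper is an added example, not code from this thread or from Fortinet: it parses lines in the "diag sniffer packet ... 4 0" format shown above and classifies what each FortiGate saw. The capture strings are constructed for the example (they reuse the thread's addresses and interface names but are not the real captures), and the "working" capture is made up to show the healthy case.

```python
import re

# Constructed sample in the format of "diag sniffer packet any '...' 4 0" output,
# reusing the addresses quoted in the thread; the lines themselves are made up.
# Failing direction: requests arrive on the VLAN, leave via wan2, nothing returns.
FAILING_CAPTURE = """\
interfaces=[any]
filters=[host 10.19.20.202 and icmp]
50.591546 CENERGY-DATA in 11.21.20.11 -> 10.19.20.202: icmp: echo request
50.591697 wan2 out 11.21.20.11 -> 10.19.20.202: icmp: echo request
55.416577 CENERGY-DATA in 11.21.20.11 -> 10.19.20.202: icmp: echo request
55.416660 wan2 out 11.21.20.11 -> 10.19.20.202: icmp: echo request
"""
# Constructed healthy direction: the reply comes back in on wan2 and is forwarded.
WORKING_CAPTURE = """\
12.000001 CENERGY-DATA in 11.21.20.11 -> 10.19.20.202: icmp: echo request
12.000100 wan2 out 11.21.20.11 -> 10.19.20.202: icmp: echo request
12.001500 wan2 in 10.19.20.202 -> 11.21.20.11: icmp: echo reply
12.001600 CENERGY-DATA out 10.19.20.202 -> 11.21.20.11: icmp: echo reply
"""

# One sniffer line: <timestamp> <interface> in|out <src> -> <dst>: icmp: echo request|reply
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)

def parse_sniffer(text):
    """Return one dict per ICMP echo line; header and unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def egress_interfaces(records, src, dst):
    """Interfaces on which this FGT forwarded echo requests for src -> dst."""
    return sorted({r["iface"] for r in records if r["kind"] == "request"
                   and r["dir"] == "out" and r["src"] == src and r["dst"] == dst})

def diagnose(records, src, dst):
    """Classify what this FGT saw for the echo exchange src -> dst."""
    requests = [r for r in records if r["kind"] == "request"
                and r["src"] == src and r["dst"] == dst]
    replies = [r for r in records if r["kind"] == "reply"
               and r["src"] == dst and r["dst"] == src]
    if not requests:
        return "no_requests"      # filter or capture side is wrong: nothing matched
    if not egress_interfaces(records, src, dst):
        return "dropped_locally"  # seen 'in' but never 'out': policy/route on this FGT
    if not replies:
        return "no_reply"         # forwarded, nothing came back: host or its return route
    return "answered"
```

Run the same classification over the captures from both FGTs: "dropped_locally" points at the policy or route on that box, while "no_reply" on the FGT nearest the destination points at the host itself, as it did in this thread.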

dingjerry_FTNT
Staff
April 28, 2026

Hi @cbillips,

I assume the configurations on both FGTs are similar, except for the interface name and VLAN ID.

If so, you need to run the debug flow commands on both FGTs to tell why and where it fails:

diag debug flow show iprope enable

diag debug flow filter addr x.x.x.x   // I assume that you have no NAT enabled. Otherwise, use the destination IP for this filter

diag debug flow filter proto 1

diag debug flow trace start 10

diag debug enable


Then initiate a Ping to IP x.x.x.x to reproduce the issue. Do not run a continuous Ping.

cbillips (Author) · Best answer
New Member
April 28, 2026

Thanks for all the suggestions. I ran the troubleshooting steps today and found nothing wrong with the Fortinet configuration. Turned out that the Synology NAS we were trying to connect had a setting that needed to be turned on for multiple gateways (it has multiple NICs). Once turned on, I was able to ping the device with no issues. The troubleshooting steps provided above narrowed it down enough for me to look at the device itself.

sjoshi
Staff
April 28, 2026

Glad your issue has been fixed.

Another thing: it could also have worked if you enabled SNAT on the incoming policy on ASHLAND-ASLDKYVCD01.

Could be that 10.19.20.202 does not have a reverse route towards 11.21.20.11, and once you turned on multiple gateways it was able to respond.

Thanks, Salon
dingjerry_FTNT
Staff
April 28, 2026

They may need to identify the source on the server side.