lcmuser
New Member
October 8, 2019
Solved

VPN between 2 Fortigates 60E losing ping packets

Hi all,

Checked other forum threads, but found only one mention here (https://forum.fortinet.com/tm.aspx?m=142160), and it is not answered.

Basically we have just purchased a pair of Fortigate 60E firewalls that we would like to use for site-to-site IPSec VPN.

So I set them up sitting next to each other, connected via a patch cable.

I used the VPN Wizard and everything seemed to start working OK; however:

I am using a Cisco switch as a client on one side and a Mac laptop on the other. I run a continuous ping from the Mac to the switch and it appears to be working fine, no timeouts or lost packets. The same thing done from the switch side towards the Mac looks similarly OK; however, if I run a ping with, say, 10000 repetitions, that shows issues:

Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.11.11.99, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Clearly, some packets get dropped... but why? No errors in the logs...

Any help is appreciated...

    Best answer by emnoc

    Okay, so do or did you implement DoS protection? A simple ping is not a DoS by itself.

    I would first start by reviewing your firewall and see what you applied at the policy and dos-policy level:

    config firewall DoS-policy
        show full-configuration

    And if you have a rule, then look at the icmp-information:

    config firewall DoS-policy
        edit 1
            config anomaly
                edit "icmp_flood" <---
                    set threshold 250
                next
                edit "icmp_sweep" <---
                    set threshold 100
                next
                edit "icmp_src_session" <---
                    set threshold 300
                next
                edit "icmp_dst_session" <---
                    set threshold 1000
                next
            end
        next
    end

    Ken Felix

    lcmuser (Author)
    New Member
    October 9, 2019

    Quick addition... It appears that the drop event happens after every 250 pings... Is there some sort of protection against constant pings sent in a short time span?

    emnoc
    New Member
    October 9, 2019

    Should not be, but what else might be happening at 250 pings? Does the issue happen with large and small packets? Can you place an IPv4 address on both FGT vpn-interfaces; does the same issue happen if pings are FGT-2-FGT?

    What is the PMTU? (Should be 1438 bytes or less, typically.)

    Ken Felix

    lcmuser (Author)
    New Member
    October 9, 2019

    Thanks, but what about this "feature"?

    https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Protection.htm

    icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. Default threshold: 250 packets per second.

    To me this looks quite relevant.

    I am actually using a Cisco switch as a client and it seems to be able to send very many ICMP packets per second... and interestingly, according to the ping output, the issue happens after every 250 responses...
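As an added illustration (not code from this thread, nor from Fortinet), the following Python model ties together the best answer's pointer at the icmp_flood anomaly and the last post's observation of one drop after every 250 replies. It assumes a simplified detector: a sliding 1-second window counting ICMP packets per destination IP, with a threshold of 250 and an action of either block or log-only. The sender is driven two ways: like IOS `ping` (the next echo goes out as soon as the reply arrives, and a lost echo costs the 2-second timeout shown in the post's output) and like the macOS `ping` default of one echo per second. The 1 ms round-trip time, the destination address and the exact window arithmetic are assumptions; how FortiOS really counts is not documented on this page.

```python
"""Model: why a 250 pps per-destination ICMP threshold loses 1 echo in every 251.

Added example, not code from the thread or from Fortinet.  Assumptions:
a sliding 1-second window per destination IP, a 1 ms round trip, and a
sender that behaves like IOS ping (interval 0) or macOS ping (interval 1 s).
"""
from collections import defaultdict, deque

US = 1_000_000  # microseconds per second; integer time avoids float drift


class IcmpFloodPolicy:
    """Per-destination ICMP rate limit modelled on the icmp_flood anomaly
    (number of ICMP packets to one destination IP per second)."""

    def __init__(self, threshold=250, action="block", enabled=True):
        self.threshold = threshold          # packets/s before the action fires
        self.action = action                # "block" drops, "pass" only logs
        self.enabled = enabled
        self.window = defaultdict(deque)    # dst -> timestamps (us) in last 1 s
        self.log = []                       # (t_us, dst, count) anomaly events

    def process(self, t_us, dst):
        """Return True if the packet is forwarded, False if it is dropped."""
        if not self.enabled:
            return True
        win = self.window[dst]
        while win and win[0] <= t_us - US:  # expire entries older than 1 s
            win.popleft()
        win.append(t_us)
        if len(win) > self.threshold:
            self.log.append((t_us, dst, len(win)))
            return self.action != "block"
        return True


def simulate_ping(policy, count, dst="172.11.11.99", rtt_us=1_000,
                  timeout_us=2 * US, interval_us=0):
    """Drive the policy with a ping loop and return an IOS-style '!'/'.' string.

    interval_us=0 models IOS ping (next echo right after the reply);
    interval_us=US models the macOS default of one echo per second.
    A dropped echo makes the sender wait for the timeout before continuing.
    """
    t = 0
    out = []
    for _ in range(count):
        if policy.process(t, dst):
            out.append("!")
            t += max(rtt_us, interval_us)
        else:
            out.append(".")
            t += max(timeout_us, interval_us)
    return "".join(out)


def loss_stats(result):
    """Return (number of drops, distinct spacings between drops)."""
    idx = [i for i, c in enumerate(result) if c == "."]
    gaps = sorted({b - a for a, b in zip(idx, idx[1:])})
    return len(idx), gaps


if __name__ == "__main__":
    ios = simulate_ping(IcmpFloodPolicy(threshold=250), 10000)
    print("IOS ping, threshold 250:", loss_stats(ios))          # (39, [251])
    mac = simulate_ping(IcmpFloodPolicy(threshold=250), 10000, interval_us=US)
    print("macOS ping, threshold 250:", loss_stats(mac))        # (0, [])
    logonly = IcmpFloodPolicy(threshold=250, action="pass")
    print("log only:", loss_stats(simulate_ping(logonly, 10000)),
          "events logged:", len(logonly.log))                  # (0, []) 9750
```

The block-mode run reproduces the post's pattern exactly: 250 replies, one timeout, 250 replies, and so on, because the 2-second wait after each drop empties the 1-second window before the sender resumes. The 1-per-second sender never accumulates more than one packet in the window, which is consistent with the Mac direction looking clean. A log-only action records every over-threshold packet while forwarding all of them, so in this model that is the cheapest way to confirm the hypothesis before raising a threshold or exempting the test hosts.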