smartslima
Explorer
April 24, 2025
Question

vpn is up but cannot ping the remote interface

  • April 24, 2025
  • 3 replies
  • 1634 views

Hello,

In my lab SD-WAN everything is OK, all my VPNs are up. I created 4 VPNs in a VPN zone, I created a policy between my LAN and the zone and a static route between the LAN and the VPN zone, but I cannot ping my remote branch.

3 replies

smartslima
Explorer
April 24, 2025

All the VPNs are down now hhh

funkylicious
SuperUser
April 24, 2025

I can't quite figure out where the 10.0.2.0/24 network is located; I can see 10.0.1.0/24 on the left side.

As for ping, if you are trying to ping (I guess from the right side) a FortiGate interface, is ping enabled on it and are firewall rules/routes in place?

"jack of all trades, master of none"
smartslima
Explorer
April 24, 2025

Hello @funkylicious

10.0.2.0/24 is the other LAN, I forgot to mention it.

Yes, I put everything in place: the routes, the rules, and ping allowed on the interface, but I can't ping the other LAN; I cannot even ping the firewall.

All the config I made is in the pictures.

smartslima
Explorer
April 24, 2025

I changed the route, here you are.

dingjerry_FTNT
Staff
April 24, 2025

Hi @smartslima,

If the VPN is up, run a sniffer packet capture to make sure that the traffic is entering the correct VPN tunnel on the local side and leaving the VPN tunnel correctly on the remote side.

If the ping is leaving the remote FGT as well, confirm whether the echo reply comes back.

If the ping is not leaving the remote FGT, please run the debug flow commands to collect some output.

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/38044/using-the-debug-flow-tool

smartslima
Explorer
April 25, 2025

Hi @dingjerry_FTNT, @funkylicious

I found the problem. Now I can ping my remote VPC from the FortiGate, but from my VPC in the local LAN, as opposed to the FortiGate, I cannot reach the other VPC. My policy is set; I have two routes, one 0.0.0.0 from the internet zone and the other is the address of my remote LAN from the VPN zone.

For phase 2 of the VPN I chose 0.0.0.0/0 for all of them.

dingjerry_FTNT
Staff
Staff
April 25, 2025

Hi @smartslima,

It's so hard to read and understand your info when there is no punctuation.

Anyway.

"I found the problem now"

What is the problem?

If you really need help, please provide the following info:

When you have the ping issue, what is the source IP? What is the destination IP? You may use those IPs in the following sniffer packet capture command.

Can you run diag sniffer capture on both FGTs?

diag sniffer packet any 'host x.x.x.x and host y.y.y.y and icmp' 4

Before running it, you need to disable ASIC offloading in the firewall policy if your FGT has an NPU.

config firewall policy
edit <id>
set auto-asic-offload disable
end

Once you are done with the sniffer packet capture, you may enable ASIC offload again.
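To make the sniffer-based troubleshooting above systematic, here is an added helper (not from any poster in this thread, and not a Fortinet tool) that parses the verbosity-4 output of `diag sniffer packet any '...' 4` from the local FortiGate and reports at which hop the ping stalls: request never arrives from the LAN, request is routed somewhere other than the tunnel (for example out the default route), request leaves the tunnel but no reply returns, or reply returns but is not forwarded back to the LAN. The sample capture, the LAN interface name `port2` and the tunnel name `to-branch` are constructed assumptions.

```python
import re

# Verbosity-4 sniffer lines look like:
# "<time> <interface> <in|out> <src> -> <dst>: icmp: echo request|reply"
SNIFFER_LINE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# Constructed sample from the LOCAL FortiGate: the LAN host 10.0.1.10 pings
# 10.0.2.10; requests enter on port2 and leave via the tunnel, nothing comes back.
# Interface name port2 and tunnel name to-branch are assumptions for this example.
SAMPLE = """\
interfaces=[any]
filters=[host 10.0.1.10 and host 10.0.2.10 and icmp]
1.102345 port2 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
1.102410 to-branch out 10.0.1.10 -> 10.0.2.10: icmp: echo request
2.102390 port2 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
2.102455 to-branch out 10.0.1.10 -> 10.0.2.10: icmp: echo request
"""


def parse_sniffer(text):
    """Return (iface, direction, kind) for every ICMP echo line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            hits.append((m["iface"], m["dir"], m["kind"]))
    return hits


def diagnose(text, lan_if, tunnel_if):
    """Work out where the ping stalls, from the local FortiGate's point of view."""
    hits = parse_sniffer(text)

    def seen(iface, direction, kind):
        return (iface, direction, kind) in hits

    if not seen(lan_if, "in", "request"):
        return "NO_REQUEST_FROM_LAN"  # wrong host, source IP, or sniffer filter
    if not seen(tunnel_if, "out", "request"):
        # Request left on another interface (e.g. the default route) or was dropped by policy
        other = sorted({i for i, d, k in hits if d == "out" and k == "request"})
        return ("REQUEST_NOT_IN_TUNNEL via " + ",".join(other)) if other else "REQUEST_DROPPED_LOCALLY"
    if not seen(tunnel_if, "in", "reply"):
        return "NO_REPLY_FROM_REMOTE"  # check remote FGT: phase 2 selectors, route back, policy, ping enabled
    if not seen(lan_if, "out", "reply"):
        return "REPLY_NOT_FORWARDED_TO_LAN"  # reply arrived but no policy/route back to the LAN
    return "ROUND_TRIP_OK"


if __name__ == "__main__":
    print(diagnose(SAMPLE, "port2", "to-branch"))  # NO_REPLY_FROM_REMOTE
```

Feed it the capture taken on the local FGT first; if it reports NO_REPLY_FROM_REMOTE, run the same capture on the remote FGT with the LAN and tunnel interfaces swapped to see whether the request arrives there at all.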