Matie
New Member
August 23, 2022
Question

Why I cannot ping the internet

  • August 23, 2022
  • 2 replies
  • 7585 views

Hi,

I don't understand why I cannot ping the internet from the clients. I can ping the subinterface on port 2, 23.1.2.71. But if I try to ping 8.8.8.8 from Linux or a VPC, it is unsuccessful. I have a static route on the FortiGate, 0.0.0.0/0 to the router 23.1.2.1, which is the router IP on port gi0/0. Switch ports gi0/0 and gi0/2 are trunks, and ports gi0/1 and gi0/3 are VLAN interfaces. I can ping 8.8.8.8 from the FortiGate. Something on the FW is missing, I guess. Policies are applied, and when I ping from a client to the subinterface "To Internet", the policy is working. Please check the pictures.


 

Attachments: Policy.jpg, Ports.jpg, Topology.jpg

2 replies

aionescu
Staff
August 23, 2022

Hi @Matie,

Welcome to the community.

If I understood the topology correctly, traffic is coming in via VLAN10 and should be routed, via VLAN23, towards the ISP router.

I would start the troubleshooting by looking at the routing table and the traffic flow (while generating traffic):

get router info routing-table all

diagnose debug flow filter addr x.x.x.x   <--- where x.x.x.x is the source of the traffic
diagnose debug flow trace start 10
diagnose debug enable

Looking at the policy that should allow the traffic, we can see that, at some point, there was some traffic that matched it.
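The debug flow output that those three commands produce is a stream of `id=... trace_id=N func=... msg="..."` lines, one trace per packet, and the useful facts (ingress interface, route lookup, policy match, NAT, or the drop reason) are spread over several lines. The following is an added example, not code from the original thread or from Fortinet: it groups that output by trace_id and prints a one-line verdict per packet. The sample lines are constructed in the FortiOS debug-flow message format; the interface names (port1.10 for the VLAN 10 side, port2.23 for the VLAN 23 side), session ids and policy id are assumptions for illustration, not values from the poster's FortiGate.

```python
"""Summarise FortiOS `diagnose debug flow` output per trace_id.

Added example, not code from the original thread.  SAMPLE_DEBUG_FLOW is a
constructed capture in the FortiOS message format; interface names, session
ids and the policy id are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: trace 1 is an echo request that is routed, allowed by
# policy 1 and SNATed; trace 2 is the same packet hitting no policy.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.10.49:1->8.8.8.8:2048) from port1.10. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000001a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-23.1.2.1 via port2.23"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3270 msg="SNAT 10.10.10.49->23.1.2.71:60179"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.10.49:1->8.8.8.8:2048) from port1.10. code=8, type=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000001b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-23.1.2.1 via port2.23"
id=20085 trace_id=2 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*gw-(\S+) via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+)')
# Substrings FortiOS uses in messages that explain why a packet was discarded.
DROP_MARKERS = ('Denied', 'drop', 'check failed', 'no session matched')


def parse_debug_flow(text):
    """Return one dict per trace_id with the facts a troubleshooter needs."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # banner lines, blank lines, anything without a trace_id
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {
            'trace_id': tid, 'proto': None, 'src': None, 'dst': None,
            'in_if': None, 'gw': None, 'out_if': None, 'policy': None,
            'snat': None, 'drop': None,
        })
        if (pm := PKT_RE.search(msg)):
            t['proto'], t['src'], t['dst'], t['in_if'] = pm.groups()
        elif (rm := ROUTE_RE.search(msg)):
            t['gw'], t['out_if'] = rm.groups()
        elif (pom := POLICY_RE.search(msg)):
            t['policy'] = pom.group(1)
        elif (sm := SNAT_RE.search(msg)):
            t['snat'] = sm.group(2)          # translated source address:port
        elif any(marker in msg for marker in DROP_MARKERS):
            t['drop'] = msg                  # keep the full reason verbatim
    return list(traces.values())


def verdict(t):
    """One-line conclusion for a trace, in the order FortiOS makes the checks."""
    if t['drop']:
        return f"dropped: {t['drop']} (src {t['src']} in via {t['in_if']})"
    if not t['out_if']:
        return f"no route found for {t['dst']}: check the default route"
    if not t['policy']:
        return f"routed via {t['out_if']} but no policy matched"
    nat = f", SNAT to {t['snat']}" if t['snat'] else ", no NAT"
    return (f"forwarded: {t['src']} -> {t['dst']} in {t['in_if']}, "
            f"out {t['out_if']} via gw {t['gw']}, policy {t['policy']}{nat}")


if __name__ == '__main__':
    for trace in parse_debug_flow(SAMPLE_DEBUG_FLOW):
        print(f"trace {trace['trace_id']}: {verdict(trace)}")
```

Paste the real debug output into `SAMPLE_DEBUG_FLOW` (or read it from a file) and the first trace that reports `dropped:` tells you which stage rejected the packet; a trace that ends with `forwarded:` and an SNAT address means the FortiGate did its part, and the problem is on the return path.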

Matie (Author)
New Member
August 24, 2022

Yes, if I ping from Linux to the DG 23.1.2.71, the ping is successful and it hits the policy. However, the ping doesn't want to go further to the router 23.1.2.1 and to the internet, and I don't know why. The routing table is as in the picture. I have tried to type those commands into the CLI, but it didn't do anything. I am a beginner, so please bear with me.
Attachment: Routing table.jpg

aionescu
Staff
August 24, 2022

Hi @Matie, I see that you were given useful information so far.

Can you try to disable the ASIC offload on the policy that allows the traffic and try to run the commands again?

More info on how to do that: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-NP-offloading-in-security-policy/ta-p/194368

diagnose debug flow filter addr 10.10.10.49
diagnose debug flow trace start 10
diagnose debug enable

Also, while generating the traffic, you could loosen the filters on the sniffer and use:

diagnose sniffer packet any "host 10.10.10.49" 4

 

Contributor
August 24, 2022

Hi @Matie

Do you mind putting the IP addresses on the diagram too, so I can understand your deployment better? Is the gateway on the switch or on the Fortinet?

Based on this information, I can assist further with the issue.

Matie (Author)
New Member
August 24, 2022

The gateways are on the FortiGate. Here is the topology picture.
Attachments: Topology.jpg, Routing.jpg

Debbie_FTNT
Staff & Editor
August 24, 2022

Dear Matie,

Your setup looks OK as far as I can see: you have a policy in place from private to internet with the appropriate interfaces, and you have routing in place. The policy also applies NAT, so this is not a case of private IPs going out and getting dropped.

Can you run a traceroute command from the host in question to 8.8.8.8 to verify at which point the traffic is failing?

This could be a case of the ping going through the FortiGate, but the reply not making it back for whatever reason.

I would assume that to be unlikely, given that pinging from the FortiGate itself works, but it wouldn't hurt to double-check that the ping reaches the FortiGate and then gets lost.

Other than that, you will need to dig into troubleshooting traffic on the FortiGate itself. We have a number of good KBs for this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

https://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/54688/debugging-the-packet-flow

Let us know if this helps :)
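The sniffer command suggested earlier in the thread and the "reply not making it back" hypothesis above fit together: `diagnose sniffer packet any "<filter>" 4` shows every leg of the ping on every interface, so the first leg that is missing tells you where the loss is. The following is an added example, not code from the thread or from Fortinet, that reads verbosity-4 sniffer lines (`<time> <iface> <in|out> <src> -> <dst>: icmp: echo request`) and reports the first missing leg. One caveat a practitioner will hit: once the policy applies SNAT, the packet leaving towards the router carries the source 23.1.2.71, so a filter of `host 10.10.10.49` only shows the inside leg; the constructed captures below assume a filter on the destination (`host 8.8.8.8`), which matches both legs in both directions. The interface names port1.10 (client side) and port2.23 (router side) are assumptions.

```python
"""Locate where a ping is lost from FortiOS `diagnose sniffer packet any ... 4`
output.  Added example, not code from the original thread.  The captures are
constructed in the verbosity-4 line format; interface names are assumptions.
"""
import re

SNIFFER_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+icmp:\s+echo\s+(?P<kind>request|reply)'
)

# Constructed capture: requests go out (SNATed to 23.1.2.71), nothing returns.
CAPTURE_NO_REPLY = """\
interfaces=[any]
filters=[host 8.8.8.8]
0.648912 port1.10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
0.648950 port2.23 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
1.652101 port1.10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
1.652140 port2.23 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
"""

# Constructed capture: the request arrives but the FortiGate never forwards it.
CAPTURE_NOT_FORWARDED = """\
interfaces=[any]
filters=[host 8.8.8.8]
0.648912 port1.10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
1.652101 port1.10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
"""

# Constructed capture: the working case, all four legs present.
CAPTURE_OK = """\
interfaces=[any]
filters=[host 8.8.8.8]
0.648912 port1.10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
0.648950 port2.23 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
0.672318 port2.23 in 8.8.8.8 -> 23.1.2.71: icmp: echo reply
0.672340 port1.10 out 8.8.8.8 -> 10.10.10.49: icmp: echo reply
"""


def parse_sniffer(text):
    """Return the ICMP echo packets as dicts; header and non-ICMP lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p['ts'] = float(p['ts'])
            pkts.append(p)
    return pkts


def locate_loss(pkts, lan_if, wan_if):
    """Return (stage, explanation) for the first leg of the ping that is missing.

    The legs are checked in the order a packet traverses the firewall, so the
    first absent one is where to look next.
    """
    seen = {(p['iface'], p['dir'], p['kind']) for p in pkts}
    legs = [
        ('lan_in', (lan_if, 'in', 'request'),
         'echo request never arrived on the client-side interface: '
         'check the client gateway, VLAN tagging and the switch trunk'),
        ('wan_out', (wan_if, 'out', 'request'),
         'echo request arrived but was not sent towards the router: '
         'policy, route or NAT on the FortiGate (run debug flow)'),
        ('wan_in', (wan_if, 'in', 'reply'),
         'echo request went to the router but no reply came back: '
         'upstream router/ISP, or nothing routes the NAT address back'),
        ('lan_out', (lan_if, 'out', 'reply'),
         'reply reached the router-side interface but was not delivered to the client'),
    ]
    for stage, key, explanation in legs:
        if key not in seen:
            return stage, explanation
    return 'ok', 'echo request and reply crossed the FortiGate in both directions'


def snat_address(pkts, lan_if, wan_if):
    """Source seen on the router-side leg when it differs from the client's:
    evidence that the policy's NAT was applied.  None if no translation is visible."""
    inside = {p['src'] for p in pkts
              if (p['iface'], p['dir'], p['kind']) == (lan_if, 'in', 'request')}
    outside = {p['src'] for p in pkts
               if (p['iface'], p['dir'], p['kind']) == (wan_if, 'out', 'request')}
    return next(iter(outside - inside), None)


if __name__ == '__main__':
    for name, cap in (('no reply', CAPTURE_NO_REPLY),
                      ('not forwarded', CAPTURE_NOT_FORWARDED),
                      ('ok', CAPTURE_OK)):
        pkts = parse_sniffer(cap)
        stage, why = locate_loss(pkts, 'port1.10', 'port2.23')
        print(f"{name}: stage={stage} snat={snat_address(pkts, 'port1.10', 'port2.23')}: {why}")
```

A `wan_in` result with a visible SNAT address is the case Debbie describes: the FortiGate forwarded the ping, and the fault is upstream or on the path back to the NAT address, which is something the FortiGate's own ping (sourced from its interface and not subject to that policy) would not reveal.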