Windows PCs not ping the default gateway

Forum|Forum|10 years ago
October 17, 2015
2 replies
13082 views

I have a client with a a fortigate 70d, everything has been running fine since few months but now suddenly some windows machines are just not pinging the fortigate 70d lan interface IP. Ping is enabled on the fgt lan port as well.

Also user identity policies using ldap server are in place here and users can only get on to the internet through that. The machines which are facing the problems simply dont even ask for user auth in the browser as they cant get to the FGT in the first place. These machines which cant ping the gatewat fgt are able to ping the ldap server and other PCs on the network.

I also enabled debugging on the FGT to check for incoming packets and none show up.

FGT# diag debug enable FGT# diag debug flow filter add <PC1> FGT# diag debug flow show console enable FGT# diag debug flow trace start 100 FGT# diag debug enable Simple nothing shows up. This same office has other PCs which are using the internet fine as per the user id policies and also ping the fgt. My next course of action is to try wireshark to see what's wrong. Has anyone faced something like before? Any ideas also really appreciated. Thanks.

FortiGate

ede_pfau

SuperUser

Use the built-in sniffer on the FGT to look into the traffic on your LAN side:

diag sniffer packet lan 'icmp and host 192.168.333.444' 4

This will show all pings on the LAN side involving host 192.168.333.444 (yes, these values are placeholders...).

If you don't even see these pings then your PCs have a real problem. Check the software firewall (Windows, AV suite) first.

You can also sniff for protocol 'arp' for ARP requests. Start with pinging the FGT's LAN interface (to exclude routing issues).

Are you, by any chance, using VLANs?

Allwyn_MascarenhasAuthor

New Member

HI thanks for the response.

From the wireshark capture i can see some STP packets related to the fortinet's lan interface. I dont have any idea on reading that data or using wireshark yet, but it clearly showed no icmp packets at all on the PCs with the issue and then i started connecting the PCs straight to fgt's internal port as the device is in switch mode and then used another small switch for some more problem PCs and things started working for now.

I have opened tickets with both fortinet and HP for the issue and handed the WS capture to fortinet, (the geniuses at hp dont even let you attach WS packet capture file).

But still some random PC somewhere would stop pinging the others or would stop pinging the gateway or drop its dhcp leased out ip, from the client's complaints.

For now i am down to figuring out if stp is acting weird here.

Not using VLANs at all. Also could you explain how does that place holder thing work? Never seen that IP before and googling it brought me back to this post itself.

ps: the forum's image and file uploading is not working correctly here

ede_pfau

SuperUser

If you think of an STP issue you could take the FGT's interfaces out of STP. System > Interfaces, disable 'Use STP'. This option is enabled per default in v5.2.

rosario_thobias

New Member

Hi, The Windows PC in question; is it connected directly to the firewall ? Are all interfaces pingable right from PC ethernet port to firewall lan port? What is the tracert output to lan interface of firewall from the the ip that's not working? What gateway ip does ipconfig output show on pc working vs not working and what is the Lan int ip of the firewall ? Try setting static ip on PC that's not working, maybe you could use the ip of PC that is working. Then see if ping works. If it works, then we know it is a routing problem or at least we know something is excluding this ip. If it doesn't, is physical layer ok? Do both PC's belong to same vlan(if applicable)? Objects ->addresses (if applicable) ? I have few other ideas, but let me know how it goes :)...

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded