Description
Ping and tracert/traceroute are often used to monitor network connectivity.
Tracert/traceroute is a simple tool to show the pathway to a remote server.
However, timeouts may sometimes be seen intermittently when performing tracert/traceroute through a FortiGate.
Solution
This behavior is expected, as the FortiGate will only respond with one "TTL expired" packet per source per second.
Starting from the FortiOS 6.2.8/6.4.5/7.0.0 releases, the ICMP rate-limit interval has changed from 1 second to 10 milliseconds.
Example
When source A sends an ECHO request with TTL=1 and it reaches the FortiGate unit, the TTL is decremented to 0, so the FortiGate sends a "TTL expired" packet back to source A. Source A then records the FortiGate IP address and marks it as the first hop in the tracert/traceroute output. Source A then sends an ECHO request with TTL=2, and so on.
The issue arises when source A sends multiple ECHO requests with TTL=1 within a second. In releases prior to 6.2.8/6.4.5/7.0.0, the FortiGate will only respond with one "TTL expired" packet per source IP per second, so the result may appear to be packet loss or a timeout because no "TTL expired" is sent by the FortiGate and received by source A. This is by design, to protect the FortiGate from suspected DoS/reconnaissance attacks.
Therefore, this behavior can be observed when network monitoring tools such as MTR are used and multiple instances are running at the same time. It is advisable to run the monitoring instances from multiple source IPs to avoid this issue.
In newer releases this limitation was relaxed, and the firewall is able to respond with at most 100 "ICMP TTL expired" errors per second.
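The following Python model is an added illustration of the rate limit described above; it is not Fortinet code and does not send any packets. It assumes a simplified timing model (MTR's default 1-second probe interval, concurrent instances starting 20 ms apart) and uses constructed source addresses, and it shows why several instances from one source IP see timeouts on the older firmware while separate source IPs or the newer 10 ms interval do not.

```python
"""Model of the per-source rate limit a FortiGate applies to ICMP 'TTL expired'."""


class TtlExpiredLimiter:
    """Sends at most one 'TTL expired' per source IP per min_interval seconds.
    Simplified model of the firewall behaviour described in the article."""

    def __init__(self, min_interval):
        self.min_interval = min_interval
        self.last_reply = {}  # source IP -> time of the last 'TTL expired' sent

    def handle_probe(self, src_ip, ttl, now):
        """Return True if a 'TTL expired' is sent back to src_ip for this probe."""
        if ttl > 1:           # TTL not exhausted at this hop: packet is forwarded
            return False
        last = self.last_reply.get(src_ip)
        if last is not None and now - last < self.min_interval:
            return False      # suppressed: the prober records a timeout ('*')
        self.last_reply[src_ip] = now
        return True


def simulate(min_interval, instance_sources, probes=3, interval=1.0, skew=0.02):
    """Run len(instance_sources) MTR-like probers concurrently. Instance k uses
    source IP instance_sources[k], starts k*skew seconds late and sends `probes`
    TTL=1 probes `interval` seconds apart. Returns the number of timeouts seen."""
    events = sorted((j * interval + k * skew, src)
                    for k, src in enumerate(instance_sources)
                    for j in range(probes))
    fw = TtlExpiredLimiter(min_interval)
    return sum(1 for t, src in events if not fw.handle_probe(src, 1, t))


OLD_LIMIT, NEW_LIMIT = 1.0, 0.01    # pre-6.2.8/6.4.5/7.0.0 vs. newer releases
SAME_IP = ["10.0.0.5"] * 3           # three MTR instances, one constructed source IP
DISTINCT_IPS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]  # constructed sample addresses

if __name__ == "__main__":
    print("old firmware, 1 instance:     ", simulate(OLD_LIMIT, SAME_IP[:1]))  # 0
    print("old firmware, 3 x same IP:    ", simulate(OLD_LIMIT, SAME_IP))      # 6
    print("old firmware, 3 x distinct IP:", simulate(OLD_LIMIT, DISTINCT_IPS)) # 0
    print("new firmware, 3 x same IP:    ", simulate(NEW_LIMIT, SAME_IP))      # 0
```

With the old 1-second limit, only the first of the three overlapping probes from the same address gets a reply each second, so two of every three probes show as timeouts; spreading the instances over distinct source IPs, or the newer 10 ms interval, clears them.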