FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kgeorge
Staff
Article Id 351849
Description: This article describes how to troubleshoot ping communication between end machines connected through an IPSec site-to-site tunnel.
Scope FortiGate.
Solution

Topology:

Local Subnet ---> FortiGateA <--> IPSec Site-Site <--> FortiGateB ---> Remote Subnet

Observations:

  • The IPSec site-to-site tunnel is correctly configured on both FortiGate devices, with the relevant firewall policies and routes for the local and remote subnets.
  • Ping traffic between the local and remote machines is processed successfully by both FortiGates, yet the command prompt on the sending machine shows 'Request timed out'.
  • In the flow debug and sniffer outputs, the ping traffic can be seen entering and leaving both FortiGates through the corresponding firewall policies; however, no reply comes back from the end machines.

Solution:

  • Disable the Windows Firewall and, optionally, the antivirus, or follow the steps below to create a custom inbound rule in Windows Defender Firewall with Advanced Security:
  1. Log in to the Windows machine.
  2. Go to Windows Defender Firewall and select Advanced Settings.
  3. On the Windows Firewall with Advanced Security screen, select Inbound Rules and then select the New Rule link in the Actions pane.

Inbound Rules.png

  4. Select Custom, then select Next.

Custom.png

  5. Select All programs, then select Next.

All Programs.png

  6. Select ICMPv4 as the Protocol type and click the Customize button.

ICMPV4.png

  7. On the next screen, select Specific ICMP types and tick Echo Request. Select OK, then Next.

ICMP Types.png

  8. Under 'Which local IP addresses does this rule apply to?' and 'Which remote IP addresses does this rule apply to?', select either Any IP address or These IP addresses. When selecting These IP addresses, specify the IP addresses to be allowed.

Specific IPs.png

  9. Once the necessary settings are done, select Next.
  10. On the next screen, select Allow the connection, then Next.

Allow the Connections.png

  11. On the next screen, select the profiles (Domain, Private, Public) to which this rule should apply, then select Next.

Rule applies to.png

  12. On the next screen, type the name of the rule and, optionally, a description. Select Finish.

Nameofrule.png

Note:
By default, the built-in ICMPv4-In rule allows echo requests from the local subnet only, so requests arriving from the remote subnet through the tunnel are dropped. For ping traffic to work, either enable NAT on the FortiGate policy (so the request arrives with a local-subnet source address) or change the rule's scope to 'Any'.

icmp_local.png
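The wizard steps and the scope note above, as an added PowerShell example that is not part of the original article: it creates the same custom inbound ICMPv4 Echo Request rule with New-NetFirewallRule, scoped to the remote tunnel subnet instead of 'Any', and then lists the address scope of every enabled inbound rule that allows echo requests so a LocalSubnet-only scope is easy to spot. The subnet values and the display name of the built-in rule are assumptions; run it in an elevated PowerShell.

```powershell
# Added example (not from the Fortinet article). Assumed, constructed values:
# local subnet behind FortiGateA and remote subnet behind FortiGateB.
$LocalSubnet  = '192.168.10.0/24'
$RemoteSubnet = '192.168.20.0/24'
$RuleName     = 'Allow ICMPv4 Echo Request from IPsec remote subnet'

# Show the address scope of the built-in echo-request rule. The display name
# below is the usual Windows name for it (assumption); its RemoteAddress is
# normally LocalSubnet, which a remote tunnel subnet does not match.
$builtIn = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -ErrorAction SilentlyContinue
if ($builtIn) {
    $builtIn | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
}

# Create the custom rule once; re-running the script does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'ICMPv4 echo request allowed from the remote IPsec subnet' `
        -Direction Inbound `
        -Action Allow `
        -Program Any `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -LocalAddress $LocalSubnet `
        -RemoteAddress $RemoteSubnet `
        -Profile Domain,Private `
        -Enabled True | Out-Null
}

# Verify: every enabled inbound Allow rule for ICMPv4 echo requests (type 8 or
# Any), with its profile and remote scope, so a LocalSubnet-only rule stands out.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'ICMPv4' -and ($pf.IcmpType -eq '8' -or $pf.IcmpType -eq 'Any')
    } |
    ForEach-Object {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```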