FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbandha
Staff
Article Id 356630
Description: This article describes a symptom that may appear when troubleshooting device connectivity: the ping response time is seen to be around 0.1 ms.
Scope: FortiGate v6.4+.
Solution

Ping is an important tool used to troubleshoot device connectivity issues.

If a device is not responding or packets are not going to the end device, ping is used to check the connection to the device.

If the device is not responding but a ping from the FortiGate succeeds with a reply time of around 0-0.8 ms, this can be a symptom of the ping packets never reaching the actual device.

A ping response from a real end device normally takes more than 1 ms. A response time of around 0.1 ms indicates that the reply is not coming from the end device but from the FortiGate itself.

This usually happens when an IP Pool or Virtual IP is configured for that IP address with ARP reply enabled.

An example of such a ping response is shown below:

[Image 1.JPG: example ping output showing the ~0.1 ms reply time]

Another way to check this is to run the packet sniffer filtered on that IP and look at which interface the ICMP packets are seen on:

[Image 1.2.JPG: sniffer output showing the ICMP packets as 'root in' and 'root out']

If the packets show as 'root in' and 'root out', this confirms that the ping reply is coming from the FortiGate itself.

The next step is to check the IP Pool and Virtual IP/Virtual Server objects for anything matching the IP presenting the issue:

[Image 2.JPG: IP Pool and Virtual IP objects matching the affected IP]

If an object is found, disable the 'ARP Reply' setting on that object:

[Image 3.JPG: the ARP Reply setting on the object in the GUI]
Use the following CLI commands to disable 'arp-reply' on the IP Pool:

config firewall ippool
    edit "IP Pool"
        set startip 192.168.39.1
        set endip 192.168.39.255
        set arp-reply disable  <----- stops the FortiGate answering ARP for the pool addresses
    next
end

After that, the ping should reach the device. The same sniffer command can be run again to verify this.
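As an added illustration (not part of the original article and not FortiOS code), the Python below parses sniffer output of the kind shown in the screenshots and flags the two symptoms described above: echo replies seen only as 'root out', and a request-to-reply delay far below 1 ms. The sniffer lines are constructed samples, and the exact sniffer line format is an assumption.

```python
import re

# Constructed sample of "diagnose sniffer packet any 'host 192.168.39.10' 4"
# output (not a real capture): request and reply both appear only on the
# "root" pseudo-interface, the pattern the article says means the FortiGate
# answered the ping itself.
SELF_REPLY = """\
interfaces=[any]
filters=[host 192.168.39.10]
1.104532 root in 192.168.39.254 -> 192.168.39.10: icmp: echo request
1.104566 root out 192.168.39.10 -> 192.168.39.254: icmp: echo reply
"""

# Constructed healthy exchange: the request leaves on port2 and the reply
# comes back on port2, so a real host on the wire answered.
REAL_HOST = """\
interfaces=[any]
filters=[host 192.168.39.10]
2.301120 port2 out 192.168.39.254 -> 192.168.39.10: icmp: echo request
2.302950 port2 in 192.168.39.10 -> 192.168.39.254: icmp: echo reply
"""

# Assumed line layout: "<timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <kind>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)"
    r"\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

def parse_icmp(text):
    """One dict per ICMP echo line; the header and non-ICMP lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def reply_rtt_ms(text, target):
    """Milliseconds between the first echo request to target and the first
    echo reply from it, or None if either is missing."""
    rows = parse_icmp(text)
    req = next((r for r in rows if r["kind"] == "request" and r["dst"] == target), None)
    rep = next((r for r in rows if r["kind"] == "reply" and r["src"] == target), None)
    if req is None or rep is None:
        return None
    return round((float(rep["ts"]) - float(req["ts"])) * 1000, 3)

def self_reply_suspected(text, target):
    """True when every echo reply from target was seen as 'root out' and none on a
    physical port: the FortiGate generated the reply, as an IP Pool or VIP with
    arp-reply enabled causes for an address it matches."""
    replies = [r for r in parse_icmp(text) if r["kind"] == "reply" and r["src"] == target]
    return bool(replies) and all(r["iface"] == "root" and r["dir"] == "out" for r in replies)
```

Run it against a real `diagnose sniffer packet` capture saved to a file: a True result together with a sub-millisecond delay is the signature the article describes, and the object check that follows is the next step.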