FortiGate
adimailig
Staff
Article Id 299385
Description This article describes how the priority of static routes (or SD-WAN members) affects ping operations from the FortiGate CLI when the ping is sourced from the address of a specific WAN interface.
Scope FortiGate.
Solution

Network:
The FortiGate has two WAN interfaces, Port1 and Port2 (output of diagnose ip address list):

 

IP=10.47.1.80->10.47.1.80/255.255.240.0 index=3 devname=port1
IP=10.47.17.80->10.47.17.80/255.255.240.0 index=4 devname=port2

 

1. Static routes or SD-WAN members have the same priority.

In this example, both default routes have distance 1 and priority 1. In the output of get router info routing-table all, the first bracket is [distance/metric] and the second is [priority/weight].

 

S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                     [1/0] via 10.47.31.254, port2, [1/0]

 

Behavior:

Both next hops are active (ECMP), so a ping from the FortiGate CLI sourced from the address of either Port1 or Port2 works.

 

execute ping-options source 10.47.1.80
execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=4.0 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=3.7 ms

 

execute ping-options source 10.47.17.80

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=3.8 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=5.0 ms

 

2. Static routes or SD-WAN members have different priorities.

In this example, Port1 has a lower priority value (1) than Port2 (10). A lower priority value means the route is preferred, so only the route via Port1 is installed for forwarding.
See Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas....

 

S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                    [1/0] via 10.47.31.254, port2, [10/0]

 

Behavior:
Ping with the source IP of Port1 works.


execute ping-options source 10.47.1.80

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=6.3 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=3.7 ms

 

Ping with the source IP of Port2 fails: the echo requests egress on Port1 (the preferred route) carrying Port2's address as source, and no reply is received.


execute ping-options source 10.47.17.80

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C

--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

A packet capture (diagnose sniffer packet) confirms that the echo requests leave port1 with the Port2 source address:

2024-02-14 23:09:39.835953 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request
2024-02-14 23:09:40.836107 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request


It is necessary to also specify the outgoing interface in ping-options so that the ICMP traffic egresses on Port2:

 

execute ping-options source 10.47.17.80

execute ping-options interface port2

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=5.6 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=2.3 ms

The ping-options settings persist for the rest of the CLI session. Use execute ping-options view-settings to review them and execute ping-options reset to return to the defaults before running other tests.
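The following is an added example, not Fortinet code or part of the original article. It parses the two outputs shown above (diagnose ip address list and get router info routing-table all), applies the selection order the article describes (longest prefix, then lowest distance, then lowest priority, with ties forming ECMP members) and predicts whether a ping sourced from a given interface address will actually leave that interface, or whether ping-options interface is needed. The sample output strings are constructed from the article's values; the regular expressions assume the line layouts shown on this page and would need adjusting for other route types.

```python
"""Predict the egress interface of a source-pinned 'execute ping' on a FortiGate.

Added example (not Fortinet code). It mirrors the article's rule: routes are
chosen by longest prefix, then lowest distance, then lowest priority; equal
(distance, priority) routes are ECMP members. Sample text is constructed from
the article's values.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network

# Constructed sample output, in the shape of 'diagnose ip address list'.
IFACE_LIST = """\
IP=10.47.1.80->10.47.1.80/255.255.240.0 index=3 devname=port1
IP=10.47.17.80->10.47.17.80/255.255.240.0 index=4 devname=port2
"""

# Constructed samples in the shape of 'get router info routing-table all'.
ROUTES_SAME_PRIORITY = """\
S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                     [1/0] via 10.47.31.254, port2, [1/0]
"""
ROUTES_DIFFERENT_PRIORITY = """\
S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                    [1/0] via 10.47.31.254, port2, [10/0]
"""

IFACE_RE = re.compile(r"IP=(?P<ip>[\d.]+)->[\d.]+/(?P<mask>[\d.]+) .*?devname=(?P<dev>\S+)")
# First bracket is [distance/metric], second is [priority/weight].
ROUTE_RE = re.compile(
    r"\[(?P<dist>\d+)/(?P<metric>\d+)\] via (?P<gw>[\d.]+), (?P<dev>\S+), "
    r"\[(?P<prio>\d+)/(?P<weight>\d+)\]")
# A line that starts with a route code (S*, S, C, ...) carries the prefix;
# indented continuation lines are extra ECMP next hops for the same prefix.
PREFIX_RE = re.compile(r"^\S+\s+(?P<prefix>[\d.]+/\d+)")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    distance: int
    priority: int
    gateway: str
    device: str


def parse_interfaces(text):
    """Map devname -> IPv4Interface from 'diagnose ip address list' output."""
    ifaces = {}
    for m in IFACE_RE.finditer(text):
        prefixlen = bin(int(ip_address(m["mask"]))).count("1")
        ifaces[m["dev"]] = ip_interface(f"{m['ip']}/{prefixlen}")
    return ifaces


def parse_routes(text):
    """Parse routes; continuation lines inherit the prefix of the line above."""
    routes, prefix = [], None
    for line in text.splitlines():
        pm = PREFIX_RE.match(line)
        if pm:
            prefix = ip_network(pm["prefix"])
        rm = ROUTE_RE.search(line)
        if rm and prefix is not None:
            routes.append(Route(prefix, int(rm["dist"]), int(rm["prio"]), rm["gw"], rm["dev"]))
    return routes


def egress_candidates(routes, dest):
    """Interfaces a packet to dest may leave on after the article's selection order."""
    dest = ip_address(dest)
    matching = [r for r in routes if dest in r.prefix]
    if not matching:
        return []
    best_len = max(r.prefix.prefixlen for r in matching)
    matching = [r for r in matching if r.prefix.prefixlen == best_len]
    best = min((r.distance, r.priority) for r in matching)
    return [r.device for r in matching if (r.distance, r.priority) == best]


@dataclass(frozen=True)
class PingCheck:
    source_iface: str
    egress: tuple
    ok: bool
    advice: str


def check_source_ping(routes, ifaces, source, dest, out_iface=None):
    """Model 'execute ping-options source <ip>' with an optional 'interface <dev>'."""
    src = ip_address(source)
    owner = next((d for d, i in ifaces.items() if i.ip == src), None)
    if owner is None:
        raise ValueError(f"{source} is not configured on any interface")
    egress = (out_iface,) if out_iface else tuple(egress_candidates(routes, dest))
    ok = owner in egress
    advice = "" if ok else (
        f"echo requests from {source} would leave {egress[0] if egress else 'nowhere (no route)'}; "
        f"run 'execute ping-options interface {owner}' to pin them to {owner}")
    return PingCheck(owner, egress, ok, advice)


if __name__ == "__main__":
    ifaces = parse_interfaces(IFACE_LIST)
    for label, table in (("same priority", ROUTES_SAME_PRIORITY),
                         ("different priority", ROUTES_DIFFERENT_PRIORITY)):
        routes = parse_routes(table)
        for src in ("10.47.1.80", "10.47.17.80"):
            print(label, src, check_source_ping(routes, ifaces, src, "1.1.1.1"))
```

Running the script reproduces the article: with equal priorities both sources pass, with priority 10 on port2 the ping sourced from 10.47.17.80 is flagged with the advice to add ping-options interface port2. The same parsing is reusable for bulk checks against routing tables collected over SSH.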