AnthonyH (Staff)
Article Id 408136
Description This article describes how to resolve a one-way IPv6 traffic issue in which traffic originating outside the FortiGate's connected subnets is dropped because a firewall policy is missing.
Scope FortiGate.
Solution

In this scenario, the setup is as follows:

Client (2001:db8:beef:cafe::/64) == Internet == (Port1: 2001:db8:dc1:abcd::1/64) FortiGate (Port3: 2001:db8:dc1:da01::1/64).

  • Port1 is the outside interface.
  • Port3 is the inside interface.

On the FortiGate, the routing table shows the route used to reach the 2001:db8:beef:cafe::/64 network: the default route via port1.

get router info6 routing-table

IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, B - BGP
       * - candidate default

Timers: Uptime

Routing table for VRF=0
S*      ::/0 [10/0] via 2001:db8:dc1:abcd::1, port1, 01:41:15, [1024/0]
C       ::1/128 via ::, root, 02:11:36
C       2001:db8:dc1:abcd::/64 via ::, port1, 01:10:48
C       2001:db8:dc1:da01::/64 via ::, port3, 00:41:43
C       fe80::/64 via ::, port3, 01:21:34

Additionally, the inside interface, port3, has been configured to accept PING traffic:

config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
        config ipv6
            set ip6-address 2001:db8:dc1:da01::1/64
            set ip6-allowaccess ping https
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:db8:dc1:da01::/64
                next
            end
        end
    next
end

However, while troubleshooting, the sniffer shows that the FortiGate is not responding to the ICMPv6 echo requests:

diagnose sniffer packet any 'net 2001:db8:beef:cafe::/64' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[net 2001:db8:beef:cafe::/64]
2025-08-25 07:05:06.054144 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 34
2025-08-25 07:05:10.917317 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 35
2025-08-25 07:05:15.917981 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 36
2025-08-25 07:05:20.916452 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 37

 

Furthermore, the debug flow shows that the packet was received, but no response was sent back.

Filter on the FortiGate address under test (ICMPv6 is IP protocol 58, so a filter on proto 1, which is ICMP, would not match it), then start the trace:

diagnose debug flow filter6 clear
diagnose debug flow filter6 addr 2001:db8:dc1:da01::1
diagnose debug flow trace start6 100
diagnose debug enable

id=20085 trace_id=6 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:beef:cafe:b478:4008:be22:8301:1->2001:db8:dc1:da01::1:128) from port1."
id=20085 trace_id=6 func=resolve_ip6_tuple line=4926 msg="allocate a new session-00000088"
id=20085 trace_id=6 func=vf_ip6_route_input line=1201 msg="find a route: gw-:: via root err 0 flags 80200001"
id=20085 trace_id=7 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:beef:cafe:b478:4008:be22:8301:1->2001:db8:dc1:da01::1:128) from port1."
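The sniffer capture above shows echo requests with no echo reply, and the debug flow shows a session allocated but never seen in the reply direction. The following Python is an added example, not part of the article or of any Fortinet tool: it parses both kinds of output and reports the asymmetry automatically. The SNIFFER_* and FLOW_* strings are constructed test data modelled on the article's output (same addresses and session ids); the line formats they assume are the ones printed on this page.

```python
import re
from collections import OrderedDict

# Constructed sample captures modelled on the article's sniffer and debug-flow
# output (typed here as test data, not taken from a live FortiGate).
SNIFFER_BEFORE_FIX = """\
2025-08-25 07:05:06.054144 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 34
2025-08-25 07:05:10.917317 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 35
"""
SNIFFER_AFTER_FIX = """\
2025-08-25 07:22:22.788151 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 38
2025-08-25 07:22:22.788766 port1 out 2001:db8:dc1:da01::1 -> 2001:db8:beef:cafe:b478:4008:be22:8301: icmp6: echo reply seq 38
"""
FLOW_BEFORE_FIX = """\
id=20085 trace_id=6 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:beef:cafe:b478:4008:be22:8301:1->2001:db8:dc1:da01::1:128) from port1."
id=20085 trace_id=6 func=resolve_ip6_tuple line=4926 msg="allocate a new session-00000088"
id=20085 trace_id=6 func=vf_ip6_route_input line=1201 msg="find a route: gw-:: via root err 0 flags 80200001"
"""
FLOW_AFTER_FIX = """\
id=20085 trace_id=18 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:beef:cafe:b478:4008:be22:8301:1->2001:db8:dc1:da01::1:128) from port1."
id=20085 trace_id=18 func=resolve_ip6_tuple line=4926 msg="allocate a new session-0000008d"
id=20085 trace_id=19 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:dc1:da01::1:1->2001:db8:beef:cafe:b478:4008:be22:8301:129) from local."
id=20085 trace_id=19 func=resolve_ip6_tuple_fast line=4827 msg="Find an existing session, id-0000008d, reply direction"
"""

# One sniffer line: "<date> <time> <dev> <in|out> <src> -> <dst>: icmp6: echo <request|reply> seq <n>"
SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<dev>\S+) (?P<dir>in|out) (?P<src>[0-9a-f:]+) -> (?P<dst>[0-9a-f:]+): "
    r"icmp6: echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)
# Debug-flow messages that mark session creation and the first reply-direction packet.
NEW_SESSION_RE = re.compile(r'msg="allocate a new session-(?P<sid>[0-9a-f]+)"')
REPLY_RE = re.compile(r'msg="Find an existing session, id-(?P<sid>[0-9a-f]+), reply direction"')


def unanswered_echo_requests(capture):
    """Return (src, dst, seq) for every echo request that has no matching echo reply."""
    pending = OrderedDict()
    for line in capture.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m:
            continue
        seq = int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], seq)] = True
        else:
            # A reply carries the request's addresses swapped, so look it up that way.
            pending.pop((m["dst"], m["src"], seq), None)
    return list(pending)


def sessions_without_reply(flow):
    """Return ids of sessions the flow trace allocated but never matched in the reply direction."""
    allocated = []
    replied = set()
    for line in flow.splitlines():
        m = NEW_SESSION_RE.search(line)
        if m:
            allocated.append(m["sid"])
        m = REPLY_RE.search(line)
        if m:
            replied.add(m["sid"])
    return [sid for sid in allocated if sid not in replied]


if __name__ == "__main__":
    print("unanswered before fix:", unanswered_echo_requests(SNIFFER_BEFORE_FIX))
    print("unanswered after fix: ", unanswered_echo_requests(SNIFFER_AFTER_FIX))
    print("no-reply sessions before fix:", sessions_without_reply(FLOW_BEFORE_FIX))
    print("no-reply sessions after fix: ", sessions_without_reply(FLOW_AFTER_FIX))
```

Requests are keyed by (source, destination, sequence number) so that a reply is only credited to the request it actually answers; a capture in which every key is still pending is the one-way pattern this article describes, and a session id that is allocated but never seen with "reply direction" is the same symptom viewed from the debug flow.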

 

Solution:

The echo request arrives on port1 and is addressed to port3, so the FortiGate treats it as traffic passing from port1 to port3; ensure there is a firewall policy that allows it, for example:

config firewall policy
    edit 1
        set srcintf "port1" <----- Outside interface.
        set dstintf "port3" <----- Inside interface.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
end
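The policy above is directional: it permits port1 to port3 and carries IPv6 address objects, and a policy missing either property would leave the ping unanswered. As an added example (not part of the article and not a Fortinet tool), the following Python parses a config firewall policy stanza and checks whether any accept policy covers a given ingress-to-egress interface pair with IPv6 addresses. POLICY_CONFIG is constructed from the policy shown above and POLICY_V4_ONLY is a constructed counter-example; treating a policy with no set action line as deny is an assumption made here.

```python
import re

# Constructed from the article's policy; typed here as test data.
POLICY_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Constructed counter-example: right interfaces, but IPv4 address objects only.
POLICY_V4_ONLY = """\
config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Values on a "set" line are either "quoted" or bare tokens, possibly several.
VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_policies(text):
    """Parse one config firewall policy stanza into {policy_id: {key: [values]}}."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = [q or bare for q, bare in VALUE_RE.findall(rest)]
        elif line == "next":
            current = None
    return policies


def permitting_policies(policies, srcintf, dstintf):
    """Ids of accept policies whose interfaces cover srcintf -> dstintf and that have IPv6 address objects."""
    hits = []
    for pid, p in policies.items():
        # Assumption: a policy with no "set action" is treated as deny.
        if p.get("action", ["deny"])[0] != "accept":
            continue
        src_ok = srcintf in p.get("srcintf", []) or "any" in p.get("srcintf", [])
        dst_ok = dstintf in p.get("dstintf", []) or "any" in p.get("dstintf", [])
        if not (src_ok and dst_ok):
            continue
        # Without srcaddr6/dstaddr6 the policy cannot match IPv6 traffic at all.
        if not p.get("srcaddr6") or not p.get("dstaddr6"):
            continue
        hits.append(pid)
    return hits


if __name__ == "__main__":
    for name, cfg in (("article policy", POLICY_CONFIG), ("v4-only policy", POLICY_V4_ONLY)):
        pols = parse_policies(cfg)
        print(name, "port1->port3:", permitting_policies(pols, "port1", "port3"),
              "port3->port1:", permitting_policies(pols, "port3", "port1"))
```

Running the check in both directions is the point: the same policy that explains the fix here returns nothing for port3 to port1, which is why a reply-only or reversed policy does not resolve this symptom.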

 

Results:

id=20085 trace_id=18 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:beef:cafe:b478:4008:be22:8301:1->2001:db8:dc1:da01::1:128) from port1."
id=20085 trace_id=18 func=resolve_ip6_tuple line=4926 msg="allocate a new session-0000008d"
id=20085 trace_id=18 func=vf_ip6_route_input line=1201 msg="find a route: gw-:: via root err 0 flags 80200001"
id=20085 trace_id=19 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=58, 2001:db8:dc1:da01::1:1->2001:db8:beef:cafe:b478:4008:be22:8301:129) from local."
id=20085 trace_id=19 func=resolve_ip6_tuple_fast line=4827 msg="Find an existing session, id-0000008d, reply direction"

 

diagnose sniffer packet any 'net 2001:db8:beef:cafe::/64' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[net 2001:db8:beef:cafe::/64]
2025-08-25 07:22:22.788151 port1 in 2001:db8:beef:cafe:b478:4008:be22:8301 -> 2001:db8:dc1:da01::1: icmp6: echo request seq 38
2025-08-25 07:22:22.788766 port1 out 2001:db8:dc1:da01::1 -> 2001:db8:beef:cafe:b478:4008:be22:8301: icmp6: echo reply seq 38

Session6 table:

diagnose sys session6 list
session6 info: proto=58 proto_state=00 duration=12 expire=18 timeout=30 flags=00000000 sockport=0 sockflag=0 use=1
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0
policy_dir=0 tunnel=/
state=clean npu
statistic(bytes/packets/allow_err): org=128/1/0 reply=128/1/0 tuples=1
speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13
hook=pre dir=org act=noop 2001:db8:beef:cafe:b478:4008:be22:8301:1 -> 2001:db8:dc1:da01::1:128(:::0)
hook=post dir=reply act=noop 2001:db8:dc1:da01::1:128 -> 2001:db8:beef:cafe:b478:4008:be22:8301:1(:::0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00000abc
npu_state=0x000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0