Umer221 (Staff)
Article Id 278507
Description

This article describes a case where a host reachable only through an IPsec tunnel cannot be pinged.

Although the tunnel is established and initial traffic flows, ICMP echo requests to the destination host receive no reply. The root cause is the Windows Firewall configuration on the target host, which drops the incoming echo requests.

Scope
FortiGate, IPsec.
Solution

Check IPsec Tunnel Status: Open the FortiGate web interface and navigate to VPN -> IPsec Tunnels. Confirm that the IPsec tunnel is up before investigating the ping failure.


Traffic Flow Check.

Go to Dashboard -> IPsec Monitor and confirm that the tunnel is passing traffic. The article below explains how to read the IPsec Monitor:

Technical Tip: IPsec VPN: Site-to-Site tunnel monitor


Activate Debugs.

To trace the ICMP traffic in real time, enable debug flow with the following commands (proto 1 is ICMP, so only ping traffic to the filtered address is shown). Turn debugging off afterwards with 'diagnose debug disable'.


diagnose debug flow filter addr <destination IP address>
diagnose debug flow filter proto 1
diagnose debug flow trace start 100
diagnose debug enable


  • Execute a ping from the first site to the destination host (destination IP address) behind the second site.
  • Review the debug output and verify that the echo requests are allowed by policy and sent into the IPsec interface toward the second site.
  • If the requests leave through the tunnel but the ping still fails, the destination host is not answering. Disable the Windows Firewall on that host as per this article: Turn Microsoft Defender Firewall on or off.
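To make the debug flow output easier to interpret, here is an added Python helper that is not part of the original article or of FortiOS: it scans saved debug flow lines and reports whether the echo requests entered the IPsec interface and whether any replies came back. The sample lines, addresses and the interface name SiteB_VPN are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample of "diagnose debug flow" output (not captured from a real device).
# It follows the usual  id=... trace_id=N func=... line=... msg="..."  layout.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.10.10.5:1->192.168.2.10:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Allowed by Policy-3:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=789 msg="enter IPSec interface-SiteB_VPN"
id=20085 trace_id=1 func=ipsec_output_finish line=622 msg="send to 203.0.113.1 via intf-port1"
id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.10.10.5:1->192.168.2.10:2048) from port2. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5973 msg="Find an existing session, id-00001234, original direction"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=789 msg="enter IPSec interface-SiteB_VPN"
"""

# ICMP packet line: capture trace id, source, destination, ingress interface and ICMP type.
PKT_RE = re.compile(r'trace_id=(\d+) .*?received a packet\(proto=1, (\S+)->(\S+)\) from (\S+)\. type=(\d+)')
# Line showing the packet was handed to an IPsec interface (hypothetical name SiteB_VPN above).
TUNNEL_RE = re.compile(r'trace_id=(\d+) .*enter IPSec interface-(\S+)"')

def summarize_icmp(debug_output: str) -> Dict[str, object]:
    """Count echo requests, requests that entered an IPsec interface, and echo replies."""
    requests, entered_tunnel, replies = 0, 0, 0
    request_traces = set()
    for line in debug_output.splitlines():
        pkt = PKT_RE.search(line)
        if pkt:
            trace, _src, _dst, _iface, icmp_type = pkt.groups()
            if icmp_type == "8":        # echo request
                requests += 1
                request_traces.add(trace)
            elif icmp_type == "0":      # echo reply
                replies += 1
            continue
        tun = TUNNEL_RE.search(line)
        if tun and tun.group(1) in request_traces:
            entered_tunnel += 1
    if replies:
        verdict = "replies seen: ICMP works end to end"
    elif requests and entered_tunnel == requests:
        verdict = "requests entered the tunnel but no replies: check the remote host's firewall"
    elif requests:
        verdict = "some requests never entered the tunnel: check FortiGate policy and routing"
    else:
        verdict = "no ICMP seen: check the debug filter and that the ping was sent"
    return {"requests": requests, "entered_tunnel": entered_tunnel,
            "replies": replies, "verdict": verdict}
```

Paste the captured debug lines into a file, read it into a string and pass it to summarize_icmp(); the constructed sample reproduces the case from this article (requests encrypted and sent, no reply from the host).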
