ForgetItNet
Contributor

Cannot ping "some" devices over IPsec VPN

Hi all,

Not sure if this is a FortiGate issue, but I've got a site connected to our main HQ with an IPsec VPN between the two (60E v7.0.3) and all is working fine. However, I've gone to ping some devices over there and found that I can ping some and not others. They are all on the same subnet, and if I connect onto a machine within that subnet I can ping them all, so I know that ping is enabled on the devices, and I know that the gateway is set, as they can get to the HQ side of the VPN fine.

I've run a packet capture on the devices that I can't ping, and the ping is showing as getting to the devices, but nothing returns back? There is only a single 48-port HP switch in between the devices and the router, and all devices are in the same switch, so I'm not sure why I can ping some and not the others? Is there anything anyone can think of?

Thanks

Ian

akristof
Staff

Hello,

Thank you for your question. If you have verified that on the client you are not able to reach, the ping request is arriving but no reply is generated, verify whether the device has some built-in firewall (Windows Firewall, etc.). Try disabling it and pinging again.

Adrian
ForgetItNet
Contributor

There is no firewall on the client blocking it, as I can ping those in question from a device on the same subnet and get a response, so I know the ping is getting out of the device(s).

Thanks

akristof

Hi,

In that case, if you can see that the ICMP request is leaving the tunnel and is forwarded to the destination, try enabling SNAT on the firewall policy that is allowing traffic from the tunnel to the LAN. But if the FGT is the gateway for the destination client, then it shouldn't matter whether NAT is on or off.

Adrian
sw2090
Honored Contributor

There is one difference that you must keep in mind:

If you ping from a machine within the same subnet, that is subnet-internal traffic; it will route point-to-point and will not hit the FortiGate.

If you ping via the IPsec, this is traffic from a different subnet/interface and will use the FGT as the gateway to be routed on. So the FGT needs to know a route to that subnet plus a policy that allows the traffic. I guess you have that, as you wrote that you can ping hosts in the destination network.

Probably you should check the default gateway of the hosts that you cannot ping from outside the IPsec. If they don't use the FGT as default gateway, the reply to your ping cannot reach back to you...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

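To make the reply-path argument in the post above concrete, here is a small added Python model (not code from the thread or from Fortinet) that predicts, for each remote host, whether an ICMP echo reply can get back to the sender. It assumes a constructed topology: a remote LAN 192.168.20.0/24 whose FortiGate LAN address is 192.168.20.1, an HQ host on 10.10.10.0/24 reaching that LAN over the IPsec tunnel, and the FortiGate being the only router on the remote LAN that knows the route back through the tunnel. All host names, addresses and gateway settings are constructed for the example. It goes slightly beyond the post by also modelling a ping from the FortiGate's own LAN address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Host:
    """Constructed host record: address with prefix length and configured default gateway."""
    name: str
    addr: str                # e.g. "192.168.20.10/24"
    gateway: Optional[str]   # default gateway IP, or None if none is configured

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(self.addr)


def next_hop(host: Host, dst: str) -> Optional[str]:
    """Where a host sends a packet for dst: 'on-link' if dst is inside its own subnet,
    otherwise its default gateway address, or None if it has no gateway at all."""
    if ipaddress.ip_address(dst) in host.iface.network:
        return "on-link"
    return host.gateway


def reply_returns(sender: Host, target: Host, fgt_lan_ip: str) -> bool:
    """Does an echo reply from target get back to sender?

    Assumption (constructed topology): fgt_lan_ip is the only router in target's subnet
    that has a route back through the IPsec tunnel. The request itself is taken to
    arrive at target, as a packet capture on the target in the thread showed.
    """
    hop = next_hop(target, str(sender.iface.ip))
    if hop == "on-link":
        return True              # same subnet: reply goes straight to sender, no router involved
    return hop == fgt_lan_ip     # off-subnet: reply only comes back if it is handed to the FortiGate


# Constructed sample topology (assumed values, not from the thread).
FGT_LAN_IP = "192.168.20.1"
HQ_HOST = Host("hq-pc", "10.10.10.50/24", "10.10.10.1")           # pings across the tunnel
REMOTE_PEER = Host("remote-pc", "192.168.20.20/24", FGT_LAN_IP)   # pings from inside the remote LAN
FGT_ITSELF = Host("fgt-lan", "192.168.20.1/24", None)             # ping sourced from the FGT LAN interface

REMOTE_HOSTS = [
    Host("server-ok", "192.168.20.10/24", FGT_LAN_IP),               # correct default gateway
    Host("thin-client-nogw", "192.168.20.11/24", None),              # no default gateway set
    Host("thin-client-wronggw", "192.168.20.12/24", "192.168.20.254"),  # gateway is some other router
]


def diagnose(fgt_lan_ip: str = FGT_LAN_IP) -> dict:
    """For each remote host: (reply from HQ over tunnel, reply from same subnet, reply from FGT LAN IP)."""
    return {
        h.name: (
            reply_returns(HQ_HOST, h, fgt_lan_ip),
            reply_returns(REMOTE_PEER, h, fgt_lan_ip),
            reply_returns(FGT_ITSELF, h, fgt_lan_ip),
        )
        for h in REMOTE_HOSTS
    }


if __name__ == "__main__":
    for name, (from_hq, from_lan, from_fgt) in diagnose().items():
        print(f"{name:22} HQ via tunnel: {from_hq!s:5}  same subnet: {from_lan!s:5}  FGT LAN IP: {from_fgt}")
```

The model reproduces the symptom in the thread: a host with no gateway, or with a gateway other than the FortiGate, answers pings from its own subnet but not from across the tunnel. It also shows why a ping sourced from the FortiGate's LAN address succeeds for every host regardless of their gateway setting, since that ping is on-link too, so that test alone does not confirm the return path through the tunnel.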
Timur_Mohamed

This helped me.

ForgetItNet
Contributor

I think I'll have to go to that site and do some testing from within that subnet. I'm "assuming" all the devices I can't get a ping back from do have a gateway, as they can connect to the internet along with devices on the other end of the tunnel, so in order to do that they must have the correct gateway. I've just realised, though, that it seems to be HP thin clients I can't get a reply back from, and all other kit seems OK, but I know the HP thin clients have a gateway as they are connecting fine to the servers at the other end of the IPsec VPN. I guess it's something to go on... thanks all

Debbie_FTNT

You can also try pinging from the FortiGate directly; presumably one of its interfaces would be in the same subnet, so it should in theory be able to ping all of them?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ForgetItNet
Contributor

Yes, I can ping direct from the FortiGate, and I've been onto one of the machines at the remote site and all looks OK; I can ping from there across the VPN and get a reply back. Traceroute returns OK, gateway is OK, firewall is OK.

akristof

Hi,

In that case, if this way is working, and when you try to ping the other way, from the remote client, you see the ping on the destination client but no reply is generated (in Wireshark), then I still think the best candidate is a built-in firewall blocking it.

Adrian