Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RolandBaumgaertner72
New Contributor

Can't ping my PC directly behind the FG30E

Hello,

I really don't get it. I wanted to try a FG30E in my office (before I had a FG60F and everything worked fine) with OS 6.0.15. Before that I did a factory reset to start from scratch.

After the configuration in my office I had internet access and everything from the 192.168.25.145.

LAN is 192.168.25.0/24 and my PC has the 192.168.25.145 (just as with the FG60F). I configured the SSL VPN to have access from outside to the 192.168.25.145 when I realized that I can establish the SSL VPN but I cannot connect via RDP. I can't PING the 145.

Then I tried to ping from the FG and nothing:

FGT30E3U17022826 # exec ping 192.168.25.145
PING 192.168.25.145 (192.168.25.145): 56 data bytes
--- 192.168.25.145 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT30E3U17022826 #

Also I tried directly with a VIP to get RDP access for emergencies to connect to this PC and of course it doesn't work. I double checked interface and IP config of the PC, policy, restarted, etc. On Device Inventory I can see the IP and the MAC.

So weird, I really don't know what else to check. Maybe a hardware problem?

Thanks for your ideas!

8 REPLIES
gfleming
Staff

Sounds like you can ping *from* the device with 192.168.25.145? If so I would look at the device's firewall settings. Is it allowing ping and other protocols?

Also I assume you have verified your policies allow from SSL interface to LAN interface for that specific traffic flow?

Can you try a debug flow?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238

Cheers,
Graham
RolandBaumgaertner72

Hi,

thanks for your info.

For me the issue is that I can't ping from the CLI of the FG30E to the 192.168.25.145 host. From the host, yes, I can ping to the FW.

Also since I know that with my other FG I could ping and I did have ping and access via SSL VPN, it can't be an issue of the host (I didn't change anything).

I double checked policies and everything, everything was set on ALL.

Could it be a hardware issue? Later I will check again in the office, e.g. change the interface or put a switch between the FW and the host.

Thanks

sagha

Hi RolandBaumgaertner72,

Did you check if Windows Firewall is enabled? Try disabling that on Windows.

In addition to this, you can open two PuTTY sessions and run the following:

PuTTY session # 1: Enable sniffer

diag sniff packet any 'host 192.168.25.145 and icmp' 4 0 a

PuTTY session # 2: Ping the host

exec ping 192.168.25.145

Thank you.

Shahan Agha

sw2090
Honored Contributor

Could also be some routing issue. If there is no NAT enabled on the policy to the 192.168.25.xxx subnet, the PC will receive your ping with the original source IP and it then will need to have a route back to there (or the default GW must be your FGT).

You could do some flow debug on your FortiGates to check that.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

RolandBaumgaertner72
New Contributor

Hi,

still nothing, I am now in the office and I would like to try also with another host. Can't be the Windows Firewall: first, it is disabled and second, it worked yesterday with the other FG.

This is what I get from the sniffer... what is eth0? Reminds me of old Juniper times ;)

FGT30E3U17022826 # diag sniff packet any "host 192.168.25.145 and icmp" 4 0 a
interfaces=[any]
filters=[host 192.168.25.145 and icmp]
2022-09-13 11:30:46.755253 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:46.755263 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770778 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770784 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo r

On the policies NAT is enabled.

So crazy... I hope this is not a hardware issue.

Thanks!

sagha
Staff

Hi RolandBaumgaertner72

The traffic seems to be leaving the FGT interface with ping echo requests and not getting ping echo replies.

Try connecting one of the hosts directly to the FGT on one of its interfaces. This cannot be a FGT issue as the traffic seems to be sent out and not received back.

Thank you.

Shahan Agha
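The reading above (echo requests go out on the LAN interface, no echo reply ever comes back in) is the kind of check that is easy to get wrong by eye on a long trace. The script below is an added example, not code from the thread or from Fortinet: it parses the text output of `diag sniffer packet ... 4 0 a` (verbosity 4 with absolute timestamps, the format shown in the post above), counts ICMP echo requests and replies per interface and direction, and returns one of three verdicts for the pinged host. The thread's own four sniffer lines are embedded as the first sample (the last, truncated line is skipped by the parser, as it would be on the real box); the second, "healthy" trace is constructed for contrast and is not from the thread. The interface name `lan` and the decision that `eth0` lines are not counted toward the verdict are assumptions made here for the example.

```python
import re
from collections import Counter

# One ICMP echo line of `diag sniffer packet <iface> '<filter>' 4 0 a`:
#   <date> <time> <iface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
# Banner lines (interfaces=[...], filters=[...]), the CLI prompt and truncated
# lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

# Sample 1: the four lines posted in the thread (cleaned of line-wrap spaces).
THREAD_TRACE = """\
FGT30E3U17022826 # diag sniff packet any "host 192.168.25.145 and icmp" 4 0 a
interfaces=[any]
filters=[host 192.168.25.145 and icmp]
2022-09-13 11:30:46.755253 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:46.755263 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770778 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770784 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo r
"""

# Sample 2: constructed for this example (not from the thread) to show what a
# working ping looks like in the same format: a reply comes back in on lan.
HEALTHY_TRACE = """\
interfaces=[any]
filters=[host 192.168.25.145 and icmp]
2022-09-13 11:35:01.000100 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:35:01.000600 lan in 192.168.25.145 -> 192.168.25.1: icmp: echo reply
"""


def parse_sniffer(text):
    """Return one dict per parsable ICMP echo line; everything else is ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count packets by (interface, direction, request|reply)."""
    return Counter((r["iface"], r["dir"], r["kind"]) for r in records)


def diagnose(records, host, lan_iface="lan"):
    """Verdict for pings between the FortiGate and `host` as seen on `lan_iface`.

    'reply-seen'  - at least one echo reply from host arrived in on lan_iface
    'no-reply'    - echo requests to host left lan_iface, nothing came back
    'no-traffic'  - no echo request to host was seen leaving lan_iface at all
                    (wrong filter or interface, or the ping never ran)
    Lines on other interfaces (e.g. eth0 in the thread) are counted by
    summarize() but deliberately do not influence the verdict (assumption).
    """
    counts = summarize(r for r in records if host in (r["src"], r["dst"]))
    if counts[(lan_iface, "in", "reply")]:
        return "reply-seen"
    if counts[(lan_iface, "out", "request")]:
        return "no-reply"
    return "no-traffic"


if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("healthy", HEALTHY_TRACE)):
        recs = parse_sniffer(trace)
        print(name, dict(summarize(recs)), "->", diagnose(recs, "192.168.25.145"))
```

A `no-reply` verdict, as in the thread, puts the problem on the far side of the cable: the FortiGate has already handed the frame to the LAN port, so the next things to look at are the host's firewall or other filtering software, the link itself, and whether the host has a return route (relevant when the policy does not NAT, as sw2090 notes above).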

RolandBaumgaertner72
New Contributor

It works... now I can ping... directly and with the SSL connection.

The only thing I did was to connect (also directly) the other host and suddenly I could ping both hosts from the FG.

Really strange because I don't know what is/was going on.

Thanks!

gfleming

Definitely a weird one. At this point it appears to be something to do with the device... considering we could see the ping packets leaving the FortiGate and the device was directly connected. Perhaps some other process besides Windows Firewall blocking?

Cheers,
Graham