Fortinet Forum
Shantilal1998
New Contributor

Intermediate Packet Drops in traffic.

We have deployed a FortiGate 3501F, and it is connected to a Cisco Catalyst C9300-24T switch.

We are using a 1G-SFP-RJ45 module on the firewall side.

While trying to ping from the host that is behind the switch, we are facing intermediate packet drops. The destination host is behind the firewall.

Kindly suggest on this.

3 REPLIES
Anonymous
Not applicable

Hello, 

Thank you for using the Community. Further information would be useful for this topic. Can you please provide the following information:

  1. Which version is running on the FortiGate?
  2. Verify that the ping service is allowed on the concerned ports as follows:
    1. show system interface portX
  3. Can you confirm that you have configured a firewall policy and enabled ping (hostSW to hostFGT)?
 
Shantilal1998
New Contributor

1. FortiOS 6.4.6 Build 6135

2. Checked, ping is allowed & traffic is going through the firewall not to the firewall itself.

3. Yes, the policy has already been configured.

Anonymous
Not applicable

Hello,

I don't quite understand what you mean by "traffic is going through the firewall not to the firewall itself". Can you please elaborate on this for me?

But it would be great if you could share the packet capture and trace flow.

  1. Check the routing table, and verify that the subnets of the hosts are in the table.
    1. get router info routing-table all
  2. Use sniffer trace when running a constant ping from hostSW to hostFGT as follows:
    1. diag sniffer packet portX 'host <hostSW>' 4 0 L
  3. Use debug flow, to help us understand if the ping is received, routed or blocked by FortiGate as follows:
    1. diag debug enable
    2. diag debug flow filter clear
    3. diag debug flow filter addr <hostSW>
    4. diag debug flow trace start 100
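
Added example, not part of the thread or of Fortinet's tooling: one way to read a saved sniffer capture from step 2 and see at which point of the path the pings disappear. It assumes the capture covers both the switch-facing and the destination-facing port (named port1 and port2 here, both hypothetical), that verbosity-4 lines have the layout shown in the comment, and that the number of pings sent is known; the sample capture is constructed.

```python
import re
from collections import Counter

# Assumed layout of a verbosity-4 sniffer line:
# "<timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
LINE = re.compile(r"^.+?\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+\S+\s+->\s+\S+:\s+"
                  r"icmp:\s+echo\s+(?P<kind>request|reply)\b")

# The four points an echo passes, in order, for a host behind `ingress`.
STAGES = ["lost before the FortiGate (switch, cabling, SFP)",
          "request dropped inside the FortiGate",
          "no reply came back on the egress side",
          "reply dropped inside the FortiGate"]

def stage_counts(capture, ingress, egress):
    """Count echoes seen at each of the four points of the path."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            seen[(m["kind"], m["intf"], m["dir"])] += 1
    return [seen[("request", ingress, "in")], seen[("request", egress, "out")],
            seen[("reply", egress, "in")], seen[("reply", ingress, "out")]]

def locate_loss(capture, ingress, egress, sent):
    """Map each stage where the count falls to the number of echoes lost there."""
    losses, previous = {}, sent
    for stage, count in zip(STAGES, stage_counts(capture, ingress, egress)):
        if count < previous:
            losses[stage] = previous - count
        previous = count
    return losses

# Constructed sample: 4 pings sent from 192.0.2.10 (hostSW) to 198.51.100.20 (hostFGT).
SAMPLE = """\
interfaces=[any]
filters=[host 192.0.2.10 and icmp]
1.000100 port1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
1.000200 port2 out 192.0.2.10 -> 198.51.100.20: icmp: echo request
1.000900 port2 in 198.51.100.20 -> 192.0.2.10: icmp: echo reply
1.001000 port1 out 198.51.100.20 -> 192.0.2.10: icmp: echo reply
2.000100 port1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
4.000100 port1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
4.000200 port2 out 192.0.2.10 -> 198.51.100.20: icmp: echo request
"""

if __name__ == "__main__":
    for stage, lost in locate_loss(SAMPLE, "port1", "port2", sent=4).items():
        print(f"{lost} echo(es): {stage}")
```

Echoes counted as dropped inside the FortiGate are the ones the debug flow trace in step 3 should explain; echoes that never reach the ingress port point at the switch, cabling or SFP side instead.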