Support Forum
kablage
New Contributor

SIT-Tunnel, traceroute from inside not working properly

Hi folks! Forti OS 5.0.7 (FGT40C), SIT-Tunnel to a tunnelbroker (HE) and everything is working very well. Except traceroute6 from the inside and out:

traceroute6 to he.net (2001:470:0:76::2) from 2001:470:xx:xxx::2200, 64 hops max, 16 byte packets
 1  2001:470:xx:xxx::254  0.569 ms  0.288 ms  0.232 ms   <-- internal IPv6 LAN IP
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:470:0:298::1  119.167 ms  113.866 ms  113.928 ms
 8  2001:470:0:270::2  132.132 ms  131.609 ms  139.633 ms
 9  2001:470:0:240::1  150.374 ms  149.877 ms  150.385 ms
10  2001:470:0:1b4::1  172.868 ms  174.853 ms  175.129 ms
11  2001:470:0:2f::1  170.109 ms  177.583 ms  172.900 ms
12  2001:470:0:76::2  168.612 ms  168.598 ms  168.624 ms

From the "outside":

traceroute ipv6 2001:470:xx:xxx::2200 numeric
Tracing the route to IPv6 node 2001:470:xx:xxx::2200 from 1 to 30 hops
 1    21 ms    <1 ms    <1 ms  2001:470:0:31::2
 2    27 ms    40 ms    27 ms  2001:470:0:1b4::2
 3    71 ms    72 ms    52 ms  2001:470:0:1af::1
 4    75 ms    68 ms    74 ms  2001:470:0:298::2
 5   138 ms   144 ms   134 ms  2001:470:0:2cf::1
 6   160 ms   149 ms   150 ms  2001:470:0:2d0::2
 7   171 ms   208 ms   166 ms  2001:470:0:22f::2
 8   174 ms   175 ms   175 ms  2001:470:0:11e::2
 9   176 ms   172 ms   175 ms  2001:470:xx:xxx::2   <-- SIT-Tunnel, my end
10   182 ms   175 ms   174 ms  2001:470:xx:xxx::2200   <-- Client IPv6 LAN

What setting(s) should I look for? The problem is not on the client side as the output is the same on Ubuntu, OS X & Windows. I have tested setting specific TTL values on all interfaces on the FortiGate (set ip6-hop-limit 0, 64, 254, 255). If someone has traceroute6 working with HE/SIT-Tunnel, please post your config :)
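An added diagnostic helper, not part of the original post or of any Fortinet tool: it parses both traceroute layouts quoted above (address-first traceroute6 and RTT-first "traceroute ipv6") and reports the runs of silent hops, so the inside-out gap can be compared against the outside-in trace. The sample text is a constructed copy of the post's output, trimmed to the interesting hops.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: inside-out traceroute6 from the post (address first, then RTTs)
INSIDE = """\
 1  2001:470:xx:xxx::254  0.569 ms  0.288 ms  0.232 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:470:0:298::1  119.167 ms  113.866 ms  113.928 ms
 8  2001:470:0:270::2  132.132 ms  131.609 ms  139.633 ms
"""

# Constructed sample: outside-in trace from the post (RTTs first, then address)
OUTSIDE = """\
  1    21 ms    <1 ms    <1 ms  2001:470:0:31::2
  2    27 ms    40 ms    27 ms  2001:470:0:1b4::2
  9   176 ms   172 ms   175 ms  2001:470:xx:xxx::2
 10   182 ms   175 ms   174 ms  2001:470:xx:xxx::2200
"""

_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_trace(text: str) -> Dict[int, Optional[str]]:
    """Map hop number -> responding IPv6 address, or None when every probe timed out.
    Works for both layouts: the address is the only token containing ':'."""
    hops: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing the route to ..." are skipped
        hop, tokens = int(m.group(1)), m.group(2).split()
        hops[hop] = next((t for t in tokens if ":" in t), None)  # '* * *' -> None
    return hops


def silent_runs(hops: Dict[int, Optional[str]]) -> List[Tuple[int, int]]:
    """Collapse consecutive silent hops into (first, last) ranges."""
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for hop in sorted(hops):
        if hops[hop] is None:
            start = hop if start is None else start
        elif start is not None:
            runs.append((start, hop - 1))
            start = None
    if start is not None:
        runs.append((start, max(hops)))
    return runs
```

Running `silent_runs(parse_trace(INSIDE))` on the post's inside-out trace gives the single range of hops 2 to 6, while the outside-in trace has no silent hops at all.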
sviusa
New Contributor

hi,

have a look at Ken's explanation.

http://socpuppet.blogspot.fr/2015/03/ipv6-traceroutes-that-dont-report-next.html

Still no solution.

Regards,

emnoc
Esteemed Contributor III

I spoke to FTNT about this and they claim they will look into it, but still no resolution as of yet. So the best you can do is to increase the TTL in the traceroute probes.

PCNSE NSE StrongSwan
drixter
New Contributor II

Hello,

I've just joined to check that the issue is still valid.

I'm getting the same issue, traceroute still does not work from inside.

Can someone confirm this? Seems to be a bug since 5+ years :(

Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662
drixter
New Contributor II

Hi,

I can confirm that the issue is valid on version 7.0.3 ;-/

Tested on my 40F

Thanks,

Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662
vabello

Still an issue on 6.4.10 and 7.0.6 in 2022. :( I thought I was going crazy and suddenly didn't know how to get time-exceeded packets to be allowed, but this just seems like a bug that's never been fixed with SIT tunnels.

drixter
New Contributor II

Hi

In the meantime I've switched to GRE tunnels; probably SIT can be fixed if a ticket is opened with Fortigate and a real scenario is provided.

I've opened such a ticket in the past but without such a tunnel, and it was closed by Fortigate because I was not able to prove that it is still valid.

Thanks,

Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662