Support Forum
kvoegele
New Contributor

Unable to ping from Fortinet 1000D to the ISP gateway.

This is a new implementation. We have a fiber 10G handoff, rate-limited to 1G, which we have connected to a 10G port on a Cisco switch, which is then connected to the Fortinet device. The attached image will give you a better idea of the setup and IP addressing. I have a default route set up as 0.0.0.0 0.0.0.0 50.232.x.129 with a GW of 50.206.x.54. My policies are from the inside out to allow all except P2P traffic.


Any advice would be greatly appreciated. 

Johan_Witters
Contributor

kvoegele wrote:

 I have a default route set up as 0.0.0.0 0.0.0.0 50.232.x.129 with a GW of 50.206.x.54.

I don't completely understand the above, but if the switch is a routing device you should have 0.0.0.0 0.0.0.0 50.232.x.129 (next hop); otherwise it should be 0.0.0.0 0.0.0.0 50.206.x.54.

 

I'd try with .129 and perform a traceroute to verify the path. Please also keep in mind to configure your policies correctly (internal -> WAN with NAT).

Johan Witters

Network & Security Engineer

FCNSP V4/V5


BKM NV

kvoegele

Sorry, yes, the switch is routing, and I have .129 as the next hop in the default route on the Fortinet. I know I can ping the GW .129 from the Fortinet; however, I am unable to get to the next-subnet GW at 50.206.x.54.


Here are some logs and tables I have collected:


MPP-FW-DC # get router info routing-table details 9
Routing entry for 50.232.x.128/28
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port10

MPP-FW-DC # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - P
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA exter2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia
       * - candidate default

S*      0.0.0.0/0 [10/0] via 50.232.x.129, port10
C       50.232.x.128/28 is directly connected, port10
C       172.x.x.0/19 is directly connected, port9

MPP-FW-DC # get sys arp
Address           Age(min)   Hardware Addr      Interface

MPP-FW-DC # diagnose sniffer packet port10
interfaces=[port10]
filters=[none]
2.848755 stp 802.1d, config, flags [none], bridge-id 8001.d1
4.853459 stp 802.1d, config, flags [none], bridge-id 8001.d1
6.862392 stp 802.1d, config, flags [none], bridge-id 8001.d1
8.863121 stp 802.1d, config, flags [none], bridge-id 8001.d1
9.684686 loopback
10.867816 stp 802.1d, config, flags [none], bridge-id 8001.1
12.872611 stp 802.1d, config, flags [none], bridge-id 8001.1
14.877301 stp 802.1d, config, flags [none], bridge-id 8001.1
16.885904 stp 802.1d, config, flags [none], bridge-id 8001.1
17.681396 83.110.81.163 -> 50.232.x.139: icmp: 83.110.81.1e
18.886895 stp 802.1d, config, flags [none], bridge-id 8001.1
19.678918 llc unnumbered, ui, flags [command], length 46
19.679043 llc unnumbered, ui, flags [command], length 76
19.696273 loopback
20.891646 stp 802.1d, config, flags [none], bridge-id 8001.1
22.896417 stp 802.1d, config, flags [none], bridge-id 8001.1
24.904969 stp 802.1d, config, flags [none], bridge-id 8001.1
26.906041 stp 802.1d, config, flags [none], bridge-id 8001.1
28.910783 stp 802.1d, config, flags [none], bridge-id 8001.1
29.694664 loopback
30.915481 stp 802.1d, config, flags [none], bridge-id 8001.1
32.920250 stp 802.1d, config, flags [none], bridge-id 8001.1
33.251406 167.114.173.202.37199 -> 50.232.x.134.53: udp 45
34.840032 213.33.228.98.80 -> 50.232.x.130.30904: rst 0 ac
34.929958 stp 802.1d, config, flags [none], bridge-id 8001.1
36.929795 stp 802.1d, config, flags [none], bridge-id 8001.1
37.523326 112.197.3.81 -> 50.232.x.137: icmp: time exceedet
38.934537 stp 802.1d, config, flags [none], bridge-id 8001.1
39.700225 loopback
40.939351 stp 802.1d, config, flags [none], bridge-id 8001.1
42.943739 stp 802.1d, config, flags [none], bridge-id 8001.1
44.952997 stp 802.1d, config, flags [none], bridge-id 8001.1
46.953263 stp 802.1d, config, flags [none], bridge-id 8001.1

33 packets received by filter
0 packets dropped by kernel

Johan_Witters
Contributor

Seems OK at the moment.

Have you run a diag sniff with the filter 'icmp' while pinging the WAN interface of the switch? You should see those pass from internal to external at least. If you don't see the ping request exiting, you could use diag debug flow to investigate further and check whether routing and policy are correct.

Do you have access to the switch configuration to verify its configuration?

Johan Witters

Network & Security Engineer

FCNSP V4/V5


BKM NV

emnoc
Esteemed Contributor III

All good tips, and I would add: check for the ARP entry. If you haven't resolved the L3 ARP mapping of the gateway, then you will not be able to ping.

Also, can you temporarily bypass the switch to check your cabling and ports?


PCNSE 

NSE 

StrongSwan  

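The two checks suggested in the replies above (Johan's sniffer-with-'icmp'-filter test and emnoc's ARP-entry check) can be turned into a small script that reads the pasted FortiOS CLI tables and says which step to take next. This is an added example, not code from the thread or from Fortinet; the routing-table, ARP-table and sniffer text embedded in it is constructed to mirror the shape of the output pasted in this thread, with RFC 5737 documentation addresses standing in for the masked real ones and a made-up MAC address. The format it parses is what `get router info routing-table all`, `get sys arp` and `diagnose sniffer packet port10 'icmp' 1` print.

```python
import re

# Constructed sample output (not the poster's data). Addresses are from the
# RFC 5737 documentation ranges; the MAC address below is made up.
ROUTE_TABLE = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.129, port10
C       203.0.113.128/28 is directly connected, port10
C       10.20.0.0/19 is directly connected, port9
"""

# 'get sys arp' with nothing learned on the WAN port: the state seen in the thread
ARP_EMPTY = """\
Address           Age(min)   Hardware Addr      Interface
"""

# 'get sys arp' once the gateway has answered an ARP request (MAC is made up)
ARP_OK = """\
Address           Age(min)   Hardware Addr      Interface
203.0.113.129     0          00:11:22:33:44:55  port10
"""

# 'diagnose sniffer packet port10 "icmp" 1' while pinging the far gateway:
# three echo requests leave the WAN port, nothing comes back
SNIFF_NO_REPLY = """\
interfaces=[port10]
filters=[icmp]
1.102341 203.0.113.130 -> 198.51.100.54: icmp: echo request
2.103118 203.0.113.130 -> 198.51.100.54: icmp: echo request
3.104220 203.0.113.130 -> 198.51.100.54: icmp: echo request
"""

ROUTE_RE = re.compile(r"^S\*\s+0\.0\.0\.0/0\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)", re.M)
ARP_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+\d+\s+([0-9a-f:]{17})\s+(\S+)", re.M | re.I)
ICMP_RE = re.compile(
    r"^\d+\.\d+\s+(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}): icmp: echo (request|reply)", re.M)


def default_next_hop(route_text):
    """(next_hop, interface) of the S* candidate default route, or None."""
    m = ROUTE_RE.search(route_text)
    return (m.group(1), m.group(2)) if m else None


def arp_entries(arp_text):
    """Map (ip, interface) -> MAC from 'get sys arp' output; the header row is skipped."""
    return {(ip, iface): mac for ip, mac, iface in ARP_RE.findall(arp_text)}


def check_gateway_arp(route_text, arp_text):
    """emnoc's check: the default next hop must have an ARP entry on the route's
    egress interface, otherwise nothing beyond the gateway is reachable."""
    hop = default_next_hop(route_text)
    if hop is None:
        return False, "no S* default route found"
    ip, iface = hop
    mac = arp_entries(arp_text).get((ip, iface))
    if mac is None:
        return False, f"next hop {ip} has no ARP entry on {iface}: layer 2 to the gateway is broken"
    return True, f"next hop {ip} is {mac} on {iface}"


def icmp_counts(sniff_text, target):
    """Johan's check: (echo requests sent to target, echo replies received from
    target) as seen by the sniffer on the WAN port."""
    sent = recv = 0
    for src, dst, kind in ICMP_RE.findall(sniff_text):
        if kind == "request" and dst == target:
            sent += 1
        elif kind == "reply" and src == target:
            recv += 1
    return sent, recv


def diagnose(route_text, arp_text, sniff_text, target):
    """Combine both checks into the next troubleshooting step."""
    ok, msg = check_gateway_arp(route_text, arp_text)
    if not ok:
        return "arp", msg
    sent, recv = icmp_counts(sniff_text, target)
    if sent == 0:
        return "flow", "no echo request left the WAN port: run diagnose debug flow to check route and policy"
    if recv == 0:
        return "upstream", f"{sent} requests left, 0 replies: look at the switch/ISP side, not the FortiGate"
    return "ok", f"{sent} requests, {recv} replies"


if __name__ == "__main__":
    print(diagnose(ROUTE_TABLE, ARP_EMPTY, SNIFF_NO_REPLY, "198.51.100.54"))
    print(diagnose(ROUTE_TABLE, ARP_OK, SNIFF_NO_REPLY, "198.51.100.54"))
```

Run against the empty ARP table the script stops at the ARP step, which is exactly the state the poster later confirmed; with a populated ARP table but no echo replies it points upstream of the FortiGate, and only when no requests leave port10 at all does it send you to `diagnose debug flow`.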
kvoegele
New Contributor

Thanks for the help guys!!

There was nothing in the ARP table, which is obviously an issue. We ended up resetting back to the factory defaults and it worked. It appears to have been a bad config file.


Thanks again!
