Fortinet Forum
BraddyJ
New Contributor

unable to ping beyond default gateway on new Internet connection

I have a Fortigate 200B with the latest 4.0 firmware. We use multiple Internet connections, two PPPoE connections that work just fine, and one new manual connection that I can't get to work. I feel like I must be missing something really simple/stupid.

The connections that are working:
Port 13 (DSL01) - DHCP 63.231.68.142 / 255.255.255.255 Gateway: 207.225.112.6
Port 14 (DSL02) - DHCP 216.160.163.168 / 255.255.255.255 Gateway: 207.225.112.2

The connection that isn't working:
Port 15 (EoCu) - Manual 63.232.194.114 / 255.255.255.248

Static routes:
Device    Distance   Priority   Gateway          IP/Mask
Port 13   10         5          0.0.0.0          0.0.0.0/0.0.0.0
Port 14   10         5          0.0.0.0          0.0.0.0/0.0.0.0
Port 15   10         5          63.232.194.113   0.0.0.0/0.0.0.0

Static settings:
port 13 ping server 4.2.2.1
port 14 ping server 4.2.2.2
port 15 ping server 63.232.194.113

Routing monitor shows:
Type        Network              Distance   Gateway          Interface
static      0.0.0.0/0            5          207.225.112.2    PPP1
static      0.0.0.0/0            5          207.225.112.6    PPP2
(no other static entries are listed for any interfaces)
connected   63.231.68.142/32     0          0.0.0.0          PPP2
connected   63.232.194.112/29    0          0.0.0.0          Port 15
connected   207.225.112.2/32     0          0.0.0.0          PPP1
connected   207.225.112.6/32     0          0.0.0.0          PPP2
connected   216.160.163.168/32   0          0.0.0.0          PPP1
(why isn't my static route default gateway listed for port 15???)

From the firewall console:
exec ping 63.232.194.113 comes back fine
exec ping 207.109.53.142 does not come back

When I connected my laptop to the same connection as port 15 I configured it like this:
IP: 63.232.194.114
Subnet mask: 255.255.255.248
Default gateway: 63.232.194.113

With that configuration, I am able to ping 207.109.53.142 from my laptop. What am I missing???
Dave_Hall
Honored Contributor

What do you get when you "exec traceroute 207.109.53.142" from the Fortigate?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

BraddyJ
New Contributor

exec traceroute 207.109.53.142
I think it goes out over one of the other connections:
IASLC-FW01 # exec traceroute 207.109.53.142
traceroute to 207.109.53.142 (207.109.53.142), 32 hops max, 72 byte packets
 1  207.225.112.2 <hlrn-dsl-gw02.hlrn.qwest.net>  38.313 ms  37.918 ms  39.709 ms
 2  71.217.188.13 <hlrn-agw2.inet.qwest.net>  37.788 ms  37.658 ms  37.722 ms
 3  67.14.24.17 <dvr-core-01.inet.qwest.net>  38.925 ms  39.289 ms  39.080 ms
 4  67.14.24.93 <dvr-edge-13.inet.qwest.net>  38.596 ms  38.563 ms  38.373 ms
 5  * * *
...
 
rwpatterson
Valued Contributor III

Have you checked off the "NAT" checkbox in that policy? Any policy facing the Internet needs that checked if your inside IP addresses are in the private (RFC 3330) range.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

BraddyJ

Yes, NAT is checked and using destination interface IP address in all outbound rules. Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?
rwpatterson
Valued Contributor III

ORIGINAL: BraddyJ Yes, NAT is checked and using destination interface IP address in all outbound rules. Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?
You are correct. I missed the console part of the post. Perhaps you need to set the ping options in the unit to use the IP associated with that port...


emnoc
Esteemed Contributor III

Yes, that's correct. Have you run the diag debug flow and/or the packet sniffer? If you're doing traceroute, it should be UDP, with a high UDP port number incrementing per hop.

PCNSE 

NSE 

StrongSwan  
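
The diag debug flow and sniffer procedure emnoc refers to, written out as a console session. This is an added example, not part of any post in the thread: the addresses are the ones from the original post, the command syntax is FortiOS 4.0 CLI as the editor recalls it (use `?` on the unit if a keyword is rejected), and the `ping-options source` line is one way to do the "ping options" change rwpatterson mentions.

```fortios
# Added example: FortiOS 4.0 console session for tracing why traffic to
# 207.109.53.142 does not leave via port15. Addresses are from the post.

# 1. Does the unit hold a usable default route via port15 at all?
#    "database" also lists routes that are not installed, which the
#    routing monitor and "routing-table all" hide; installed routes
#    carry the * marker.
get router info routing-table all
get router info routing-table database

# 2. Trace the forwarding decision for a single test packet. Filter on
#    the target host so the console is not flooded by other traffic.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 207.109.53.142
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable

# 3. Send the echo from port15's own address. The route lookup still
#    decides the egress interface; the flow trace shows which one won.
execute ping-options source 63.232.194.114
execute ping 207.109.53.142

# 4. In a second console session, confirm on the wire which interface
#    the packets actually leave on. Verbosity 4 prints the interface
#    name per packet. Traceroute probes are UDP to incrementing high
#    ports, so a udp match catches them alongside the ICMP echo.
diagnose sniffer packet any 'host 207.109.53.142' 4
diagnose sniffer packet port15 'host 207.109.53.142 and udp' 4

# 5. Switch the debug off afterwards; leaving it enabled costs CPU.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

What to look for: the flow trace prints the route it picks for each packet. If it reports a next hop on PPP1 or PPP2 rather than 63.232.194.113 via port15, the port15 default route is not installed (the routing-table database output shows whether it exists but is unselected), and a policy route or a distance/priority change on port15 is the place to look, not the firewall policies.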

BraddyJ
New Contributor

I have not tried that, and to be honest I'm not sure how. Could you provide some steps to follow please?
Dave_Hall
Honored Contributor

Yes, NAT is checked and using destination interface IP address in all outbound rules.
Is Port15 showing any traffic at all? Duplex/speed set to auto or forced? ("debug hardware deviceinfo nic port15") Any router policy configured? Considering all routes being equal, wouldn't the fgt pick either the lowest port# or use odd/even, etc. when choosing a route path?


BraddyJ

"Debug hardware deviceinfo nic port15" returns "Unknown action 0". Here is the output from get hardware nic port15:

IASLC-FW01 # get hardware nic port15
Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: ��^8F
Module Name: 200B-256
DDR Size: 256 MB
Bootstrap ID: 18
PCIX-64bit-@133MHz bus: 02:00.0
Admin: up, num=4, duration=6997551
Current_HWaddr: 00:09:0f:fa:29:49
Permanent_HWaddr: 00:09:0f:fa:29:49
Link: up, 5
Speed: 100Mbps
Duplex: Full
Rx Pkts: 38461
Tx Pkts: 33669
Rx Bytes: 2326528
Tx Bytes: 1469440
MAC2 Rx Errors: 0
MAC2 Rx Dropped: 0
MAC2 Tx Dropped: 0
MAC2 FIFO Overflow: 0
MAC2 IP Error: 0
TAE Entry Used: 0
TSE Entry Used: 3
Host Dropped: 0
Shaper Dropped: 0
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
PBA: 123/1019/251
Forwarding Entry Used: 0
Offload IPSEC Antireplay ENC Status: Disable
Offload IPSEC Antireplay DEC Status: Enable
Offload Host IPSEC Traffic: Disable
ses mask: 40047dcb