HS08
Contributor

BGP Established but can't ping

My FortiGate hub has a BGP connection to the spoke; the spoke IP is 10.10.112.11 and BGP was established.

f1.PNG

But why can't I ping that spoke BGP peer IP? As a result, traffic from the hub can't reach the spoke through this tunnel interface.

f2.PNG

If I ping 10.10.112.1 from the spoke to the hub, I get replies.

f3.PNG

jdelafuente_FTNT
Staff & Editor

Share the output of:

exe ping-options source 10.10.112.1
exe ping 10.10.112.11
get route info routing details 10.10.112.11
get route info routing all

Jon De La Fuente | LATAM TAC Engineer
HS08

Here is the result

a1.png

a2.PNG

and here is the result when pinging from the spoke

a3.PNG

Toshi_Esumi
SuperUser

Since pinging in the other direction works, it's not a routing issue over the tunnel. I would suspect something on the remote side is not taking the ping packets, or not returning the ping reply packets.

So, I would start with basic troubleshooting on the remote FGT, like checking allowaccess, sniffing the tunnel interface with the source IP after disabling NPU offloading at the policies and/or the IPsec config to see if the packets are arriving and if it's returning them, and then run flow debugging to see why they're not returned if they are arriving, and so on.

Toshi

HS08

It's not only ping: traffic from the hub can't reach the spoke when it passes through this tunnel interface.

Toshi_Esumi

Yes, I would imagine so. But even if not, it wouldn't change the troubleshooting method I would use.

HS08

If traffic can't pass through this tunnel, why does BGP still have a path using this tunnel?

Toshi_Esumi

You need to understand the difference between protocols (like ICMP, TCP, UDP) and ports (TCP 179, 443, 22). BGP uses TCP 179. Others use different protocols and/or ports. That's why you need to sniff and flow debug to see why they show different behavior.

Toshi

funkylicious
SuperUser

If you start a diag sniffer packet on the spoke, what do you see? Is the traffic reaching interface X, and is the reply going back out interface X or interface Y?

Also, is ping enabled on the interface/firewall?

"jack of all trades, master of none"
dingjerry_FTNT

Hi @HS08 ,

My first step would be running "diag sniffer packet" for Ping traffic (using icmp as the filter) on the spoke side first.

This is to confirm whether the Ping initiated on the Hub side arrives at the Spoke or not.

Regards,

Jerry
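The replies above all converge on the same check: run the sniffer on the spoke, confirm the hub's echo requests arrive on the tunnel interface, and see whether (and on which interface) the replies leave, while noting that the BGP TCP/179 packets in the same capture are a different flow from ICMP. The following is an added example (not FortiOS code and not from anyone in this thread) that parses the one-line-per-packet text FortiOS prints at sniffer verbosity 4 and reports exactly that. The interface names hub_vpn and wan1, the port 34567 and the capture lines themselves are constructed; the addresses 10.10.112.1 (hub) and 10.10.112.11 (spoke) are the ones from the thread.

```python
"""Triage FortiOS "diagnose sniffer packet <intf> '<filter>' 4" output (added example).

Verbosity 4 prints one line per packet:
    <timestamp> <interface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <details>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: float
    iface: str
    direction: str            # "in" = received on iface, "out" = sent on iface
    proto: str                # "icmp", "tcp" or "udp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_kind: Optional[str]  # "request", "reply" or "other" for ICMP packets


def parse_sniffer(text: str):
    """Turn verbosity-4 sniffer text into Packet records; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "interfaces=[any]" / "filters=[icmp]"
        src, dst, rest = m["src"], m["dst"], m["rest"]
        sport = dport = icmp_kind = None
        if rest.startswith("icmp"):
            proto = "icmp"
            if "echo request" in rest:
                icmp_kind = "request"
            elif "echo reply" in rest:
                icmp_kind = "reply"
            else:
                icmp_kind = "other"
        else:
            proto = "udp" if rest.startswith("udp") else "tcp"  # TCP lines show flags (syn/ack/psh)
            src, sport = src.rsplit(".", 1)
            dst, dport = dst.rsplit(".", 1)
            sport, dport = int(sport), int(dport)
        packets.append(Packet(float(m["ts"]), m["iface"], m["dir"], proto,
                              src, sport, dst, dport, icmp_kind))
    return packets


def summarize(packets):
    """Count packets per service and direction, e.g. {'tcp/179': {'in': 1, 'out': 1, 'ifaces': {...}}}.

    The lower of the two ports is taken as the service port (a heuristic; fine for BGP 179).
    """
    summary = defaultdict(lambda: {"in": 0, "out": 0, "ifaces": set()})
    for p in packets:
        key = "icmp" if p.proto == "icmp" else f"{p.proto}/{min(p.sport, p.dport)}"
        summary[key][p.direction] += 1
        summary[key]["ifaces"].add(p.iface)
    return dict(summary)


def check_icmp(packets, peer: str):
    """Classify what happened to echo requests from `peer` (the hub's tunnel IP).

    Returns (status, detail); status is 'no_request', 'no_reply', 'asymmetric' or 'ok'.
    """
    req_in = [p for p in packets if p.proto == "icmp" and p.icmp_kind == "request"
              and p.direction == "in" and p.src == peer]
    rep_out = [p for p in packets if p.proto == "icmp" and p.icmp_kind == "reply"
               and p.direction == "out" and p.dst == peer]
    if not req_in:
        return "no_request", f"no echo request from {peer} seen: look at the hub side (route, policy, filter)"
    req_if = sorted({p.iface for p in req_in})
    if not rep_out:
        return "no_reply", (f"{len(req_in)} echo request(s) from {peer} arrived on {req_if} but no reply "
                            "left: check allowaccess ping / local-in policy, then flow debug")
    rep_if = sorted({p.iface for p in rep_out})
    if req_if != rep_if:
        return "asymmetric", f"requests arrive on {req_if} but replies leave on {rep_if}: return route mismatch"
    return "ok", f"{len(rep_out)} reply(ies) returned on {rep_if}"


# Constructed sample: the BGP session exchanges packets in both directions,
# three echo requests from the hub arrive on the tunnel, and none is answered.
SAMPLE_NO_REPLY = """\
interfaces=[any]
filters=[host 10.10.112.1]
1.000123 hub_vpn in 10.10.112.1.34567 -> 10.10.112.11.179: psh 100 ack 200
1.000456 hub_vpn out 10.10.112.11.179 -> 10.10.112.1.34567: ack 119
2.100001 hub_vpn in 10.10.112.1 -> 10.10.112.11: icmp: echo request
3.100002 hub_vpn in 10.10.112.1 -> 10.10.112.11: icmp: echo request
4.100003 hub_vpn in 10.10.112.1 -> 10.10.112.11: icmp: echo request
"""

# Constructed sample: the spoke answers, but the reply leaves a different interface.
SAMPLE_ASYMMETRIC = """\
2.100001 hub_vpn in 10.10.112.1 -> 10.10.112.11: icmp: echo request
2.100150 wan1 out 10.10.112.11 -> 10.10.112.1: icmp: echo reply
"""

if __name__ == "__main__":
    for name, text in (("no-reply", SAMPLE_NO_REPLY), ("asymmetric", SAMPLE_ASYMMETRIC)):
        pkts = parse_sniffer(text)
        print(name, summarize(pkts), check_icmp(pkts, "10.10.112.1"))
```

Paste a real capture in place of the constructed samples: a "no_reply" result with a healthy tcp/179 entry in the summary is the situation described in this thread (the tunnel carries BGP, but the spoke never answers ICMP), which points at the spoke's local-in handling rather than at routing; "asymmetric" means the return route for 10.10.112.1 on the spoke does not point back into the tunnel.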