My FortiGate hub has a BGP connection to the spoke; the spoke IP is 10.10.112.11 and BGP was established.
But why can't I ping that spoke BGP peer IP? So traffic from the hub can't reach the spoke using this tunnel interface.
If I ping 10.10.112.1 from the spoke to the hub, the result is a reply.
Created on 04-03-2025 11:20 PM Edited on 04-03-2025 11:21 PM
What do you see if you have two CLI sessions, running this sniffing in one session and ping toward 10.10.112.1 in another? You said that direction worked.
Toshi
Did you mean running the sniff on the hub, then pinging from the spoke to 10.10.112.1?
Created on 04-04-2025 12:07 AM Edited on 04-04-2025 12:08 AM
On the spoke side, since you couldn't see any ping packets from the HUB. At least you should see at the spoke the ping packets toward the HUB go into the tunnel, and the ping replies should come back from the tunnel.
Also, if you patiently keep sniffing on the spoke side, you should see BGP/TCP 179 traffic as well, since you said BGP was up. It might show up only every 30 sec or so, though.
Toshi
Actually, the TCP 179 traffic is there in the screenshot above. So BGP has been working, as you said.
Toshi
But the local IP in the sniff result is 10.10.112.6. Not 10.10.112.11. Are you sure you were sniffing at the correct spoke location that has 10.10.112.11?
Hub and spoke have 2 internet connections, so there will be 4 tunnels.
The topology is
spoke tun1 (internet 1) 10.10.111.6 <--------------------> 10.10.111.1 hub internet 1
spoke tun2 (internet 2) 10.10.111.11 <--------------------> 10.10.111.1 hub internet 1
spoke tun3 (internet 1) 10.10.112.6 <--------------------> 10.10.112.1 hub internet 2
spoke tun4 (internet 2) 10.10.112.11 <--------------------> 10.10.112.1 hub internet 2
The tunnel connection from hub internet 1 (10.10.111.1) is working fine to tun1 and tun2, but not from hub internet 2 (10.10.112.1) to tun3 and tun4.
Pinging from the hub to 10.10.112.6 or 10.10.112.11 was not successful.
Yes, but traffic from the hub can't reach the spoke when passing through this tunnel, even though BGP was established.
Yes, true: sniffing on the spoke, there is no ICMP request sent from the hub, and I can see TCP/179. For that reason BGP was established.
Created on 04-04-2025 08:39 AM Edited on 04-04-2025 08:40 AM
Did you see ping replies from the tunnel when you pinged from the spoke toward the hub?
So now you're saying you have four tunnels (I think this is the first time you've mentioned it through all your previous posts). I'm almost sure it would screw up ADVPN, because ADVPN is supposed to need only one manual IPsec configured between one hub and one spoke. ADVPN itself then sets up spoke-to-spoke tunnels automatically.
You have two iBGP peerings between this pairing, the hub and this spoke, right? FGT's BGP wouldn't allow two neighbors with the same IP address.
What do you have in "get router info bgp sum"?
It would look like below:
fg40f-utm (root) # get router info bgp sum
<snip>
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.x.x.121 4 65528 43756 43464 2 0 0 03w2d00h 521
10.y.y.253 4 65528 0 0 0 0 0 never Idle (Admin) <- my second IPsec is Admin down
Total number of neighbors 2
Toshi
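As an added example (not from this thread and not Fortinet's own tooling), here is a small Python parser for the neighbour table that "get router info bgp sum" prints, of the kind quoted above. It turns each neighbour row into a record, treats a numeric State/PfxRcd column as Established with that many prefixes received, and flags the two things worth looking at in a case like this one: sessions that are not Established (for example "Idle (Admin)" or "Active"), and sessions that are Established but have received 0 prefixes. The sample output is constructed for the example: the neighbour addresses are the spoke tunnel IPs from the topology posted above, but the counters and states are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "get router info bgp sum" output quoted
# in this thread. Neighbour addresses come from the topology posted above;
# the counters and states are invented for the example.
SAMPLE_BGP_SUMMARY = """\
fg40f-utm (root) # get router info bgp sum
VRF 0 BGP router identifier 10.10.111.1, local AS number 65528
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V   AS    MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.10.111.6     4 65528   43756   43464     2     0    0 03w2d00h      521
10.10.111.11    4 65528       0       0     0     0    0 never    Idle (Admin)
10.10.112.6     4 65528     120     118     2     0    0 00:01:02        0
10.10.112.11    4 65528      18      20     0     0    0 never        Active

Total number of neighbors 4
"""

# One neighbour row: IPv4 address, BGP version, AS, the counters, Up/Down, and
# finally the State/PfxRcd column, which is a number when the session is
# Established and a state name (e.g. "Idle (Admin)", "Active") otherwise.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S.*?)\s*$"
)


@dataclass
class Peer:
    ip: str
    asn: int
    up_down: str
    state: str                        # "Established" or the state name shown
    prefixes_received: Optional[int]  # only set when Established


def parse_bgp_summary(text: str) -> List[Peer]:
    """Parse the neighbour table of 'get router info bgp sum' into Peer records."""
    peers: List[Peer] = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue  # prompt, banner, header and "Total number of neighbors" lines
        state_col = m.group("state")
        if state_col.isdigit():
            peers.append(Peer(m.group("ip"), int(m.group("asn")),
                              m.group("updown"), "Established", int(state_col)))
        else:
            peers.append(Peer(m.group("ip"), int(m.group("asn")),
                              m.group("updown"), state_col, None))
    return peers


def bgp_findings(peers: List[Peer]) -> List[str]:
    """One line per neighbour that needs a look: sessions that are not
    Established, and Established sessions that have received no prefixes
    (the TCP 179 session is up, but the peer is advertising nothing over it)."""
    findings: List[str] = []
    for p in peers:
        if p.state != "Established":
            findings.append(f"{p.ip}: session {p.state}, up/down {p.up_down}")
        elif p.prefixes_received == 0:
            findings.append(f"{p.ip}: Established but 0 prefixes received")
    return findings


if __name__ == "__main__":
    for finding in bgp_findings(parse_bgp_summary(SAMPLE_BGP_SUMMARY)):
        print(finding)
```

Paste the real summary output into SAMPLE_BGP_SUMMARY (or read it from a file) to run it against a live box. Note that an Established session with prefixes received only proves the BGP control channel over TCP 179 works; as the thread shows, it says nothing about whether ICMP or other traffic from the hub is actually entering the tunnel, which still needs the sniffer on both ends.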
Copyright 2025 Fortinet, Inc. All Rights Reserved.