Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
linus2023
New Contributor

Can't seem to PING this Wan1 interface.

[Screenshot: linus2023_0-1672786360609.png]

Here is the config for Wan1. It is working as far as passing traffic is concerned; however, I cannot PING that interface externally (or internally, for that matter). I see that PING is enabled, so what else am I missing?

PaulRoberts
New Contributor III

If you've already verified that the ICMP packets are reaching the device (using the console sniffer, naturally) then this is pretty much your next step.  It'll be really arcane to look at, but...  try these in the console, then ping...

diagnose debug flow filter daddr 148.51.230.148

diagnose debug flow filter proto 1

diagnose debug flow trace start 10

diagnose debug enable

These will make the Fortinet spew to the console every little thing it knows or decides about the packet, and is mostly readable by the very brave.  You can also add a source address (saddr) criteria if you know what the source IP address should show up as.

Peter-Wainwright
New Contributor II

LAN -> WAN, I would expect a ping response from that interface so long as you have an appropriate firewall policy that allows PING.

Use an internal host to ping the WAN interface with the following on the FGT:

diag debug enable
diag debug flow filter proto 1
diag debug flow filter daddr <wan IP address>
diag debug flow filter saddr <host IP address>
diag debug flow trace start 5

... and see what you get. 

Not being able to ping the interface from externally could be due to your ISP. Use similar commands given above to look for the incoming packets.

You could also grab a PCAP to check whether the packets are actually coming in.

Pete

NSE 7
gfleming
Staff

You should be able to ping it internally assuming it's a ping echo request coming from a machine that can also access the internet through this interface.

Are you able to ping outside IP addresses like 9.9.9.9, 1.1.1.1 etc?

What does your local-in policy look like? (show firewall local-in-policy)

Cheers,
Graham
seshuganesh
Staff

As requested by colleagues, please get the debug flow output while pinging the WAN IP of the firewall, so we can isolate the issue.

linus2023
New Contributor

(root) # id=65308 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14232."
id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-022439b1, tun_id=0.0.0.0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=1 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14233."
id=65308 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-022439da, tun_id=0.0.0.0"
id=65308 trace_id=2 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=2 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=2 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14234."
id=65308 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-022439ee, tun_id=0.0.0.0"
id=65308 trace_id=3 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=3 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=3 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=3 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=4 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14235."
id=65308 trace_id=4 func=init_ip_session_common line=6073 msg="allocate a new session-02243a06, tun_id=0.0.0.0"
id=65308 trace_id=4 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=4 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=4 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=4 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=5 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14236."
id=65308 trace_id=5 func=init_ip_session_common line=6073 msg="allocate a new session-02243a2c, tun_id=0.0.0.0"
id=65308 trace_id=5 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=5 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=5 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
Peter-Wainwright

Looks like you have a DNAT policy that is mapping 148.51.230.148 -> 10.2.0.2.

There is then no firewall policy to allow that traffic (hence the "Denied by forward policy check (policy 0)").

Pete

NSE 7
gfleming

To expand on this correct answer you need to look at your VIPs and find the one that is mapping one-to-one your WAN1 interface IP to the internal address 10.2.0.2. This VIP is causing all traffic destined to WAN1 int IP to go to 10.2.0.2. 

You probably want to adjust the VIP to be a port-based VIP so it's not hijacking your entire WAN IP.

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/155333/virtual-ips-with-port...

Cheers,
Graham
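The debug flow posted above is easier to read once the lines are grouped per trace_id and the three facts that matter (ingress interface, DNAT rewrite, verdict) are pulled out. The following Python parser is an added example, not code from this thread or from Fortinet; the function names are my own, trace 1 is taken (trimmed) from the output posted above, and trace 2 is a constructed accepted flow included for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample: trace 1 is trimmed from the debug flow in this thread,
# trace 2 is a made-up outbound ping that a forward policy accepts.
SAMPLE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14232."
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=1 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:1->9.9.9.9:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=1."
id=65308 trace_id=2 func=fw_forward_handler line=753 msg="Allowed by Policy-3: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).* from (\S+?)\.')
DNAT_RE = re.compile(r'^DNAT ([\d.]+):\d+->([\d.]+):\d+$')


def parse_flow(text):
    """Group debug-flow lines by trace_id and extract packet, DNAT and verdict."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"proto": None, "src": None, "dst": None,
                                    "iface": None, "dnat": None, "verdict": None})
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                t["proto"] = int(p.group(1))
                t["src"], t["dst"], t["iface"] = p.group(2), p.group(3), p.group(4)
        elif func == "__ip_session_run_tuple":
            d = DNAT_RE.search(msg)
            if d:
                t["dnat"] = (d.group(1), d.group(2))  # (original dst, mapped dst)
        elif func in ("fw_forward_handler", "fw_local_in_handler"):
            t["verdict"] = msg
    return traces


def diagnose(trace):
    """Explain why an echo request to the firewall's own address got no reply."""
    if trace["dnat"] and trace["dnat"][0] == trace["dst"]:
        # A VIP rewrote the interface address, so the packet is treated as
        # forwarded traffic to the mapped host and never reaches local-in.
        reason = f"VIP maps {trace['dst']} to {trace['dnat'][1]}; packet is forwarded, not handled locally"
        if trace["verdict"] and trace["verdict"].startswith("Denied"):
            reason += f"; then dropped: {trace['verdict']}"
        return reason
    if trace["verdict"] and trace["verdict"].startswith("Denied"):
        return f"dropped: {trace['verdict']}"
    return "no problem seen in this trace"
```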
linus2023
New Contributor

I cannot ping 148.51.230.148 either internally or externally.
