Hi all,
Not sure if this is a FortiGate issue, but I've got a site connected to our main HQ with an IPsec VPN between the two (60E v7.0.3) and all is working fine. However, I've gone to ping some devices over there and found that I can ping some and not others. They are all on the same subnet, and if I connect onto a machine within that subnet I can ping them all, so I know that ping is enabled on the devices and I know that the gateway is set, as they can get to the HQ side of the VPN fine.
I've run a packet capture on the devices that I can't ping and the ping is showing as getting to the devices, but nothing returns back? There is only a single 48-port HP switch between the devices and the router and all devices are in the same switch, so I'm not sure why I can ping some and not the others? Is there anything anyone can think of?
Thanks
Ian
Hello,
Thank you for your question. If you have verified that the ping request is arriving on the client you are not able to reach but no reply is generated, check whether the device has some built-in firewall (Windows Firewall, etc.). Try to disable it and ping again.
There is no firewall on the client blocking it, as I can ping those in question from a device on the same subnet and get a response, so I know the ping is getting out of the device(s).
Thanks
Hi,
In that case, if you can see that the ICMP request is leaving the tunnel and is forwarded to the destination, try enabling SNAT on the firewall policy that is allowing traffic from the tunnel to the LAN. But if the FGT is the gateway for the destination client, then it shouldn't matter if NAT is on or off.
There is one difference that you must keep in mind:
If you ping from a machine within the same subnet, that is subnet-internal traffic; it is delivered point-to-point and will not hit the FortiGate.
If you ping via the IPsec tunnel, this is traffic from a different subnet/interface and will use the FGT as the gateway to be routed on. So the FGT needs to know a route to that subnet plus a policy that allows the traffic. I guess you have that, as you wrote that you can ping hosts in the destination network.
Probably you should check the default gateway of the hosts that you cannot ping from the IPsec side. If they don't use the FGT as their default gateway, the reply to your ping cannot reach back to you...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
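To make the distinction above concrete, here is an added example (not code from the thread or from Fortinet) that walks a constructed summary of the capture taken at the remote site and, for each LAN host, separates echo requests that went unanswered from on-subnet sources from those that went unanswered only from off-subnet (tunnel) sources. The LAN prefix 192.168.10.0/24, the HQ address 10.0.0.5 and the capture lines are all assumed sample values.

```python
# Added example: classify unanswered ICMP echo requests seen on the remote LAN.
# A host that answers same-subnet pings but not pings arriving via the tunnel
# matches the wrong-default-gateway / asymmetric-route pattern; a host that
# answers neither points at a host-level firewall instead.
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed remote-site LAN prefix

# Constructed capture summary, one record per line: "src dst icmp_type"
# (ICMP type 8 = echo request, type 0 = echo reply). 10.0.0.5 is an assumed HQ host.
CAPTURE = """
10.0.0.5 192.168.10.20 8
192.168.10.20 10.0.0.5 0
10.0.0.5 192.168.10.30 8
192.168.10.31 192.168.10.30 8
192.168.10.30 192.168.10.31 0
10.0.0.5 192.168.10.40 8
192.168.10.31 192.168.10.40 8
""".strip()

def parse(capture):
    """Turn the text summary into (src, dst, icmp_type) tuples."""
    flows = []
    for line in capture.splitlines():
        src, dst, icmp_type = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(icmp_type)))
    return flows

def unanswered_requests(capture, lan=LAN):
    """Per LAN host, count echo requests with no matching reply, split by source side."""
    flows = parse(capture)
    replies = {(src, dst) for src, dst, icmp_type in flows if icmp_type == 0}
    counts = defaultdict(lambda: {"on_subnet": 0, "off_subnet": 0})
    for src, dst, icmp_type in flows:
        if icmp_type != 8 or dst not in lan or (dst, src) in replies:
            continue  # not a request to a LAN host, or it was answered
        counts[str(dst)]["on_subnet" if src in lan else "off_subnet"] += 1
    return dict(counts)

def diagnose(capture, lan=LAN):
    """Map each silent host to the most likely cause suggested by the pattern."""
    verdicts = {}
    for host, c in unanswered_requests(capture, lan).items():
        if c["on_subnet"]:
            verdicts[host] = "check host firewall"      # drops even same-subnet pings
        elif c["off_subnet"]:
            verdicts[host] = "check default gateway"    # replies only to its own subnet
    return verdicts
```

Run `diagnose(CAPTURE)` against a real capture summary to see which hosts fall into each bucket; a hit in the "check default gateway" bucket is the case the reply above describes.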
This helped me.
I think I'll have to go to that site and do some testing from within that subnet. I'm "assuming" all the devices I can't get a ping back from do have a gateway, as they can connect to the internet along with devices on the other end of the tunnel, so in order to do that they must have the correct gateway. I've just realised, though, that it seems to be HP thin clients I can't get a reply back from, and all other kit seems OK, but I know the HP thin clients have a gateway as they are connecting fine to the servers at the other end of the IPsec VPN. I guess it's something to go on... thanks all.
You can also try pinging from the FortiGate directly. Presumably one of its interfaces would be in the same subnet, so in theory it should be able to ping all of them?
Yes, I can ping directly from the FortiGate, and I've been onto one of the machines at the remote site and all looks OK: I can ping from there across the VPN and get a reply back. Traceroute returns OK, the gateway is OK, the firewall is OK.
Hi,
In that case, if this direction is working, and when you try to ping the other way, from the remote client, you see the ping on the destination client but no reply is generated (in Wireshark), then I still think that the best candidate is a built-in firewall blocking it.