Hello,
I really don't get it. I wanted to try a FG30E in my office (before I had a FG60F and everything works fine) with OS 6.0.15. Before I did a factory reset to start from scratch.
After the configuration in my office I had internet access and everything from the 192.168.25.145.
LAN is 192.168.25.0/24 and my PC has the 192.168.25.145 (just as with the FG60F). I configured the SSL VPN to have access from outside to the 192.168.25.145 when I realized that I can establish the SSL VPN but I cannot connect via RDP. I can't PING the 145.
Then I tried to ping from the FG and nothing:
FGT30E3U17022826 # exec ping 192.168.25.145
PING 192.168.25.145 (192.168.25.145): 56 data bytes
--- 192.168.25.145 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT30E3U17022826 #
Also I tried directly with a VIP to get RDP access for emergencies to connect to this PC and of course it doesn't work. I double checked Interface and IP config from the PC, Policy, restarted, etc. On Device Inventory I can see the IP and the MAC.
So weird, I really don't know what else to check. Maybe a hardware problem?
Thanks for your ideas!
Sounds like you can ping *from* the device with 192.168.25.145? If so I would look at the device's firewall settings. Is it allowing ping and other protocols?
Also I assume you have verified your policies allow from SSL interface to LAN interface for that specific traffic flow?
Can you try a debug flow?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238
Hi,
thanks for your info.
For me the issue is that I can't ping from the CLI of the FG30E to the 192.168.25.145 host. From the host yes I can ping to the FW.
Also since I know that with my other FG I could ping and I did have ping and access via SSL VPN it can't be an issue of the host (I didn't change anything).
I double checked policies and everything, everything was set on ALL.
Could it be a hardware issue? Later I will check again in the office, like change the interface or put a switch between the fw and the host.
Thanks
Did you check if windows firewall is enabled? Try disabling that on windows.
In addition to this, you can open two putty sessions and run the following:
Putty session # 1: Enable sniffer
diag sniff packet any 'host 192.168.25.145 and icmp' 4 0 a
Putty session # 2: Ping the host
exec ping 192.168.25.145
Thank you.
Shahan Agha
Could also be some routing issue. If there is no NAT enabled on the policy to 192.168.25.xxx subnet the pc will receive your ping with the original source ip and it then will need to have a route back to there (or the default gw must be your FGT).
You could do some flow debug on your FortiGates to check that.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi,
still nothing, I am now in the office and I would like to try also with another host. Can't be the windows firewall, first it is disabled and second it worked yesterday with the other FG.
This is what I get from the sniffer....what is eth0? Reminds me of old Juniper times ;)
FGT30E3U17022826 # diag sniff packet any "host 192.168.25.145 and icmp" 4 0 a
interfaces=[any]
filters=[host 192.168.25.145 and icmp]
2022-09-13 11:30:46.755253 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:46.755263 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770778 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770784 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo r
On the policies NAT is enabled.
So crazy...I hope this is not a hardware issue.
Thanks!
The traffic seems to be leaving the FGT interface with ping echo requests and not getting ping echo replies.
Try connecting one of the host directly to the FGT on one of its interfaces. This can not be a FGT issue as the traffic seems to be sent out and not received back.
Thank you.
Shahan Agha
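The conclusion above (requests leave, no replies return) can be checked mechanically over the verbose-4 sniffer output. This is an added example, not code from the thread or from Fortinet; the line format is assumed from the lines quoted above, and the 192.168.25.150 host with its echo reply lines is constructed for contrast.

```python
import re
from collections import Counter

# One line of "diag sniff packet any '...' 4" output, as quoted in the thread, e.g.
# 2022-09-13 11:30:46.755253 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
SNIFF_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse_sniff(text):
    """Return the ICMP echo lines as dicts; header and non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def unanswered_pings(text, probe_iface="lan"):
    """Per target host: (echo requests sent out of probe_iface, echo replies seen back on it).

    Sniffing on 'any' shows each packet twice (logical 'lan' and physical 'eth0'),
    so only probe_iface is counted to avoid double counting."""
    sent, got = Counter(), Counter()
    for ev in parse_sniff(text):
        if ev["iface"] != probe_iface:
            continue
        if ev["kind"] == "request" and ev["dir"] == "out":
            sent[ev["dst"]] += 1
        elif ev["kind"] == "reply" and ev["dir"] == "in":
            got[ev["src"]] += 1
    return {host: (sent[host], got[host]) for host in sent}

# Constructed sample: the thread's unanswered probes to .145 plus a made-up healthy host .150.
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.25.145 and icmp]
2022-09-13 11:30:46.755253 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:46.755263 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770778 lan out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:47.770784 eth0 out 192.168.25.1 -> 192.168.25.145: icmp: echo request
2022-09-13 11:30:48.100000 lan out 192.168.25.1 -> 192.168.25.150: icmp: echo request
2022-09-13 11:30:48.100010 eth0 out 192.168.25.1 -> 192.168.25.150: icmp: echo request
2022-09-13 11:30:48.100500 eth0 in 192.168.25.150 -> 192.168.25.1: icmp: echo reply
2022-09-13 11:30:48.100510 lan in 192.168.25.150 -> 192.168.25.1: icmp: echo reply
"""

if __name__ == "__main__":
    for host, (out, back) in sorted(unanswered_pings(SAMPLE).items()):
        verdict = "OK" if back >= out else "no reply: check host firewall, cabling/port, ARP"
        print(f"{host}: {out} requests out, {back} replies in -> {verdict}")
```

Any host that shows requests out but zero replies in is a host-side or link-side problem, as the thread concludes; the FortiGate has already done its part.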
it works.....now I can ping....directly and with the SSL connection.
The only thing I did was to connect (also directly) the other host and suddenly I could ping both hosts from the FG.
Really strange because I don't know what is/was going on.
Thanks!
Definitely a weird one. At this point it appears to be something to do with the device... considering we could see the ping packets leaving the FortiGate and the device was directly connected. Perhaps some other process besides Windows Firewall blocking?