edisonwang66
New Contributor

Crazy fortigate forwarding behavior

Hey,

One of my computers with IP 10.10.11.152 gets ping timeouts to its gateway, the FortiGate firewall internal interface with IP 10.10.11.1. However, other servers on the subnet, like 10.10.11.150, can ping 10.10.11.1. When I did a ping capture on the firewall, I saw the following output. The reply packets are not going through the internal interface but through a "root" interface, yet I have never created any interface called root. It's so confusing. Has anyone ever seen this crazy behavior before? Any solution to fix this issue? Thank you.


# diagnose sniffer packet any "host 10.10.11.1 and icmp" 4
5.779616 internal in 10.10.11.152 -> 10.10.11.1: icmp: echo request
5.779668 root out 10.10.11.1 -> 10.10.11.152: icmp: echo reply
5.779678 root in 10.10.11.1 -> 10.10.11.152: icmp: echo reply
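When a capture like the one above has more than a handful of lines, it helps to pair each ICMP echo request with its reply and flag hosts whose reply leaves on an interface other than the one the request arrived on. The script below is an added example, not part of this thread or of FortiOS; it assumes the `diagnose sniffer packet ... 4` line layout shown above (`timestamp interface in|out src -> dst: icmp: echo request|reply`) and uses a constructed sample made of the three lines from the post plus an invented symmetric exchange for 10.10.11.150 so the contrast is visible.

```python
import re
from collections import defaultdict

# Constructed sample capture: the three lines quoted in the post, followed by
# an invented, well-behaved exchange for 10.10.11.150 (not from the thread).
SAMPLE_CAPTURE = """\
5.779616 internal in 10.10.11.152 -> 10.10.11.1: icmp: echo request
5.779668 root out 10.10.11.1 -> 10.10.11.152: icmp: echo reply
5.779678 root in 10.10.11.1 -> 10.10.11.152: icmp: echo reply
6.101002 internal in 10.10.11.150 -> 10.10.11.1: icmp: echo request
6.101050 internal out 10.10.11.1 -> 10.10.11.150: icmp: echo reply
"""

# Assumed line format of verbosity-4 sniffer output (timestamp, interface,
# direction, source, destination, ICMP echo type).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: echo (?P<kind>request|reply)$"
)


def parse_sniffer(text):
    """Turn sniffer output into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def find_asymmetric_paths(records):
    """Map each pinging host to (request ingress iface, set of reply egress ifaces)
    for hosts whose echo reply left on an interface other than the request's ingress."""
    ingress_iface = {}            # host -> interface its echo request came in on
    egress_ifaces = defaultdict(set)  # host -> interfaces the firewall's reply went out on
    for rec in records:
        if rec["kind"] == "request" and rec["dir"] == "in":
            ingress_iface[rec["src"]] = rec["iface"]
        elif rec["kind"] == "reply" and rec["dir"] == "out":
            egress_ifaces[rec["dst"]].add(rec["iface"])

    mismatches = {}
    for host, in_iface in ingress_iface.items():
        out_ifaces = egress_ifaces.get(host, set())
        if out_ifaces and out_ifaces != {in_iface}:
            mismatches[host] = (in_iface, out_ifaces)
    return mismatches


if __name__ == "__main__":
    for host, (in_if, out_ifs) in find_asymmetric_paths(parse_sniffer(SAMPLE_CAPTURE)).items():
        print(f"{host}: request in on {in_if}, reply out on {sorted(out_ifs)}")
```

Run against a real capture by piping the sniffer output into `parse_sniffer`; any host listed is one whose return path differs from its inbound path, which is exactly the condition the routing-table and debug-flow outputs requested in the replies below are meant to explain.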

jintrah_FTNT
Staff

Hi,

 

The configuration on the device is not understood. Please gather the output of the commands below so the behavior can be checked:

 

show sys settings

show sys global

show firewall ippool

show firewall vip

show router policy

get router info routing-table all

 

You may also run debug flow as detailed in "Troubleshooting Tip: First steps to troubleshoot c... - Fortinet Community" to understand the behavior better.

 

Best regards,

Jin

 

tthrilok
Staff

Hi Edison,

 

Thank you for the query!

 

From the query, I understand you are not able to ping the firewall IP from one specific user machine. 

 

Could you please confirm whether you are seeing the 10.10.11.0/24 route on the Internal interface?

 

Please share the output of the command:
get router info routing-table details 10.10.11.152

 

Also please share the below debugs:

 

di de reset

di de flow filter addr 10.10.11.152

di de flow filter proto 1

di de fl sho ip en

di de fl trace start 1000

di de en

 

Once you have run the above commands in the firewall CLI, please try to ping the firewall IP from 10.10.11.152. Once that is finished, please stop the debug using:

 

di de di

di de reset
