Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mohamed-Salah
New Contributor

Created on ‎11-23-2023 08:00 AM Edited on ‎11-24-2023 01:40 AM

GRE tunnel

I have site to site connection over the GRE tunnel it was working fine but now the GRE point to point IP is only ping 

and I found this result from my t-shooting

FortiGate <<GRE>> cisco

172.25.52.1, 2 is the GRE tunnel source

192.168.51.0/24 is the Cisco LAN interface

xxx-store is the GRE interface Name

I make sure the routing is okay

I double-checked everything even deleted everything and reconfigured it but I still got the same result 

 

608.668113 xxx-store out 172.25.52.1 -> 192.168.51.200: icmp: time exceeded in-transit

611.648337 xxx-store out 172.25.52.1 -> 192.168.51.200: icmp: time exceeded in-transit

614.662217 xxx-store out 172.25.52.1 -> 192.168.51.200: icmp: time exceeded in-transit

617.604860 wan in 192.168.50.117 -> 192.168.51.200: icmp: 192.168.50.117 udp port 33437 unreachable

 

I don't know why this problem  I try many solutions but nothing happens 

Kindly If anyone one facing the same issue provide me with the troubleshooting I need or how to fix it

Labels:
1561
0 Kudos
3 REPLIES 3
DPadula
Staff
Staff

Created on ‎11-23-2023 01:53 PM

Hi Mohamed-Salah,


When you get "ICMP time exceeded in-transit" means that TTL of the packet reached zero so probably due to a routing loop. 
Can you get a routing table on both sides of the GRE tunnel and paste them here?

 

1538
Mohamed-Salah
New Contributor

Created on ‎11-24-2023 01:36 AM Edited on ‎11-24-2023 01:39 AM

thank you @DPadula 

I make sure of this and the routing is going correctly from both sides as shown below

fortigate 

Routing table for VRF=0
Routing entry for 192.168.51.0/24
Known via "static", distance 10, metric 0, best
* 172.25.52.2, via xxx-store  <--- gre tunnel 172.25.52.1

Cisco 

Routing entry for 192.168.50.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Tunnel51  <--- gre tunnel 172.25.52.2
Route metric is 0, traffic share count is 1

1524
0 Kudos
DPadula
Staff
Staff

Created on ‎11-26-2023 08:15 PM

Hi Mohamed,

 

I can see that you have a route on the local device that you are using to ping 192.168.51.200.

But you haven't pasted the routing table on the remote device. Can you confirm that it has the route to 172.25.52.x?

 

Also, run the following commands during the ping test (remote device). 

 

diagnose debug reset
diagnose debug disable
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 192.168.51.200
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 500
diagnose debug enable

1473
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.