Hello guys,
I have established a site-to-site (S2S) tunnel between two FortiGate firewalls, and this is my topology.
The tunnel works, but not perfectly: it can ping just from the LAN interface to the other LAN interface (and vice versa) (example: a ping from 192.168.1.1 to 10.0.0.1 works, but if we want to ping from one host to the other host, the ping fails).
After some time of troubleshooting, I found out that the ICMP session is lost on every ICMP request.
So guys, what is the solution to this problem, please?
A new session is allocated for each ICMP type 8 message because they all have different identifiers.
To fix this issue, change your ping application or its settings to ensure the ID remains the same. FortiGate will then consider them to be part of the same ICMP session.
Reference: page 15 of https://datatracker.ietf.org/doc/html/rfc792
Hello,
how can I change my ping application?
Created on 02-27-2024 01:10 AM Edited on 02-27-2024 01:11 AM
I think the issue is not with the ping application; creating a new session for each ICMP packet is not the issue. It looks like there is no route. Can you enable source NAT on the policy from the tunnel towards your LAN/PC to eliminate the route issue? This is for testing; we can check further on routing if this source NAT fixes the issue.
Hello there,
I have enabled NAT in the policy, but no result either.
This time I will try to create a custom tunnel.
Can you collect the following from Fortinet2: "diag sniffer packet any "host x.x.x." 10"
(replace x.x.x. with the IP of Win5)
and initiate a ping from Win4 towards Win5?
Hi,
- Have you tried to capture the ICMP packets on both sides? If yes, do you see whether you are missing any ICMP requests or replies?
- We should be able to see at least the cleartext ICMP request in the LAN interface captures on the firewall.
Regards,
Shiva
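The two replies above ask for the same thing: a sniffer capture on the peer firewall, and a comparison of which ICMP requests and replies show up on which interface. The script below is an added example for this thread (not Fortinet code and not posted by anyone in it). It pairs echo requests with echo replies in FortiGate sniffer output and says, per flow, where the ping dies. It assumes the capture was taken on the peer firewall with verbosity 4, for example `diag sniffer packet any 'host 10.0.0.2 or host 10.0.0.1' 4`, so that each line carries a timestamp, the interface, the direction, `src -> dst` and an `icmp: echo request|reply` summary. The interface names (VPN-to-A, port2) and the sample capture are constructed to mirror the thread: the firewall's own LAN IP answers, the host 10.0.0.2 does not.

```python
"""Pair ICMP echo requests with replies in FortiGate 'diag sniffer packet'
output (verbosity 4) and report, per flow, the next place to look.

Added example for this forum thread; not Fortinet code.  Interface names
and the sample capture below are constructed, not taken from the thread.
"""
import re
from collections import defaultdict

# One verbosity-4 line: "<ts> <iface> <in|out> <src> -> <dst>: icmp: echo <kind>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"icmp: echo (?P<kind>request|reply)$"
)

# Constructed sample of what the peer firewall (FW-B / Fortinet2) sees:
# the ping to its own LAN IP 10.0.0.1 is answered on the tunnel interface,
# the ping to the host 10.0.0.2 is forwarded out port2 but never answered.
SAMPLE = """\
interfaces=[any]
filters=[host 10.0.0.2 or host 10.0.0.1]
1.001000 VPN-to-A in 192.168.1.1 -> 10.0.0.1: icmp: echo request
1.001050 VPN-to-A out 10.0.0.1 -> 192.168.1.1: icmp: echo reply
2.001000 VPN-to-A in 192.168.1.10 -> 10.0.0.2: icmp: echo request
2.001090 port2 out 192.168.1.10 -> 10.0.0.2: icmp: echo request
3.001000 VPN-to-A in 192.168.1.10 -> 10.0.0.2: icmp: echo request
3.001090 port2 out 192.168.1.10 -> 10.0.0.2: icmp: echo request
"""


def parse(text):
    """Return one dict per ICMP echo line; header and filter lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def new_flow():
    return {"req_in": 0, "req_out": set(), "reply": 0}


def summarise(records):
    """Group by (src, dst) of the request; replies are keyed back to that pair."""
    flows = defaultdict(new_flow)
    for r in records:
        if r["kind"] == "request":
            f = flows[(r["src"], r["dst"])]
            if r["dir"] == "in":
                f["req_in"] += 1
            else:
                f["req_out"].add(r["iface"])
        else:
            flows[(r["dst"], r["src"])]["reply"] += 1
    return flows


def verdict(flow):
    """Map one flow summary to the next thing to check."""
    if flow["reply"]:
        return "ok: replies seen"
    if flow["req_in"] == 0:
        return ("no request reached this firewall: check the route into the tunnel, "
                "the policy and the phase2 selectors on the initiating side")
    if not flow["req_out"]:
        return ("request arrived but was not forwarded: check the policy from the "
                "tunnel to the LAN and the route to the host")
    return ("request forwarded out %s, no reply: check the host firewall and the "
            "host's default gateway" % ",".join(sorted(flow["req_out"])))


def diagnose(text, expected=()):
    """Verdict per flow; 'expected' adds (src, dst) pairs that may be absent."""
    flows = summarise(parse(text))
    for pair in expected:
        flows.setdefault(pair, new_flow())
    return {pair: verdict(f) for pair, f in flows.items()}


if __name__ == "__main__":
    # Also ask about a flow that is missing from the capture entirely.
    for pair, v in sorted(diagnose(SAMPLE, [("192.168.1.10", "10.0.0.30")]).items()):
        print("%s -> %s: %s" % (pair[0], pair[1], v))
```

Read the capture on both firewalls: a request that leaves FW-A on the tunnel interface but never appears on the tunnel interface of FW-B points at phase 2 or routing on FW-A's side, while a request that FW-B forwards out its LAN port with no reply points at the host, which is exactly the test proposed later in the thread (ping 10.0.0.2 from FW-B itself).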
Hi @khalilbouzaiene1,
Based on this statement:
"ping from 192.168.1.1 to 10.0.0.1 works, but if we want to ping from one host to the other host, the ping fails"
Can you tell me the findings that you had?
Example:
ping 192.168.1.1 to 10.0.0.1 - working
ping 192.168.1.1 to 10.0.0.30 - NOT working
I'm afraid this is something related to phase 2.
Please let me know the output.
ping 192.168.1.10 to 10.0.0.1 - working
ping 192.168.1.10 to 10.0.0.30 - NOT working
Hello my friend,
In our case, when I try to ping from the LAN interface 192.168.1.1 to 10.0.0.1 (these addresses are the LAN interfaces connected directly to the FortiGates (look at the topology)), I have this result:
FW-A # execute ping-options source 192.168.1.1
FW-A # execute ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=3.0 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=1.0 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=1.4 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=1.2 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=1.2 ms
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.5/3.0 ms
And now, when I try to ping from 192.168.1.1 to the host on the LAN (10.0.0.2), not the interface:
FW-A # execute ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
And vice versa: if we try the same from the other LAN interface, we get the same result.
Do you think that this is related to phase 2?
Thank you for the response.
Looks like anything behind the FortiGate peer is not reachable.
Please test this scenario:
On FortiGate2 (peer side), please ping 10.0.0.2.
We need to make sure that FortiGate2 itself is able to reach 10.0.0.2.
Otherwise, you need to fix FortiGate2 first. Maybe you have a routing issue.
Or 10.0.0.2 does not allow ping. You may disable the Windows firewall.
Copyright 2024 Fortinet, Inc. All Rights Reserved.