I am experiencing a loss of ICMP sessions when I attempt to ping through the IPsec tunnel.

Hello guys,

I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.



The tunnel works, but not perfectly: it can ping just from the LAN interface to the other LAN interface (and vice versa). (Example: a ping from to works, but if we want to ping from to the other host, the ping fails.)
After some time of troubleshooting, I found out that the ICMP session is lost on every ICMP request.

So guys, what is the solution for this problem, please?


A new session is allocated for each ICMP type 8 message because they all have different identifiers.


To fix this issue, change your ping application or its settings to ensure the ID remains the same. FortiGate will then consider them to be part of the same ICMP session.


Reference: Page 15 >
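To make the session-keying point above concrete, here is an added example (not code from the thread or from Fortinet): it builds and parses ICMP echo messages and keys them the way a stateful firewall would, on source, destination, protocol and the echo identifier, so requests that differ only in sequence number fall into one session while a changed identifier opens a new one. The key fields and the IP addresses are assumptions constructed for the example.

```python
import struct

# Constructed sample ICMP echo messages (IPv4 header omitted). The session key
# used here, (src, dst, proto, icmp id), is an assumption modelling how a
# stateful firewall matches echo replies to requests: only the identifier
# decides whether two echo requests share one session, the sequence number does not.

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """Build an echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(msg: bytes):
    """Return (type, code, ident, seq); reject short or corrupted messages."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, ident, seq

def session_key(src: str, dst: str, msg: bytes):
    """Session a firewall would file this echo message under, or None if not echo."""
    icmp_type, code, ident, _seq = parse_echo(msg)
    if icmp_type not in (8, 0) or code != 0:
        return None
    if icmp_type == 0:  # a reply belongs to the request's session: key it request-side
        src, dst = dst, src
    return (src, dst, "icmp", ident)

def count_sessions(packets):
    """packets: iterable of (src, dst, icmp bytes); number of distinct sessions."""
    keys = {session_key(s, d, m) for s, d, m in packets}
    keys.discard(None)
    return len(keys)
```

Feeding a capture where every request carries a new identifier yields one session per request, which is the behaviour the answer describes.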


How can I change my ping application?



I think the issue is not with the ping application; creating a new session for each ICMP is not the issue. It looks like there is no route. Can you enable source NAT on the policy from the tunnel towards your LAN/PC to eliminate the route issue? This is for testing; we can check further on routing if this source NAT fixes the issue.

Hello there,
I have enabled NAT in the policy, but no result either.
This time I am trying to create a custom tunnel.


Can you collect the following from Fortinet2: "diag sniffer packet any "host x.x.x." 10"
(replace x.x.x. with the IP of Win5)
and initiate a ping from Win4 towards Win5?

- Have you tried to capture the ICMP packets on both sides? If yes, do you see whether you are missing any ICMP requests or replies?

- We should be able to see at least the cleartext ICMP request on the LAN interface captures in the firewall.






Hi @khalilbouzaiene1,

Based on this statement:
ping from to it works but if we want to ping from the to the other host the ping issue 


Can you tell me the finding that you had?
ping to - working
ping to - NOT working

I'm afraid this is something related to phase 2.
Please let me know the output.





Hello my friend,
In our case, when I try to ping from the LAN interface to (these addresses are the interfaces of the LAN that are related to the FortiGate directly (look at the topology)), I have this result:

FW-A # execute ping-options source

FW-A # execute ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=3.0 ms
64 bytes from icmp_seq=1 ttl=255 time=1.0 ms
64 bytes from icmp_seq=2 ttl=255 time=1.4 ms
64 bytes from icmp_seq=3 ttl=255 time=1.2 ms
64 bytes from icmp_seq=4 ttl=255 time=1.2 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.5/3.0 ms

And now when I try to ping from to the host on the LAN (not the interface):

FW-A # execute ping
PING ( 56 data bytes

--- ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

And vice versa: if we try the same from the other LAN interface, we get the same result.
Do you think that this is related to the phase?


Hi @khalilbouzaiene1,


Thank you for the response.
It looks like anything behind the FortiGate peer is not reachable.

Please test this scenario:
On Fortigate2 (peer side), please ping .

We need to make sure this Fortigate2 itself is able to reach .
Else, you need to fix Fortigate2 first. Maybe you have a routing issue,
or ping is not allowed. You may disable the Windows firewall.


