I am experiencing a loss of ICMP sessions when I attempt to ping through the IPsec tunnel.
Hello guys,
I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.
The tunnel works, but not perfectly: it can ping only from the LAN interface of one firewall to the LAN interface of the other (and vice versa). Example: a ping from 192.168.1.1 to 10.0.0.1 works, but if we want to ping from one host to the other host, the ping fails.
After some time of troubleshooting I found out that the ICMP session is lost on every ICMP request.
So guys, what is the solution for this problem, please?
Okay, now we are on FW-B and I try to ping the host in the LAN, and this is the result:
FW-B # execute ping-options source 10.0.0.1
FW-B # execute ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=128 time=1.1 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=128 time=0.9 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=128 time=0.8 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=128 time=0.8 ms
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms
And, as I said before, if we want to ping from FW-B to the host in the other LAN, the ping does not work:
FW-B # execute ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
There are some possibilities I can see:
1. FW-A did not route 10.0.0.2 to FW-B. Check active routing on FW-A.
2. FW-B policy blocks traffic to 10.0.0.2.
The best way to verify if traffic is sent/received correctly is by sniffer (run on both FW-A and FW-B and do the ping test):
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...
So this snapshot shows us the packets that arrived at FW-A when I ping from the host 192.168.1.2 to the host 10.0.0.2,
and this snapshot shows us the packets that arrived at FW-B when I try to ping from the host 10.0.0.2 to the host 192.168.1.2.
In these snapshots I see only one thing that may be the problem,
which is that the ICMP session is always renewed.
Hi @khalilbouzaiene1
Thank you for the debug result.
Please focus on one-way traffic first.
Ping from 192.168.1.2 to FW-B 10.0.0.2.
When you run the sniffer, is the ping received on FW-B?
diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0
(run this on FW-A and FW-B, then do the ping test)
I can see the interesting output "ret-no-match".
I suspect a routing issue.
Hello @Muhammad_Haiqal
Okay, for your test I ran the command "diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0" in the terminal of the two FortiGates, and
on FortiGate A I see packets, but on FortiGate B nothing happens; I don't receive any packet.
So with this result, do you think that I have a routing problem?
Hi @khalilbouzaiene1,
Yes. Very likely a routing issue.
FGT-A seems to never send the traffic to FGT-B.
Based on the sniffer, you should see IN and OUT.
From there, you can identify whether traffic from FGT-A left on the correct outbound interface or not.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...
First, fix FGT-A. Make sure the traffic is sent to the correct outbound interface (the tunnel to FGT-B).
Once traffic is received on FGT-B, then troubleshoot on FGT-B.
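To make the IN/OUT check from the reply above concrete, here is an added example (not from any poster in this thread and not a Fortinet tool) that parses constructed verbosity-4 sniffer lines from FW-A and reports, per echo-request flow, which interface the request left on. The interface names `port1`, `wan1` and `to-FW-B` and the sample lines are assumptions.

```python
import re

# Constructed verbosity-4 lines ("diag sniffer packet any '...' 4 0") as they might look
# on FW-A. Assumed names: port1 = LAN, wan1 = uplink, to-FW-B = IPsec tunnel interface.
# Host pings leave on wan1 (default route) while FW-A's own ping to 10.0.0.1 uses the tunnel.
SAMPLE_FW_A = """\
1.000100 port1 in 192.168.1.2 -> 10.0.0.2: icmp: echo request
1.000150 wan1 out 192.168.1.2 -> 10.0.0.2: icmp: echo request
2.000100 port1 in 192.168.1.2 -> 10.0.0.2: icmp: echo request
2.000150 wan1 out 192.168.1.2 -> 10.0.0.2: icmp: echo request
3.000150 to-FW-B out 192.168.1.1 -> 10.0.0.1: icmp: echo request
3.001200 to-FW-B in 10.0.0.1 -> 192.168.1.1: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+(?P<src>\d+(?:\.\d+){3})"
    r" -> (?P<dst>\d+(?:\.\d+){3}): icmp: (?P<kind>echo request|echo reply)$")

def parse_sniffer(text):
    """Return one dict per line matching the verbosity-4 ICMP format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def check_outbound(rows, tunnel_intf):
    """Per (src, dst) echo-request flow, report where the request left the box:
    'tunnel' = out on tunnel_intf (routing OK here, look at the far end next),
    'wrong-interface:<name>' = out elsewhere (no route via the tunnel),
    'not-forwarded' = seen inbound only (policy denial or local drop)."""
    seen_in, out_intf = set(), {}
    for r in rows:
        if r["kind"] != "echo request":
            continue
        flow = (r["src"], r["dst"])
        if r["dir"] == "in":
            seen_in.add(flow)
        else:
            out_intf[flow] = r["intf"]
    verdict = {}
    for flow in seen_in | set(out_intf):
        if flow not in out_intf:
            verdict[flow] = "not-forwarded"
        elif out_intf[flow] == tunnel_intf:
            verdict[flow] = "tunnel"
        else:
            verdict[flow] = "wrong-interface:" + out_intf[flow]
    return verdict
```

Paste real sniffer output in place of the constructed sample and pass your tunnel interface name; a `wrong-interface` verdict for the host flow while the firewall's own flow says `tunnel` matches the symptom described in this thread and points at the routing table rather than the tunnel itself.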
@Muhammad_Haiqal
I don't understand one thing, which is why, when I ping from 192.168.1.1 to 10.0.0.1, the ping works,
but when I try to ping from 192.168.1.2 to 10.0.0.2 (hosts) the ping doesn't work.
If there is any routing issue, the ping from 192.168.1.1 to 10.0.0.1 will not work!!
But it works, so what do you think?!
Hi,
- Can you share your routing table?
- You can try to take sniffer for the ESP packet which is getting exchanged between the 2 devices using the gateway IP in the filter. When pinging you can set the ping size as 1000 bytes to compare the packets coming to the firewall and encrypted packet which is going out.
Regards,
Shiva
Hello @smaruvala
Okay, the routing table of FW-A
and the routing table of FW-B
I don't understand what you mean by your test!
Do you mean I should try to ping between the two FGT LAN interfaces and sniff the packets?