I am experiencing a loss of ICMP sessions when I attempt to ping through the IPsec tunnel.

hello guys 

I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.



Then the tunnel works, but not perfectly: it can ping just from the LAN interface to the other LAN interface (and vice versa) (example: ping from to works, but if we want to ping from the to the other host, there is a ping issue).
After some time of troubleshooting I found out that the ICMP session is lost on every ICMP request.

So guys, what is the solution for this problem please!


Okay, now we are on FW-B and I try to ping the host in the LAN, and this is the result:

FW-B # execute ping-options source

FW-B # execute ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=128 time=1.1 ms
64 bytes from icmp_seq=1 ttl=128 time=0.9 ms
64 bytes from icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from icmp_seq=3 ttl=128 time=0.8 ms
64 bytes from icmp_seq=4 ttl=128 time=0.8 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms

And, as I said before, if we want to ping from FW-B to the host in the other LAN, the ping is not working:

FW-B # execute ping
PING ( 56 data bytes

--- ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss


There are some possibilities I can see:


1. FW-A did not route to FW-B. Check active routing on FW-A.

2. FW-B policy blocks traffic to


The best way to verify if traffic is sent/received correctly is by sniffer (run on both FW-A and FW-B and do the ping test):


So this snapshot shows us the packets that arrived at FW-A when I ping from the host to the host.





And this snapshot shows us the packets that arrived at FW-B when I try to ping from the host to the host.





In these snapshots I see only one thing that may be the problem, which is that the ICMP session is always renewed.


Hi @khalilbouzaiene1 

Thank you for the debug result.
Please focus on 1-way traffic first.

Ping from to FW-B

When you do the sniffer, is the ping received on FW-B?
diag sniffer packet any 'host and icmp' 4 0
(run this on FW-A and FW-B, then do the ping test)

I can see interesting output "ret-no-match".
I suspect a routing issue.


Hello @Muhammad_Haiqal,
okay, for your test I have written the cmd "diag sniffer packet any 'host and icmp' 4 0" in the terminal of the two FortiGates, and
in FortiGate A I have packets, but in FortiGate B nothing happens, I don't receive any packet.

So with this result, do you think that I have a routing problem?


Hi @khalilbouzaiene1 ,

Yes. Very likely a routing issue.
FGT-A seems to never send the traffic to FGT-B.

Based on the sniffer, you should see IN and OUT.
From there, you can identify if traffic from FGT-A left to the correct outbound or not.

1st, fix on FGT-A. Make sure it is sent to the correct outbound interface (tunnel to FGT-B).
Once traffic is received on FGT-B, then troubleshoot on FGT-B.
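
As an added example (not from this thread or from Fortinet), a small Python parser for verbosity-4 sniffer output that flags the "IN but no OUT" symptom described above: echo requests that enter a firewall on a LAN interface but are never seen leaving on the tunnel interface. The interface names, addresses and capture lines are constructed; the assumed line format is the usual `<time> <iface> in|out <src> -> <dst>: icmp: echo request`.

```python
import re

# One "diag sniffer packet any '...' 4 0" line; verbosity 4 prints the
# interface name and direction. Format assumed from typical FortiGate output.
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)


def parse_sniffer(text):
    """Yield (iface, direction, src, dst, kind) for every ICMP echo line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["iface"], m["dir"], m["src"], m["dst"], m["kind"]


def stranded_requests(text, tunnel_iface):
    """Return (src, dst) pairs whose echo requests came IN on a non-tunnel
    interface but never went OUT on tunnel_iface. On the sending firewall
    this is the 'IN but no OUT' pattern that points at a route (or policy)
    problem on that box rather than at the peer."""
    seen_in, seen_out = set(), set()
    for iface, direction, src, dst, kind in parse_sniffer(text):
        if kind != "request":
            continue
        if direction == "in" and iface != tunnel_iface:
            seen_in.add((src, dst))
        elif direction == "out" and iface == tunnel_iface:
            seen_out.add((src, dst))
    return sorted(seen_in - seen_out)


# Constructed capture from FW-A: host 192.168.10.20 (LAN A) pings host
# 192.168.20.20 (LAN B) and is never forwarded into the tunnel, while a ping
# sourced from FW-A's own LAN address 192.168.10.1 goes out and gets a reply.
SAMPLE_FW_A = """\
interfaces=[any]
filters=[host 192.168.20.20 and icmp]
1.101 port2 in 192.168.10.20 -> 192.168.20.20: icmp: echo request
2.101 port2 in 192.168.10.20 -> 192.168.20.20: icmp: echo request
3.205 to_FW-B out 192.168.10.1 -> 192.168.20.20: icmp: echo request
3.206 to_FW-B in 192.168.20.20 -> 192.168.10.1: icmp: echo reply
"""

if __name__ == "__main__":
    for src, dst in stranded_requests(SAMPLE_FW_A, "to_FW-B"):
        print(f"{src} -> {dst}: seen IN but never OUT on to_FW-B, check routing")
```

Run it against a saved capture from each firewall; a non-empty result on FW-A with nothing arriving on FW-B matches the routing diagnosis above.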


I don't understand one thing, which is why, when pinging from to, the ping works,
but when I try to ping from to (hosts) the ping didn't work.
If there is any routing issue, the ping from to will not work!!
But it works, so what do you think?!


- Can you share your routing table?

- You can try to take a sniffer of the ESP packets being exchanged between the 2 devices, using the gateway IP in the filter. When pinging you can set the ping size to 1000 bytes to compare the packets coming into the firewall with the encrypted packets going out.





Hello @smaruvala,
okay, the routing table of FW-A

and the routing table of FW-B


I don't understand what you mean in your test!

Do you mean I try to ping between the 2 FGT LAN interfaces and sniff the packets?


