hello guys
I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.
then the tunnel work but no perfectly it can ping juste from the interface of the lan to the other lan interface (and vise verca) (exmple : ping from 192.168.1.1 to 10.0.0.1 it works but if we want to ping from the to the other host the ping issue )
after some time of troubleshooting i find out that the icmp session losed in evry icmp request
so guys what is the solution for this problem please !
okay now we are in the FW-B and i try to ping the host in the lan and this the result
FW-B # execute ping-options source 10.0.0.1
FW-B # execute ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=128 time=1.1 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=128 time=0.9 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=128 time=0.8 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=128 time=0.8 ms
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms
and if we want like what i said before if we want to ping from the FW-B to the host in the other lan , the ping not working
FW-B # execute ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
There are some possibilities i can see:
1. FW-A did not route 10.0.0.2 to FW-B. Check active routing on FW-A.
2. FW-B policy block traffic to 10.0.0.2.
The best way to verify if traffic is sent/receive correctly is by sniffer(run on both FW-A and FW-B and do the ping test):
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...
so this snapshote show us the packet that arrieved to FW-A when i ping from the host 192.168.1.2 to the host 10.0.0.2
and this snapshote show us the packet arrived to FW-B when i try to ping from the host 10.0.0.2 to the host 192.168.1.2
in these snapdhotes i see only one thing that is may be the problem
which is that the icmp session always renewed
Hi @khalilbouzaiene1
Thank you for the debug result.
Please focus on 1 way traffic 1st.
Ping from 192.168.1.2 to FW-B 10.0.0.2
When you do sniffer, does the ping received on FW-B?
diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0
(run this on FW-A and FW-B, then do the ping test)
I can see interesting output "ret-no-match".
I suspecting routing issue.
hello @Muhammad_Haiqal
okay for your test i have wrote the cmd "diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0" in the termnal of the two fortigate and
in the fortigate A i have packet but in the fortigate B no thing happen i don't recive any packet .
so with this result do you thing that i have routing problem ?
Hi @khalilbouzaiene1 ,
Yes. Very likely routing issue.
FGT-A seems never send the traffic to FGT-B.
Based on the sniffer, you should see IN and OUT.
From there, you can identify if traffic from FGT-A left to the correct outbound or not.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...
1st, fix on the FGT-A . Make sure it sent to correct outbound interface(tunnel to FGT-B).
Once traffic received on FGT-B, then troubleshoot on FGT-B.
@Muhammad_Haiqal
i don't undrestand one thing which is why when ping from 192.168.1.1 to 10.0.0.1 the ping work
but when i try to ping from 192.168.1.2 to 10.0.0.2 (hosts) the ping didn't work
if there is any rounting issue the ping from 192.168.1.1 to 10.0.0.1 will not work !!
but it work so what do you thing ?!
Hi,
- Can you share your routing table?
- You can try to take sniffer for the ESP packet which is getting exchanged between the 2 devices using the gateway IP in the filter. When pinging you can set the ping size as 1000 bytes to compare the packets coming to the firewall and encrypted packet which is going out.
Regards,
Shiva
hello @smaruvala
okay the routing talble of FW-A
and the rounting table of FW-B
i don't undrestand what do you mean in your test !
do you mean i try to ping between the 2 fgt lan interface and sniff the packet ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.