
(IPSEC VPN) can you help

Hello, my FortiGate 60E is on version 7.0.5.
I started to get a cloud service and I will use the SAP program.
The cloud system has a WatchGuard firewall.
I'm doing IPsec tunnel > Custom in the FortiGate interface. Phase 1 is connected and phase 2 seems to be connected, but I can't ping the SAP servers.

The SAP server on the cloud side is pinging my side.
My policy rules look good.
The static route part is also correct, but I cannot access the SAP servers from the local network.

Can you help me?



As I understand, the tunnel is up and you have an issue pinging from your local network towards the SAP servers on the remote end.


A sniffer would quickly help identify if traffic is allowed from the local network towards the remote end through the VPN tunnel.

#diag sniffer packet any 'host <sap server IP address> and icmp' 4 


Once traffic is confirmed to be sent through the tunnel, we should be able to check on the remote end if the packets are received and whether policies are in place to allow this ICMP traffic towards the SAP servers. And if so, you may also check if the SAP servers have any endpoint protection/firewall which needs to allow ICMP traffic.


Best regards,



# diagnose sniffer packet any '! host 82.***.8*.114' icmp 4
filters=[! host 82.***.8*.114]
0.272509 -> 82.***.132.3.110: ack 3579408031
0.272534 85.***.3.57.**778 -> 82.***.132.3.110: ack 3579408031
0.272541 pppoe printer hasn't been added to sniffer
0.272553 pppoe printer hasn't been added to sniffer


This is the result.


Thanks, but I do not see any ICMP packets sent from

#diag sniff packet any 'host and icmp' 4 


We must be able to see the incoming interface and the outgoing VPN interface in the sniffer to confirm the packets have been sent to the other end.
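
The check described in the replies above, as an added example that is not part of the original thread: a small Python script that reads saved sniffer output and reports the last hop at which a ping to the SAP server was observed. The interface names `internal` and `sap_vpn`, the addresses, and the sample capture are constructed assumptions.

```python
import re

# Constructed capture in the layout of sniffer verbosity 4 (timestamp, interface,
# direction, summary). "internal", "sap_vpn" and all addresses are made up.
SAMPLE = """\
interfaces=[any]
filters=[host 10.20.0.5 and icmp]
1.102334 internal in 192.168.1.10 -> 10.20.0.5: icmp: echo request
1.102401 sap_vpn out 192.168.1.10 -> 10.20.0.5: icmp: echo request
2.104120 internal in 192.168.1.10 -> 10.20.0.5: icmp: echo request
2.104177 sap_vpn out 192.168.1.10 -> 10.20.0.5: icmp: echo request
"""

LINE = re.compile(
    r"^\d+\.\d+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[^:\s]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def trace_ping(capture, target, lan_if, vpn_if):
    """Report the last hop at which a ping to `target` was observed."""
    seen = set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines, non-ICMP lines, lines without an interface
        # For a request the target is the destination; for a reply, the source.
        peer = m["dst"] if m["kind"] == "request" else m["src"]
        if peer == target:
            seen.add((m["iface"], m["dir"], m["kind"]))
    if (lan_if, "in", "request") not in seen:
        return "no-request-on-lan"      # not seen arriving on the LAN interface
    if (vpn_if, "out", "request") not in seen:
        return "not-sent-into-tunnel"   # arrived, but did not leave via the VPN
    if (vpn_if, "in", "reply") not in seen:
        return "sent-no-reply"          # left via the VPN, nothing came back
    return "reply-received"

if __name__ == "__main__":
    print(trace_ping(SAMPLE, "10.20.0.5", "internal", "sap_vpn"))
```

A result of `sent-no-reply` points the investigation at the remote end, as the reply above suggests; `not-sent-into-tunnel` keeps it on the local FortiGate.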