Vatsal_shah
New Contributor II

Interface is up, still can't ping from outside

I'm currently setting up a FortiGate firewall and facing a strange issue. The FortiGate WAN interface is directly connected to my ISP router. 

From the FortiGate, I can ping the ISP gateway successfully.
However, from the ISP router side (or any host behind it), I cannot ping the FortiGate IP.

Here’s what I’ve checked so far:

  • Ping is enabled on the WAN interface (set allowaccess ping is configured).

  • The interface is up, IP is correctly assigned, and the cable is physically connected.

  • No local-in policy is blocking ICMP.

  • No trusted hosts are configured under the admin settings.

  • Subnet and default routes appear correct.

And when I connect that ISP wire to my laptop, it can get internet access and I am able to ping my IP from an outside network.

1 Solution
sjoshi

AHM_MANINAGAR_MNG # get router info routing-table details 103.240.162.91

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
vrf 0 185.75.142.113, via lan2 inactive
* vrf 0 43.250.164.190, via wan

If you see the above output, your active default route is only available via wan, but you are pinging the lan2 IP address, and hence the reverse path is failing.
You are not able to ping the lan2 IP because the default route shows inactive via lan2. It could be because the SD-WAN perf SLA is down for lan2.

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
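
The reverse-path reasoning in the answer above, as an added example that is not part of the original post or any Fortinet tool: it parses the routing-table output quoted in the answer and checks whether a reply to the pinging host could leave through the interface the request arrived on. The function names and the simplified feasible-path model are assumptions made for illustration.

```python
import ipaddress
import re

# Output copied from the accepted answer on this page.
ROUTE_OUTPUT = """\
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
vrf 0 185.75.142.113, via lan2 inactive
* vrf 0 43.250.164.190, via wan
"""

ENTRY = re.compile(r"^Routing entry for (\S+)")
HOP = re.compile(r"^(\*)?\s*vrf\s+\d+\s+(\S+),\s+via\s+(\S+)(\s+inactive)?\s*$")

def parse_routes(text):
    """Return a list of dicts: prefix, gateway, interface, active."""
    routes, prefix = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
            continue
        m = HOP.match(line)
        if m and prefix is not None:
            routes.append({"prefix": prefix, "gateway": m.group(2),
                           "interface": m.group(3), "active": m.group(4) is None})
    return routes

def rpf_check(routes, src_ip, ingress_if):
    """Simplified feasible-path check (assumption): pass only if an active
    route covering src_ip points out of the interface the packet arrived on."""
    src = ipaddress.ip_address(src_ip)
    return any(r["active"] and r["interface"] == ingress_if and src in r["prefix"]
               for r in routes)

def explain(routes, src_ip, ingress_if):
    """Human-readable verdict, naming the inactive gateway when there is one."""
    if rpf_check(routes, src_ip, ingress_if):
        return f"{src_ip} via {ingress_if}: reverse path OK"
    stale = [r["gateway"] for r in routes
             if r["interface"] == ingress_if and not r["active"]]
    reason = f"route via {stale[0]} is inactive" if stale else "no route on this interface"
    return f"{src_ip} via {ingress_if}: reverse path fails ({reason})"

if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for ifname in ("wan", "lan2"):
        print(explain(routes, "103.240.162.91", ifname))
```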


20 REPLIES
funkylicious
SuperUser

I see that you have 2 public IP/WAN interfaces.

If you didn't configure SD-WAN or ECMP/asymmetric routing, then that might be the issue.

"jack of all trades, master of none"
Vatsal_shah

I have done SD-WAN.

funkylicious

It's time for some sniffer or debug captures while trying to ping the interface/IP, and let's see what really happens to the packets.

Vatsal_shah

I tried using this command diagnose sniffer packet any "icmp and host 182.75.142.114" 4
and got this output:

AHM_MANINAGAR_MNG # diagnose sniffer packet a "icmp and host 182.75.142.114" 4
interfaces=[a]
filters=[icmp and host 182.75.142.114]
0.259517 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
0.356577 a -- 49.43.25.137 -> 182.75.142.114: icmp: echo request
3.258478 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
5.198390 a -- 49.43.25.137 -> 182.75.142.114: icmp: echo request
6.242370 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
9.247340 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
10.184206 a -- 49.43.25.137 -> 182.75.142.114: icmp: echo request
12.261584 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
15.180265 a -- 49.43.25.137 -> 182.75.142.114: icmp: echo request
15.297683 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
18.317582 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
21.315861 a -- 103.240.162.91 -> 182.75.142.114: icmp: echo request
^C
13 packets received by filter
0 packets dropped by kernel

HarryTran

May I know what OS version is running on the box?

Vatsal_shah

7.2.11

sjoshi
Staff

Hi,

Have you tried connecting a laptop directly to the FortiGate WAN port to see if that works?

Is the ARP entry coming correctly?

Try to ping again from the ISP end towards the FGT IP and take a pcap to see if the traffic is reaching the FGT.

diag sniff packet any 'host x.x.x.x' 4 0 l >> where x.x.x.x is the FGT IP

Vatsal_shah

I tried directly connecting my laptop to firewall A port and then I checked my laptop ipconfig. I got all my IP and gateway properly, and when I tried to ping with a different laptop and PC from that local subnet, I could ping that IP and the gateway of that ISP too. But when I plug the cable back into the firewall, I can ping only the gateway, but can't ping the interface IP.

sjoshi

I guess taking a packet capture will give clarity.

Along with your capture, take a debug flow.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/54688/debugging-the-packet-f...

Take this output while pinging the FGT IP.
