Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: One way Ping
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way Ping
Hey everyone, hope I can get some help with something. Very new to Fortinet and have two locations that I need to setup a VPN for. I have watched the online video cookbook and followed those steps for my two boxes and setup the IPSec VPN.
Location 1 - 10.8.138.0/23 network
Location 2 - 10.8.22.0/24 network
I created both of my Phases, putting in the right IP addresses for each...I' ve triple checked everything, Have my Firewall objects created correctly for both, making sure the Interfaces are set correctly at each location, made my policies and moved them to the top of the list, however........
What is happening is that from Location 1 to Location 2 I am NOT able to ping. However from Location 2 to Location 1, and I can ping and access everything as needed.
I' m almost feeling its something simple, I have properly working internet in both locations but I just cannot figure out this ping and what I might be missing. Thanks so much
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I do a debug of the flow, this is a sample of what I get over and over again when trying to ping from Location 1 to Location 2. And both locations have the exact same policies in place. Thanks so much
id=13 trace_id=101 msg=" vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
id=13 trace_id=101 msg=" allocate a new session-00001066"
id=13 trace_id=101 msg=" find a route: gw-10.8.22.254 via Internal"
id=13 trace_id=101 msg=" Denied by forward policy check"
id=13 trace_id=102 msg=" vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
id=13 trace_id=102 msg=" allocate a new session-0000106e"
id=13 trace_id=102 msg=" find a route: gw-10.8.22.254 via Internal"
id=13 trace_id=102 msg=" Denied by forward policy check"
id=13 trace_id=103 msg=" vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it says policy does not allow.
Can you show your policy?
show firewall policy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
and welcome to the forums.
Are you pinging the remote FGT? If so, check the ' Restricted Hosts' setting in System>Admin. Set them all to ' 0.0.0.0/0' to see if ping is administratively prohibited.
Next, is ping allowed on the interface (System>Network>Interface)?
Next, did you try to reach a host on the remote network, like a printer? Printers don' t have personal firewalls...yet
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for all the help, but I think I finally stumbled upon the problem.
When I was looking in the Network -> interface area, I seen that my Internal interface wasn' t configured quite right. Once I fixed that, ping in both directions started working! Thanks again for all the help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more well meant hint: re-create your VPNs in ' Interface Mode' . You spare yourself a LOT of headaches over time. If you do, the tunnel end becomes a virtual network port, just like the physical ones. You use it in a regular (ACCEPT) policy, and in a static route, for NAT and all that. No more wondering what FortiOS does ' behind the scenes' as you do when using Policy Mode VPN.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where do I do that? Create the VPNs in Interface mode?? Can I change the current setup to do that, or do I need to delete them and recreate them? Thanks
Robert
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you create a Phase1, usually (from FortiOS 4.3 on) the ' Interface Mode' is checked by default.
Alas, there is no (easy) way to change the mode. Just recreate Phase1 and Phase2.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So once I create those in interface mode, what do I need to create in static routes or any policies??? Thanks for taking this step by step for me, this is a whole new world for me! Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you create an IPsec VPN in Interface Mode, there will be a new virtual interface under System>Network>Interfaces>the_wan_port_specified.
What do you do to have traffic flow out on a port?
let' s assume your tunnel is called ' Miami' and the remote network is 10.8.22.0/24:
- create a static route to the remote subnet, using the tunnel interface
e.g. 10.8.22.0/24 via ' Miami' (do not specify a gateway address!)
- then allow traffic to pass from ' internal' to ' Miami' :
create a firewall policy, source port ' internal' , src addr ' my_LAN' , dest port ' Miami' , dest addr 10.8.22.0/24, action ACCEPT (!), no NAT
This will allow traffic initiated from your LAN to the ' Miami' network, including reply traffic. If you want to allow traffic initiated from Miami into your LAN, you need an additional policy with reversed source/destination.
Assuming you have a mail server in Miami, and you query it for new messages. This will flow across just one policy. If you want the Miami people to get files from your LAN, you need a second policy.
So, ' Interface Mode' VPN behave just like any other (physical or VLAN) port, in respect to routing and policies. This includes NAT, traffic shaping, UTM etc.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,859 -
FortiClient
1,794 -
5.2
801 -
FortiManager
753 -
5.4
639 -
FortiAnalyzer
568 -
FortiSwitch
486 -
FortiAP
478 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
325 -
SSL-VPN
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
220 -
FortiWeb
212 -
FortiNAC
197 -
5.0
196 -
FortiGuard
140 -
6.4
128 -
SD-WAN
119 -
FortiAuthenticator
111 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
82 -
Customer Service
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
61 -
Fortivoice
57 -
FortiADC
54 -
FortiEDR
53 -
VLAN
53 -
ZTNA
50 -
Routing
49 -
DNS
48 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
BGP
42 -
LDAP
42 -
Authentication
39 -
RADIUS
38 -
SAML
38 -
NAT
37 -
Certificate
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
31 -
FortiLink
30 -
Application control
29 -
FortiWAN
27 -
Web profile
27 -
FortiGate-VM
26 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiPortal
20 -
FortiSwitch v6.2
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1751 | |
| 1114 | |
| 766 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.