
PING on VPN IPSec Azure works only two times

Hi all,

I have a problem at a location connected via IPsec VPN.

I have configured all the interfaces and policies and everything seems to be working well.

From the AD server I can ping all the clients connected at the location; the problem is from client to AD server, where only two pings are replied to, then all requests are dropped.

Here you can find the diag sniffer on Firewall of that location:

FG100E4Q17011401 # diag sniffer packet arena "host and icmp"
filters=[host and icmp]
6.091341 -> icmp: udp port 54317 unreachable
27.833930 -> icmp: udp port 64483 unreachable
35.928811 -> icmp: echo request
35.971478 -> icmp: echo reply
36.930628 -> icmp: echo request
36.972687 -> icmp: echo reply
48.690416 -> icmp: udp port 64556 unreachable
69.547030 -> icmp: udp port 55918 unreachable
91.325987 -> icmp: udp port 60528 unreachable
113.099349 -> icmp: udp port 49737 unreachable
11 packets received by filter
0 packets dropped by kernel


As you can see, two pings get a reply, the others are sent unreachable. The client IP is, the Server IP is Which one has the 64556 port blocked? I suppose that is the but in that client the firewall is off and I cannot understand if the Firewall is blocking something or not.

Could you advise me what I can do in order to find a solution?

Thank you in advance




You can check the following to see if there are some devices causing issues; it might be port exhaustion:

  • In the WebUI, you can use the Dashboard to view the Top Source, Top Destination and Top Applications to monitor traffic and see if there are any devices using an unusual amount of bandwidth
  • Check the session logs for the "Invalid Packets" log section and identify the device
  • Follow this guide to check which policies are being used by

lorenzhope

    Hi and thank you for your answer.

    I ran a diag sys session stat but I do not understand how to resolve this with it.

    Here you can find the results:


    FG100E4Q17011401 # diag sys session stat
    misc info: session_count=2210 setup_rate=19 exp_count=50 clash=10
     memory_tension_drop=0 ephemeral=0/196608 removeable=0
    delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
    TCP sessions:
     50 in NONE state
     492 in ESTABLISHED state
     2 in SYN_SENT state
     1 in SYN_RECV state
     3 in FIN_WAIT state
     29 in TIME_WAIT state
     7 in CLOSE state
     82 in CLOSE_WAIT state
    firewall error stat:
    global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0


    I found the possible error blocking me: it is a Deny DNS error. Strange (because the first two pings are allowed). Could you be helpful?

    Action: Deny: DNS error
    Policy: 3
    Policy UUID: 39e02e9a-d838-51e7-47d0-4c2f5ecb4c2d
    Policy Type: policy
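
One way to read the `diag sys session stat` output posted above against the port-exhaustion suggestion, as an added example that is not part of the original thread or any Fortinet tool. The function names, the thresholds, and the choice to flag any non-zero `clash`, `memory_tension_drop` or `ses_limit` counter are assumptions made for illustration.

```python
import re

# Constructed sample: the `diag sys session stat` output quoted in the thread above.
SAMPLE = """\
misc info: session_count=2210 setup_rate=19 exp_count=50 clash=10
 memory_tension_drop=0 ephemeral=0/196608 removeable=0
delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
TCP sessions:
 50 in NONE state
 492 in ESTABLISHED state
 2 in SYN_SENT state
 1 in SYN_RECV state
 3 in FIN_WAIT state
 29 in TIME_WAIT state
 7 in CLOSE state
 82 in CLOSE_WAIT state
firewall error stat:
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
"""

def parse_session_stat(text):
    """Return (counters, tcp_states) parsed from the CLI output."""
    counters = {}
    for key, val in re.findall(r"(\w+)=(\d+(?:/\d+)?)", text):
        # "a/b" values (e.g. ephemeral=0/196608) become (current, max) tuples
        counters[key] = tuple(map(int, val.split("/"))) if "/" in val else int(val)
    states = {s: int(n) for n, s in re.findall(r"^\s*(\d+) in (\w+) state", text, re.M)}
    return counters, states

def findings(counters, states, lingering_ratio=0.25):
    """Flag counters that suggest session-table pressure (thresholds are assumptions)."""
    out = []
    for key in ("clash", "memory_tension_drop", "ses_limit", "ses6_limit"):
        if counters.get(key, 0) > 0:
            out.append(f"{key}={counters[key]}")
    used, limit = counters.get("ephemeral", (0, 0))
    if limit and used / limit > 0.8:
        out.append(f"ephemeral {used}/{limit}")
    total = sum(states.values())
    lingering = states.get("CLOSE_WAIT", 0) + states.get("TIME_WAIT", 0)
    if total and lingering / total > lingering_ratio:
        out.append(f"lingering TCP {lingering}/{total}")
    return out
```

On the posted output only `clash=10` is flagged; the session-limit and memory-tension drop counters are zero and no ephemeral sessions are in use.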