Support Forum
New Contributor

Ping not working between interface

Hello all, we have a FortiGate firewall, 600C model. We have configured port1 and port2 as internal interfaces. Port1: network, Port2: network. Policies are applied like Port1 to Port2 allow all, Port2 to Port1 allow all. I am able to ping both interface IPs from each other. One server is located in the network on Port2. Now I am pinging this server from the network but I am unable to ping it. I checked the server end and everything is fine. I am able to ping the same server from the FortiGate. I am even able to ping Port1 and Port2 from the server. Can anyone help us to resolve this issue? What could the issue most likely be? Thank you in advance. Regards, Nawin.D

Hello, it seems that the server has no route (back) to the network, can you check this? Regards, Ralph Willemsen Arnhem, Netherlands
Esteemed Contributor III

I agree, and it could also be that the server has ICMP disabled. Did you run any diagnostic (debug flow or packet sniffer)? That would validate whether the server is responding or not.

PCNSE NSE StrongSwan
Contributor II

Third opinion: the server firewall blocks ICMP requests from different subnets.
New Contributor

Fourth opinion: Add the subnet to the Trusted Hosts of the admin account. Or never mind, because I didn't read the whole original post :)
New Contributor

Run a packet sniffer and a packet trace. Since you can ping directly from the firewall, ping should be allowed on the destination server. When you ping directly from the firewall, it will use the interface IP on the interface connected directly to the destination IP. If you do something like this:

    exec ping-options source (or whatever IP you have for the interface IP on that network segment)

then it will initiate the ping from the network instead of the network.

To run a sniffer:

    diag sniffer packet any 'host 192.168.1.sourceIP and host 192.168.2.destinationIP'

To run a trace:

    diag debug reset
    diag debug enable
    diag debug flow show console enable
    diag debug flow show function-name enable
    diag debug flow filter saddr 192.168.1.source
    diag debug flow filter daddr 192.168.2.destination
    diag debug flow trace start 50

To stop the trace before 50, type:

    diag debug flow trace stop

or

    diag debug disable

The comment about a route could be a possibility if the server does not have a default gateway set. You can ping things on the same subnet without a default gateway setting.
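As an added example (not from the post above or from Fortinet), here is a small Python helper that reads the kind of output the sniffer command produces and tells you which leg of the echo/reply exchange is missing, which is exactly the distinction the thread is arguing about (FortiGate not forwarding vs. server not answering). It assumes the verbosity-4 line shape `<ts> <interface> in|out <src> -> <dst>: icmp: echo request|reply` with relative timestamps; the sample lines are constructed, not captured from the poster's unit.

```python
import re
from collections import defaultdict

# Assumed line shape of `diag sniffer packet any '<filter>' 4` output
# (verbosity 4 prints interface name and direction). Header lines such as
# "interfaces=[any]" do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\S+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):\s*icmp:\s*echo (?P<kind>request|reply)"
)

# Constructed sample: requests enter port1 and leave port2, but no reply
# ever comes back in on port2 (the "server has no route back" case).
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.1.10 and host 192.168.2.20]
2.100000 port1 in 192.168.1.10 -> 192.168.2.20: icmp: echo request
2.100100 port2 out 192.168.1.10 -> 192.168.2.20: icmp: echo request
3.100000 port1 in 192.168.1.10 -> 192.168.2.20: icmp: echo request
3.100100 port2 out 192.168.1.10 -> 192.168.2.20: icmp: echo request
"""

def parse_sniffer(text):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose(text, client_if, server_if):
    """Classify where the exchange breaks:
    'no-request'    nothing arrived on client_if (problem is before the firewall)
    'not-forwarded' request seen on client_if but never sent out server_if
                    (look at the FortiGate: policy, route, RPF check)
    'no-reply'      request left server_if, no reply came back on it
                    (look at the server: route back, host firewall, ICMP off)
    'ok'            reply seen coming back in on server_if
    """
    seen = defaultdict(int)
    for p in parse_sniffer(text):
        seen[(p["intf"], p["dir"], p["kind"])] += 1
    if not seen[(client_if, "in", "request")]:
        return "no-request"
    if not seen[(server_if, "out", "request")]:
        return "not-forwarded"
    if not seen[(server_if, "in", "reply")]:
        return "no-reply"
    return "ok"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "port1", "port2"))  # no-reply
```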
