New Contributor

Routing Issue w/ SD-WAN

Hi Guys,


I'm trying to fix an issue with an SD-WAN connection between 2 FortiGate firewalls (v6.2.1).

Find attached the network configuration.

I can successfully ping from to, but ping to fails.

A tcpdump on the server shows that the server receives the ICMP 'echo request' and sends back the ICMP 'echo reply'.

A tracert -d from is stuck @


Can someone tell me why the server is not reachable (I can see the rule that allows the traffic)?


Thanks & Best Regards.


Esteemed Contributor III

A tracert -d from is stuck @


Start here and look at your policies. Also diag debug flow is your best friend here, assuming these are all FortiGates.



You ruled 89% of this out by seeing the pings reaching the server. I would look at SNAT rules if applicable and next-hop gateways.


Ken Felix




PCNSE NSE StrongSwan
Esteemed Contributor III

In the diagram you put 10.10.201.x/32 on the WAN interface, which are private IPs. Are they VPN interface IPs and a site-to-site VPN is there over SD-WAN interface on both sides?

If a ping packet can reach the destination, that direction is working fine including routes and policies. Then likely the problem is on the returning direction either no route for the source subnet, no policy for the direction through the VPN, or phase2 selectors are not allowing for the direction.

The "diag debug flow" on the FGT w/ would show exactly why it is dropped there, as Ken suggests. But just checking routes and policies and VPN config would probably let you find the problem easily.

Esteemed Contributor III

I need to correct my misstatements in my previous post.

If ping request packets reach the destination, you have enough policies on both FGTs for that particular direction of pinging. One direction policy should be enough. You might not be able to ping from the opposite side though.

Then since phase2 selectors need to be matching both ends, you should have proper phase2 selector(s) too.


So, I would check the returning routes first, then go to "diag debug flow" as Ken suggests.
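As an added illustration, not posted by anyone in this thread, here is the sequence of FortiOS CLI checks the replies above describe, run on the FortiGate in front of the server that answers the ping. SRC_IP and DST_IP are placeholders (the thread's own addresses are not shown), and the debug-flow messages quoted in the comments are typical wording given for orientation, not captured output from this setup.

```fortios
# Run on the FortiGate in front of DST_IP (the server that replies but is never reached).
# SRC_IP = the host sending the ping. Replace both placeholders with real addresses.

# 1. Return route: which interface/gateway will the echo reply to SRC_IP use?
#    A default route to WAN can satisfy the reverse-path check for the incoming
#    request and still send the reply out the wrong interface (asymmetric path),
#    so confirm the matched route points at the VPN / SD-WAN member, not the WAN.
get router info routing-table details SRC_IP

# 2. Phase 2 selectors: src/dst must cover both subnets on BOTH ends.
diagnose vpn tunnel list

# 3. Confirm the reply leaves on the expected interface (verbose 4 prints the interface).
diagnose sniffer packet any "host SRC_IP and icmp" 4 10

# 4. Debug flow: ask the FortiGate itself why a packet is forwarded or dropped.
diagnose debug flow filter clear
diagnose debug flow filter addr SRC_IP
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 100
# ... send the pings from SRC_IP now, then stop the trace and clean up:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Lines to look for in the trace and what they point to:
#   "reverse path check fail, drop"                     -> no route back to SRC_IP
#                                                          via the ingress interface
#   "iprope_in_check() check failed on policy 0, drop"  -> no firewall policy matches
#                                                          this direction of traffic
#   "find a route: ... via <interface>"                 -> route chosen for the reply;
#                                                          it must be the VPN/SD-WAN member
```

If the trace shows the reply routed out the WAN interface, add a static or SD-WAN route for the remote LAN over the tunnel before touching the policies.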
