Created on 07-15-2024 11:34 PM Edited on 08-08-2024 11:57 PM By Jean-Philippe_P
I have a similar problem. I cannot ping from the router. I want to ping from OPPA to MTAVARI_FILIALI at 192.168.0.136, but I cannot. OPPA can see the route. this is photos
this is OPPA router routes
this is MTAVARI router routes
How can I connect from the OPPA router to the host at 192.168.0.136? In the FortiGate interfaces, I have allowed ICMP (PING), and OSPF is configured to redistribute static routes.
The connection between OPPA and FortiGate uses OSPF, while the connection between FortiGate and the MTAVARI router uses static routing.
Please let me know if you identify any issues.
FortiGate
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ohhh cool I’ll send screenshots. The next hop from this firewall is the ISP. So the gateway for the static routes when I set those up, should be the ISP gateway? I’ll send interface screenshot shortly and debug results. Thx!
The MTAVARI_FILIALI router doesn't have a return route for either those loopback IPs 172.25.11.1/172.25.12.1, or eth0/0 interface IP 10.10.10.2 depending on which one you're using for the ping source IP.
Toshi
hello
To solve the routing problem and enable pinging from the OPPA router to the host at 192.168.0.136, you need to verify and ensure the following configurations:
Sep-by-Step Troubleshooting
1. **Verify Routing on OPPA Router**:
- Ensure that the route to 192.168.0.0/24 network (which includes 192.168.0.136) is correctly configured on the OPPA router. It should point to the next hop that leads towards the MTAVARI network.
2. **Verify Routing on FortiGate**:
- Since OSPF is configured to redistribute static routes, ensure that the FortiGate is correctly redistributing the route to the 192.168.0.0/24 network.
- Check the routing table on the FortiGate to confirm it has a route to 192.168.0.136.
- Ensure that the OSPF configuration is correct and the necessary networks are included in the OSPF configuration.
3. Verify Routing on MTAVARI Router:
- Ensure that the MTAVARI router has a static route back to the OPPA network. This is crucial because even if the OPPA router can send packets towards the MTAVARI network, the MTAVARI router needs to know how to send the responses back.
4. Ping and Trace Route:
- From the OPPA router, try to ping the FortiGate interface IP address that connects to the MTAVARI router. This will help to determine if the problem is with the FortiGate to MTAVARI segment.
- Use the `traceroute` command from the OPPA router to 192.168.0.136 to see where the packets are getting dropped.
5.ICMP Configuration:
- Ensure that ICMP is allowed on all interfaces involved in the path (OPPA router, FortiGate, MTAVARI router).
6. NAT and Firewall Rules:
- Verify that there are no NAT issues or firewall rules blocking the ICMP traffic on any of the devices.
- Check the FortiGate firewall policies to ensure that traffic is allowed from the OPPA network to the MTAVARI network.
Example Commands for Verification
On OPPA Router:
shell
# Show the routing table
show ip route
# Ping FortiGate interface
ping [FortiGate-Interface-IP]
# Traceroute to the target
traceroute 192.168.0.136
```
On FortiGate
```shell
# Show the routing table
get router info routing-table all
# Show OSPF configuration
get router info ospf status
# Show OSPF database
get router info ospf database
```
On MTAVARI Router:
```shell
# Show the routing table
show ip route
# Ping FortiGate interface
ping [FortiGate-Interface-IP]
# Ensure static route to OPPA network exists
ip route [OPPA-network] [next-hop-IP]
```
Configuration Check on FortiGate for OSPF and Static Routes
Redistribute Static Routes in OSPF:
```shell
config router ospf
config redistribute "static"
set status enable
set metric-type 1
end
end
```
Example of Adding Static Route on MTAVARI Router:
```shell
ip route [OPPA-network] [next-hop-IP]
```
common Isues to Check
1. Asymmetric Routing: Ensure that the return path for the ping packets is correctly routed back to the OPPA router.
2. Firewall Policies: Ensure that there are no firewall policies blocking ICMP traffic on FortiGate or the routers.
3. Network Mask Mismatch: Ensure that the network masks are correctly configured on all devices.
By following these steps and verifying the configurations on each device, you should be able to diagnose and resolve the routing issue preventing the ping from OPPA to the host at 192.168.0.136. If issues persist, detailed log analysis on FortiGate and routers can provide further insights.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.