
Site-to-Site IPsec with SD-WAN. Tunnel is up but one side ping is not working

I have created two IPsec tunnels for two ISPs between FGT1 and FGT2 as site-to-site tunnels with SD-WAN enabled.

Both tunnels are added as members in the SD-WAN zone. A static route is configured with the remote site networks at both sites. Inbound and outbound policies from LAN to the SD-WAN zone and vice versa are in place on both FortiGates. I have placed LAN PCs behind both FGTs.

Ping is working from the FGT2 LAN PC to the FGT1 LAN PC. But vice versa (FGT1 LAN PC --> FGT2 LAN PC) is not working, whereas if I ping from the FortiGate using execute ping-options source <LAN interface IP>, it reaches the remote site.

Phase1 and Phase2 are up for the tunnel on both FortiGates.



LAN PC[]--FGT1 ------------------FGT2 ----------------LAN PC[]

ping ---> -Working

ping ---> - Not Working 


Likewise, if I try through the performance SLA in the FGT, it is working. Can you help me understand why ping from the FGT1 PC to the FGT2 PC is not working?


FGT 7.4.3 GA 




Can you start a debug on FGT2 with destination, while pinging with source and see if the packets are reaching the other side?


diag debug ena
diag debug flow filter saddr <source IP>
diag debug flow filter daddr <destination IP>
diag debug flow trace start 100

diag debug disable


When you initiate a ping from the FortiGate, it is local traffic and doesn't follow SD-WAN rules or policy. It will use static routing preferences. SD-WAN rules are nothing but policy routes. Make sure the correct sequence is applied to the rules. The tunnel rule should be above the generic rule. Ensure no policy route is configured for this traffic under Network > Policy Routes.

Verify routing: get router info routing-table details <destination ip>

In the SD-WAN SLA, define the source IP:

config system sdwan
    config health-check
        edit <name>                    <----- Health Check name.
            set source <IP address>    <----- source-IP to be used for the health check.
        next
    end
end

And then verify the debugs.





Amritpal Singh
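
The rule-ordering point in the reply above, as an added example (not from the original post or from Fortinet): a simplified Python model in which forwarded LAN traffic takes the first matching SD-WAN rule, while traffic originated by the FortiGate itself uses only the routing table. The interface names, prefixes and rule names are constructed assumptions.

```python
import ipaddress

# Constructed static routes: (destination prefix, egress interface).
STATIC_ROUTES = [("10.2.0.0/16", "tun-isp1"), ("0.0.0.0/0", "wan1")]

def route_lookup(dst, routes=STATIC_ROUTES):
    """Longest-prefix match over the routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def egress(dst, rules, local_out=False):
    """Return (interface, reason) for a packet to dst.

    Simplified model of the reply's description: forwarded traffic is
    checked against SD-WAN rules in sequence and the first match wins;
    FortiGate-originated (local-out) traffic skips the rules entirely.
    """
    if not local_out:
        addr = ipaddress.ip_address(dst)
        for seq, (name, prefix, ifc) in enumerate(rules, start=1):
            if addr in ipaddress.ip_network(prefix):
                return ifc, f"sdwan rule {seq} ({name})"
    return route_lookup(dst), "routing table"

# Constructed rule sets: (rule name, destination prefix, egress interface).
GENERIC_FIRST = [("internet", "0.0.0.0/0", "wan1"),
                 ("to-site2", "10.2.0.0/16", "tun-isp1")]
TUNNEL_FIRST = list(reversed(GENERIC_FIRST))

def compare(dst="10.2.1.10"):
    """Egress interface for the same destination in three situations."""
    return {
        "lan_pc_generic_rule_first": egress(dst, GENERIC_FIRST)[0],
        "lan_pc_tunnel_rule_first": egress(dst, TUNNEL_FIRST)[0],
        "ping_from_fortigate": egress(dst, GENERIC_FIRST, local_out=True)[0],
    }

if __name__ == "__main__":
    for case, interface in compare().items():
        print(f"{case:28s} -> {interface}")
```

In this model the FortiGate's own ping reaches the tunnel even with the rules in the wrong order, which matches the symptom in the question: the tunnel and routes are fine, but forwarded LAN traffic is steered elsewhere until the tunnel rule is moved above the generic one.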
