Support Forum

TTL Exceeded in Debug command

I am facing an issue where an IP cannot reach another IP through an IPsec VPN, and upon debugging I get "TTL exceeded" and the packet is dropped. What is the reason, and how do I solve this?

id=65308 trace_id=6367 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1,> tun_id= from Chhanyatosubusi. type=8, code=0, id=1, seq=29142."
id=65308 trace_id=6367 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0072a66b, original direction"
id=65308 trace_id=6367 func=npu_handle_session44 line=1213 msg="Trying to offloading session from Chhanyatosubusi to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x02000c00"
id=65308 trace_id=6367 func=fw_forward_dirty_handler line=447 msg="state=00010200, state2=00000000, npu_state=02000c00"
id=65308 trace_id=6367 func=ip_forward_icmp_trap line=49 msg="TTL is exceeded. Drop the packet."


Hi @ShaileshMdr,

Assuming that IPsec phase 1 and phase 2 are up and running, it seems that routing may not be properly configured somewhere.
The problem might be on the other side of the IPsec tunnel. Do you control the remote peer as well?
You could run a packet capture on a second SSH shell on the FortiGate (while debug flow is still running):

(1) to capture the headers ->  #diagnose sniffer packet any "host x.x.x.x and proto 1" 4 0 l
(2) to capture also the payloads ->  #diagnose sniffer packet any "host x.x.x.x and proto 1" 6 0 l  #where x.x.x.x is your client IP, I guess

You could also run a packet capture on both sides of the IPsec tunnel to see on which side the issue is.
You can also convert the second packet capture (2) into a Wireshark-readable format; more info here:

Best regards,


Hi @ShaileshMdr,


The TTL value decreases by 1 at every hop, and once it reaches 0 the packet is dropped. Please double-check your network to make sure there is no loop. You can also check the routing table by running the following command:

get router info routing-table details
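
To make the loop check concrete, here is an added example (not from this thread and not Fortinet code) that parses `diagnose debug flow` output in the layout pasted in the question and flags any packet whose identity (protocol, addresses, ICMP type/id/seq) shows up in more than one trace. Debug flow does not print the TTL, but the same echo request arriving again is the fingerprint of a forwarding loop, and the script also tallies the drop reasons. The sample log is constructed: trace 6367 follows the question's trace with constructed IPs filled in where the paste was garbled, and traces 6366 and 6370 are made up for illustration; the function names, addresses and the file name in the usage line are assumptions.

```python
"""Summarise FortiGate 'diagnose debug flow' output and flag packets that keep
coming back. Added example for this thread; not Fortinet code."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout of the trace pasted in the question.
# Trace 6367 follows that trace (IPs constructed where the paste was garbled);
# trace 6366 is constructed to show the same echo request (id=1, seq=29142)
# having passed through once already; trace 6370 is a constructed TCP packet.
SAMPLE_LOG = """\
id=65308 trace_id=6366 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.10.10.5:1->10.20.20.9:2048) tun_id=0.0.0.0 from Chhanyatosubusi. type=8, code=0, id=1, seq=29142."
id=65308 trace_id=6366 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0072a66b, original direction"
id=65308 trace_id=6366 func=npu_handle_session44 line=1213 msg="Trying to offloading session from Chhanyatosubusi to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x02000c00"
id=65308 trace_id=6367 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.10.10.5:1->10.20.20.9:2048) tun_id=0.0.0.0 from Chhanyatosubusi. type=8, code=0, id=1, seq=29142."
id=65308 trace_id=6367 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0072a66b, original direction"
id=65308 trace_id=6367 func=npu_handle_session44 line=1213 msg="Trying to offloading session from Chhanyatosubusi to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x02000c00"
id=65308 trace_id=6367 func=fw_forward_dirty_handler line=447 msg="state=00010200, state2=00000000, npu_state=02000c00"
id=65308 trace_id=6367 func=ip_forward_icmp_trap line=49 msg="TTL is exceeded. Drop the packet."
id=65308 trace_id=6370 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 10.10.10.7:51234->10.20.20.9:443) tun_id=0.0.0.0 from Chhanyatosubusi. flag [S], seq 123456, ack 0, win 64240"
id=65308 trace_id=6370 func=init_ip_session_common line=6041 msg="allocate a new session-0072a6c0"
id=65308 trace_id=6370 func=fw_forward_handler line=808 msg="Allowed by Policy-3:"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
RECV_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+)(?:, (?P<src>\S+)->(?P<dst>\S+)\))?')
FROM_RE = re.compile(r' from (?P<iface>[^ .]+)\.')
ICMP_RE = re.compile(r'type=(?P<type>\d+), code=(?P<code>\d+), id=(?P<id>\d+), seq=(?P<seq>\d+)')
OFFLOAD_RE = re.compile(r'session from (?P<ingress>\S+) to (?P<egress>\S+),')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DROP_RE = re.compile(r'^(?P<reason>.*?)\.?\s*Drop the packet\.$')


def parse_flow(text):
    """Return {trace_id: summary}, in the order the traces first appear."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug-flow line
        t = traces.setdefault(m['trace'], {
            'proto': None, 'src': None, 'dst': None, 'icmp': None,
            'ingress': None, 'egress': None, 'verdict': 'unknown', 'reason': None})
        msg = m['msg']
        recv = RECV_RE.search(msg)
        if recv:  # first line of a trace: what arrived and on which interface
            t['proto'] = int(recv['proto'])
            t['src'], t['dst'] = recv['src'], recv['dst']
            frm = FROM_RE.search(msg)
            if frm:
                t['ingress'] = frm['iface']
            icmp = ICMP_RE.search(msg)
            if icmp:
                t['icmp'] = tuple(int(icmp[k]) for k in ('type', 'code', 'id', 'seq'))
            continue
        off = OFFLOAD_RE.search(msg)
        if off:  # offload attempt names the egress interface; a later drop line overrides
            t['egress'] = off['egress']
            t['verdict'] = 'offloaded'
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            t['verdict'], t['reason'] = 'allowed', 'policy ' + allow['policy']
            continue
        drop = DROP_RE.search(msg)
        if drop:
            t['verdict'], t['reason'] = 'dropped', drop['reason']
    return traces


def packet_key(t):
    """Identity of a packet, independent of the trace it was seen in."""
    return (t['proto'], t['src'], t['dst'], t['icmp'])


def repeated_packets(traces):
    """Packets seen in more than one trace: {key: [(trace_id, ingress, verdict), ...]}.
    Debug flow does not print the TTL, but an echo request with the same ICMP
    id/seq arriving again is what a forwarding loop looks like here."""
    seen = defaultdict(list)
    for tid, t in traces.items():
        if t['proto'] is not None:
            seen[packet_key(t)].append((tid, t['ingress'], t['verdict']))
    return {k: v for k, v in seen.items() if len(v) > 1}


def drop_reasons(traces):
    """Tally of drop reasons, e.g. {'TTL is exceeded': 1}."""
    return Counter(t['reason'] for t in traces.values() if t['verdict'] == 'dropped')


if __name__ == '__main__':
    # Usage: python3 flow_summary.py [saved-debug-flow.txt]; with no file the built-in sample runs
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    traces = parse_flow(text)
    for tid, t in traces.items():
        print(f"{tid}: proto={t['proto']} {t['ingress']} -> {t['egress']} {t['verdict']} {t['reason'] or ''}")
    for key, hits in repeated_packets(traces).items():
        print(f"seen {len(hits)} times: {key} in traces {[h[0] for h in hits]}")
    print('drop reasons:', dict(drop_reasons(traces)))
```

Save the output of `diagnose debug flow` to a file and pass it as the only argument. A packet key listed more than once, especially with the last occurrence dropped for "TTL is exceeded", points at a loop; the ingress interfaces in the list tell you whether the packet is bouncing back over the tunnel or over the LAN side, which is where to look at the routing table next.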
