Warning: Got ICMP 3 (Destination Unreachable)

karamjeetmultani · ‎06-14-2024

FortiGate 7.4.4-1 in GNS3 unable to ping GNS3 VM, unable to ping windows 11 host machine, unable to ping gateway.

FortiGate IP address: 192.168.0.33/24

GNS3 VM IP address: 192.168.0.52/24

Windows IP address: 192.168.0.125/24

Default Gateway: 192.168.0.1/24

C:\Users\<username>ping 192.168.0.33

Pinging 192.168.0.33 with 32 bytes of data:
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.

Ping statistics for 192.168.0.33:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Warning: Got ICMP 3 (Destination Unreachable)

FortiGate-7.4.4 (IP address: 192.168.0.33\24) running in GNS3 (2.2.47 version).

GNS3 VM (2.2.47 version with IP address: 192.168.0.52\24) running on Oracle VM Virtual Machine.

Windows 11 with IP-address: 192.168.0.125 with Default Gateway: 192.168.0.1

Able to ping GNS3 VM IP-address.

Unable to ping FortiGate below is the config details

config system interface
edit "port1"
set vdom "root"
set ip 192.168.0.33 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next

end

karamjeetmultani · ‎06-14-2024

No luck when tried the same on VMWare

hbac · ‎06-15-2024

Hi @karamjeetmultani,

You can check the arp table by running 'get system arp'. You can also run packet sniffer "di packet sniffer port1 'none' 4 0 l"

Regards,

karamjeetmultani · ‎06-15-2024

Thank you @hbac for the quick response

FortiFirewall-VM64-KVM # get system arp
Address Age(min) Hardware Addr Interface

FortiFirewall-VM64-KVM # diagnose sniffer packet any 'arp' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[arp]
0.870537 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
1.910426 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
4.818708 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
5.830426 port1 out arp who-has 192.168.0.1 tell 192.168.0.33

FortiFirewall-VM64-KVM # di packet sniffer port1 'none' 4 0 l

command parse error before 'packet'
Command fail. Return code -61

I see fortilink ip-address different from my network which is from class-c, but I see fortilink has class-c ip addresss as seen below

config system interface
edit "port1"
set vdom "root"
set ip 192.168.0.33 255.255.255.0
set allowaccess ping https http
set type physical
set snmp-index 1
next

edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 14
next
end

hbac · ‎06-15-2024

@karamjeetmultani,

As you can see, FortiGate is sending arp requests but no response. It is a layer 2 issue.

Regards,

karamjeetmultani · ‎06-15-2024

@hbac

How to resolve layer2 issue? Is it known issue or a new issue with me?
I have tried using vmware player and still the same issue.

I mean how arp will update its table.

Do I need to run any command like "arp-scan -l"

karamjeetmultani · ‎06-15-2024

@hbac

Is this issue with the FortiGate-7.4.4 image or should I configure something to make it work?

I mean FortiGate supposed to connect with other devices and their addresses. But arp table seems to be empty. Any remedies that could help me to resolve this?

gagandeeps · ‎12-18-2024

Refer to the link below for more information

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-ICMP-type-3-messages-Destination/...

Warning: Got ICMP 3 (Destination Unreachable)

Nominate a Forum Post for Knowledge Article Creation