Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
karamjeetmultani
New Contributor

Created on ‎06-14-2024 09:53 PM Edited on ‎06-14-2024 10:30 PM

Warning: Got ICMP 3 (Destination Unreachable)

FortiGate 7.4.4-1 in GNS3 unable to ping GNS3 VM, unable to ping windows 11 host machine, unable to ping gateway.  

 

FortiGate IP address: 192.168.0.33/24

GNS3 VM IP address: 192.168.0.52/24

Windows IP address: 192.168.0.125/24

Default Gateway: 192.168.0.1/24

 

C:\Users\<username>ping 192.168.0.33

Pinging 192.168.0.33 with 32 bytes of data:
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.
Reply from 192.168.0.125: Destination host unreachable.

Ping statistics for 192.168.0.33:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

 

Warning: Got ICMP 3 (Destination Unreachable)

FortiGate-7.4.4 (IP address: 192.168.0.33\24) running in GNS3 (2.2.47 version).

GNS3 VM (2.2.47 version with IP address: 192.168.0.52\24) running on Oracle VM Virtual Machine.

Windows 11 with IP-address: 192.168.0.125 with Default Gateway: 192.168.0.1

 

Able to ping GNS3 VM IP-address.

Unable to ping FortiGate below is the config details

config system interface
edit "port1"
set vdom "root"
set ip 192.168.0.33 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next

end

 

Screenshot 2024-06-15 004637.png

Labels:
2562
0 Kudos
8 REPLIES 8
karamjeetmultani
New Contributor

Created on ‎06-14-2024 09:59 PM Edited on ‎06-14-2024 10:32 PM

No luck when tried the same on VMWare

2554
0 Kudos
hbac
Staff
Staff

Created on ‎06-15-2024 06:32 AM

Hi @karamjeetmultani,

 

You can check the arp table by running 'get system arp'. You can also run packet sniffer "di packet sniffer port1 'none' 4 0 l

 

Regards, 

2488
0 Kudos
karamjeetmultani
New Contributor

Created on ‎06-15-2024 07:19 AM Edited on ‎06-15-2024 07:23 AM

Thank you @hbac for the quick response

 


FortiFirewall-VM64-KVM # get system arp
Address Age(min) Hardware Addr Interface

 

 

FortiFirewall-VM64-KVM # diagnose sniffer packet any 'arp' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[arp]
0.870537 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
1.910426 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
4.818708 port1 out arp who-has 192.168.0.1 tell 192.168.0.33
5.830426 port1 out arp who-has 192.168.0.1 tell 192.168.0.33

 


FortiFirewall-VM64-KVM # di packet sniffer port1 'none' 4 0 l

command parse error before 'packet'
Command fail. Return code -61

 

I see fortilink ip-address different from my network which is from class-c, but I see fortilink has class-c ip addresss  as seen below

 

config system interface
edit "port1"
set vdom "root"
set ip 192.168.0.33 255.255.255.0
set allowaccess ping https http
set type physical
set snmp-index 1
next

edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 14
next
end

2481
0 Kudos
hbac
Staff
Staff
In response to karamjeetmultani

Created on ‎06-15-2024 07:24 AM

@karamjeetmultani,

 

As you can see, FortiGate is sending arp requests but no response. It is a layer 2 issue. 

 

Regards, 

2475
0 Kudos
karamjeetmultani
New Contributor

Created on ‎06-15-2024 07:32 AM

@hbac 

How to resolve layer2 issue? Is it known issue or a new issue with me? 
I have tried using vmware player and still the same issue.


I mean how arp will update its table. 

Do I need to run any command like "arp-scan -l"

2467
0 Kudos
karamjeetmultani
New Contributor

Created on ‎06-15-2024 08:37 AM

@hbac 

 

Is this issue with the FortiGate-7.4.4 image or should I configure something to make it work? 

I mean FortiGate supposed to connect with other devices and their addresses. But arp table seems to be empty. Any remedies that could help me to resolve this? 

2448
0 Kudos
gagandeeps
Staff
Staff

Created on ‎12-18-2024 09:41 AM

Refer to the link below for more information

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-ICMP-type-3-messages-Destination/...

875
0 Kudos
roquexz
New Contributor

Created on ‎02-15-2025 04:16 AM

I was with the same problem and I found a solution.

 

Check if you have port mgmt on your equipment with "show system interface".

 

When you have this port the lab associate this with port1, so you need to configure the ip on the port mgmt.

 

The port1 on the equipment will be display as port2 on the lab.

 

I hope helped you!

 

 

Look the port1 have the ip 10.10.20.13/30

Captura de Tela 2025-02-15 às 09.13.23.png

 

On the system it will appears as mgmt interfaceCaptura de Tela 2025-02-15 às 09.14.08.pngCaptura de Tela 2025-02-15 às 09.14.59.png

 

 

310
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.