Support Forum
Matie
New Contributor

Why I cannot ping internet

Hi,

I don't understand why I cannot ping the internet from the clients. I can ping the subinterface on port 2, 23.1.2.71. But if I try to ping 8.8.8.8 from Linux or the VPC, it is unsuccessful. I have a static route on the FortiGate, 0.0.0.0/0 to the router 23.1.2.1, which is the router's IP on port gi0/0. Switch ports gi0/0 and gi0/2 are trunks and ports gi0/1 and gi0/3 are VLAN interfaces. I can ping the internet (8.8.8.8) from the FortiGate. Something on the FW is missing, I guess. Policies are applied, and when I ping from a client to the subinterface, the "To Internet" policy is working. Please check the pictures.

[attached images: Policy.jpg, Ports.jpg, Topology.jpg]

aionescu
Staff

Hi @Matie ,
Welcome to the community.

If I understood the topology correctly, traffic is coming in via VLAN10 and should be routed, via VLAN23, towards the ISP router.


I would start the troubleshooting by looking at the routing table and the traffic flow (while generating traffic):

 

get router info routing-table all

 

diagnose debug flow filter addr x.x.x.x <---where x.x.x.x is the source of the traffic
diagnose debug flow trace start 10
diagnose debug enable

 

Looking at the policy that should allow the traffic, we can see that, at some point, there was some traffic that matched it.

Matie
New Contributor

Yes, if I ping from Linux to the DG 23.1.2.71, the ping is successful and it hits the policy. However, the ping doesn't want to go further to the router 23.1.2.1 and to the internet, and I don't know why. The routing table is as in the picture. I have tried to type those commands into the CLI, but it didn't do anything. I am a beginner, so please bear with me.

[attached image: Routing table.jpg]

aionescu

Hi @Matie , I see that you were given useful information so far.

Can you try to disable the ASIC offload on the policy that allows the traffic and try to run the commands again?

More info on how to do that: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-NP-offloading-in-security-policy...

 

diagnose debug flow filter addr 10.10.10.49 
diagnose debug flow trace start 10
diagnose debug enable

 

Also, while generating the traffic, you could loosen the filters on the sniffer and use:

diagnose sniffer packet any "host 10.10.10.49" 4

 

Matie
New Contributor

Hi @aionescu, I did what you asked me to. Once I tried to ping from the router to the host, it disconnected me from the FortiGate. I don't know why. Check the first picture. Let me know if you have found something interesting. Thanks

[attached images: Odpojenie.jpg, Ping from host to internet.jpg, Ping from Router and FW logs.jpg, Ping z Hosta na internet.jpg]

Muhammad_Haiqal

Hi @Matie

Do you mind putting the IP addresses on the diagram too, so I can understand your deployment better? Is the gateway on the switch or on the Fortinet?

Based on this information, I can assist further with the issue.

haiqal
Matie

The gateways are on the FortiGate. Here is the topology picture.

[attached images: Topology.jpg, Routing.jpg]

Debbie_FTNT

Dear Matie,


Your setup looks OK as far as I can see: you have a policy in place from private to internet with the appropriate interfaces, and you have routing in place. The policy also applies NAT, so this is not a case of private IPs going out and getting dropped.

Can you run a traceroute command from the host in question to 8.8.8.8 to verify at which point the traffic is failing?

This could be a case of the ping going through FortiGate, but the reply not making it back for whatever reason.

I would assume that to be unlikely, given that pinging from FortiGate itself works, but it wouldn't hurt to double-check that the ping reaches FortiGate and then gets lost.

Other than that, you will need to dig into troubleshooting traffic on the FortiGate itself. We have a number of good KBs for this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

https://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/54688/debugging-the-packet-f...

Let us know if this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
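The two suggestions above (run the sniffer while generating traffic, then check whether the echo request leaves the FortiGate and whether the reply ever comes back) can be turned into a quick check on the capture output. The following is an added example, not code from the thread or from Fortinet. It assumes the verbosity-4 sniffer line format noted in the comment, interface names vlan10 and vlan23 (the thread only gives the VLAN numbers), and a constructed capture filtered on the destination 8.8.8.8 rather than on the host, so that both the pre-NAT leg (source 10.10.10.49) and the post-NAT leg (source 23.1.2.71) are visible; the ping to the gateway 10.10.10.1 is included as a working reference flow.

```python
import re
from collections import Counter

# Assumed line format of 'diagnose sniffer packet any "<filter>" 4' output:
#   <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
# Header lines such as 'interfaces=[any]' and 'filters=[...]' do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# Constructed sample capture (not real output from the thread). It models the
# symptom described: the host's echo requests are forwarded out of vlan23 with
# the NAT address 23.1.2.71 as source, but no echo reply ever comes back in,
# while a ping to the FortiGate's own gateway address 10.10.10.1 is answered.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 8.8.8.8 or host 10.10.10.1]
1.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
1.000150 vlan23 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
2.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
2.000150 vlan23 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
3.000100 vlan10 in 10.10.10.49 -> 10.10.10.1: icmp: echo request
3.000140 vlan10 out 10.10.10.1 -> 10.10.10.49: icmp: echo reply
"""

# Verdict codes and the next place to look for each one.
VERDICTS = {
    "COMPLETE": "echo reply forwarded back to the host: round trip works",
    "NO_REQUEST_FROM_HOST": "no echo request reached the FortiGate: check the host's default gateway and VLAN",
    "DROPPED_BY_FORTIGATE_OUTBOUND": "request arrived but was never forwarded: check policy, route and NAT",
    "NO_REPLY_FROM_UPSTREAM": "request left towards the next hop but no reply came back: the problem is upstream or on the return path",
    "DROPPED_BY_FORTIGATE_INBOUND": "reply came back but was not forwarded to the host: check the session on the FortiGate",
}


def parse_sniffer(text):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def legs_for(pkts, target):
    """Set of (direction, kind) legs observed for packets to or from target."""
    return {(p["direction"], p["kind"]) for p in pkts if target in (p["src"], p["dst"])}


def classify_flow(pkts, target):
    """Work out how far a ping towards target got, based on which legs were captured."""
    legs = legs_for(pkts, target)
    if ("out", "reply") in legs:
        return "COMPLETE"
    if ("in", "request") not in legs:
        return "NO_REQUEST_FROM_HOST"
    if ("out", "request") not in legs:
        return "DROPPED_BY_FORTIGATE_OUTBOUND"
    if ("in", "reply") not in legs:
        return "NO_REPLY_FROM_UPSTREAM"
    return "DROPPED_BY_FORTIGATE_INBOUND"


def interface_summary(pkts, target):
    """Packet counts per (interface, direction, kind) for one target, for the report."""
    return Counter(
        (p["iface"], p["direction"], p["kind"]) for p in pkts if target in (p["src"], p["dst"])
    )


def report(text, targets):
    """Human-readable verdict plus per-interface counts for each ping target."""
    pkts = parse_sniffer(text)
    lines = []
    for target in targets:
        code = classify_flow(pkts, target)
        lines.append(f"{target}: {code} - {VERDICTS[code]}")
        for (iface, direction, kind), n in sorted(interface_summary(pkts, target).items()):
            lines.append(f"    {iface} {direction} echo {kind}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SNIFFER_OUTPUT, ["8.8.8.8", "10.10.10.1"]))
```

For the constructed capture the report classifies 8.8.8.8 as NO_REPLY_FROM_UPSTREAM and 10.10.10.1 as COMPLETE, which is the distinction Debbie describes: requests leaving the FortiGate but no reply returning points at the router or the path beyond it rather than at the policy. To apply it to a real capture, paste the sniffer output in place of the sample and run the sniffer with a filter on the remote destination, so the NATed leg is not hidden by a host-only filter.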
Matie

Hi Debbie,

So I have tried to troubleshoot. When I ping from the router to the host there is loss, but when I ping the default gateway, the ping works. The same is true vice versa: when I ping from the host to the internet I have loss, but when I ping from the host to the default gateway I have success. Please check the pictures. The default gateway for VLAN 10 (the 10. network) is 10.10.10.1 on the FortiGate, and the default gateway for VLAN 23 (network 23.1.2.0) is 23.1.2.71 on the FortiGate. So I can ping both default gateways, I just cannot go further.

[attached images: Ping na Gateway a na hosta.jpg, Ping na internet a na def gateway.jpg, Ping z hosta na default gateway.jpg, Ping z routra na hosta, z routra na gateway a z hosta na internet.jpg]

Matie

Dear Debbie,

I am confused. I see only echo requests. Can you please explain those logs? What should I do to make it work?
