Hi,
I don't understand why I cannot ping the internet from the clients. I can ping the subinterface on port 2, 23.1.2.71. But if I try to ping 8.8.8.8 from Linux or the VPC, it is unsuccessful. I have a static route on the FortiGate, 0.0.0.0/0 to router 23.1.2.1, which is the router IP on port gi0/0. Switch ports gi0/0 and gi0/2 are trunks, and ports gi0/1 and gi0/3 are VLAN interfaces. I can ping the internet (8.8.8.8) from the FortiGate. Something on the FW is missing, I guess. Policies are applied, and when I ping from a client to the subinterface "To Internet", the policy is working. Please check the pictures.
Hi @Matie ,
Welcome to the community.
If I understood the topology correctly, traffic is coming in via VLAN10 and should be routed, via VLAN23, towards the ISP router.
I would start the troubleshooting looking at the routing table and the traffic flow (while generating traffic):
get router info routing-table all
diagnose debug flow filter addr x.x.x.x <---where x.x.x.x is the source of the traffic
diagnose debug flow trace start 10
diagnose debug enable
Looking at the policy that should allow the traffic, we can see that, at some point, there was some traffic that matched it.
Yes, if I ping from Linux to the DG 23.1.2.71, the ping is successful and it hits the policy. However, the ping doesn't want to go further to the router 23.1.2.1 and to the internet, and I don't know why. The routing table is as in the picture. I have tried to type those commands into the CLI, but it didn't do anything. I am a beginner, so please bear with me.
Hi @Matie , I see that you were given useful information so far.
Can you try to disable the asic offload on the policy that allows the traffic and try to run the commands again?
More info on how to do that: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-NP-offloading-in-security-policy...
diagnose debug flow filter addr 10.10.10.49
diagnose debug flow trace start 10
diagnose debug enable
Also, while generating the traffic, you could loosen the filters on the sniffer and use:
diagnose sniffer packet any "host 10.10.10.49" 4
Created on 08-24-2022 06:26 AM Edited on 08-24-2022 09:18 AM
Hi @aionescu, I did what you asked me to. Once I tried to ping from the router to the host, it disconnected me from the FortiGate. I don't know why. Check the first picture. Let me know if you have found something interesting. Thanks
Hi @Matie
Do you mind putting the IP addresses on the diagram too, so I can understand your deployment better? Is the gateway on the switch or on the Fortinet?
Based on this information, I can assist further with the issue.
The gateways are on the FortiGate. Here is the topology picture.
Dear Matie,
Your setup looks OK as far as I can see: you have a policy in place from private to internet with the appropriate interfaces, and you have routing in place. The policy also applies NAT, so this is not a case of private IPs going out and getting dropped.
Can you run a traceroute command from the host in question to 8.8.8.8 to verify at which point the traffic is failing?
This could be a case of the ping going through FortiGate, but the reply not making it back for whatever reason.
I would assume that to be unlikely, given that pinging from FortiGate itself works, but it wouldn't hurt to double-check that the ping reaches FortiGate and then gets lost.
Other than that, you will need to dig into troubleshooting traffic on the FortiGate itself. We have a number of good KBs for this:
Let us know if this helps :)
Created on 08-24-2022 05:06 AM Edited on 08-24-2022 05:52 AM
Hi Debbie,
So I have tried to troubleshoot. When I ping from the router to the host there is loss, but when I ping the default gateway, the ping works. The same applies vice versa: when I ping from the host to the internet I have loss, but when I ping from the host to the default gateway I have success. Please check the pictures. The default gateway for VLAN 10 and the 10. network is 10.10.10.1 on the FortiGate, and the default gateway for the VLAN 23 network 23.1.2.0 is 23.1.2.71 on the FortiGate. So I can ping both default gateways, I just cannot go further.
Dear Debbie
I am confused. I see only echo requests. Can you please explain those logs? What should I do to make it work?
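The sniffer output discussed above shows requests but no replies, which is the asymmetry Debbie described (ping leaves through the FortiGate, reply never returns). As an added example that is not part of the thread, the script below parses verbosity-4 `diagnose sniffer packet` lines and reports, per interface and target, where echo requests were seen without a matching reply. The sample capture is constructed, and the interface names port2/port3 are assumptions, not taken from the poster's FortiGate.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose sniffer packet any "host 10.10.10.49" 4' output
# (not a capture from the thread; addresses follow the thread's topology, interface
# names port2 (WAN side) and port3 (VLAN 10 side) are assumed).
SAMPLE = """\
interfaces=[any]
filters=[host 10.10.10.49]
0.512345 port3 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
0.512401 port2 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
1.513210 port3 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
1.513290 port2 out 23.1.2.71 -> 8.8.8.8: icmp: echo request
2.001000 port3 in 10.10.10.49 -> 10.10.10.1: icmp: echo request
2.001050 port3 out 10.10.10.1 -> 10.10.10.49: icmp: echo reply
"""

# Verbosity-4 line: <time> <iface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
ECHO_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)


def summarize(text):
    """Count echo traffic per (interface, ping target).

    For a request the target is its destination; for a reply it is the source,
    so both halves of one exchange land in the same bucket.
    """
    counts = defaultdict(lambda: {"req_in": 0, "req_out": 0, "rep_in": 0, "rep_out": 0})
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if not m:
            continue  # header lines and non-echo packets are skipped
        target = m.group("dst") if m.group("kind") == "request" else m.group("src")
        key = ("req" if m.group("kind") == "request" else "rep") + "_" + m.group("dir")
        counts[(m.group("iface"), target)][key] += 1
    return counts


def find_gaps(text):
    """Return (target, iface, problem) for every one-way echo exchange."""
    gaps = []
    for (iface, target), c in summarize(text).items():
        if c["req_out"] and not c["rep_in"]:
            gaps.append((target, iface, "no_reply_in"))    # sent upstream, nothing came back
        if c["req_in"] and not c["rep_out"]:
            gaps.append((target, iface, "no_reply_out"))   # host asked, never answered
    return sorted(gaps)


if __name__ == "__main__":
    for target, iface, problem in find_gaps(SAMPLE):
        print(f"{target} via {iface}: {problem}")
```

In the constructed sample, 8.8.8.8 is flagged on both interfaces while the 10.10.10.1 gateway exchange is complete, matching what the poster sees: the local gateway answers, the upstream path does not.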