Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Allwyn_Mascarenhas
Contributor

Windows PCs not ping the default gateway

I have a client with a a fortigate 70d, everything has been running fine since few months but now suddenly some windows machines are just not pinging the fortigate 70d lan interface IP. Ping is enabled on the fgt lan port as well.

 

Also user identity policies using ldap server are in place here and users can only get on to the internet through that. The machines which are facing the problems simply dont even ask for user auth in the browser as they cant get to the FGT in the first place. These machines which cant ping the gatewat fgt are able to ping the ldap server and other PCs on the network.

 

I also enabled debugging on the FGT to check for incoming packets and none show up.

 

FGT# diag debug enable FGT# diag debug flow filter add <PC1> FGT# diag debug flow show console enable FGT# diag debug flow trace start 100 FGT# diag debug enable   Simple nothing shows up. This same office has other PCs which are using the internet fine as per the user id policies and also ping the fgt.    My next course of action is to try wireshark to see what's wrong. Has anyone faced something like before? Any ideas also really appreciated.   Thanks.
5 REPLIES 5
ede_pfau
Esteemed Contributor III

Use the built-in sniffer on the FGT to look into the traffic on your LAN side:

diag sniffer packet lan 'icmp and host 192.168.333.444' 4
This will show all pings on the LAN side involving host 192.168.333.444 (yes, these values are placeholders...).

If you don't even see these pings then your PCs have a real problem. Check the software firewall (Windows, AV suite) first.

You can also sniff for protocol 'arp' for ARP requests. Start with pinging the FGT's LAN interface (to exclude routing issues).

 

Are you, by any chance, using VLANs?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Allwyn_Mascarenhas

HI thanks for the response.

 

From the wireshark capture i can see some STP packets related to the fortinet's lan interface. I dont have any idea on reading that data or using wireshark yet, but it clearly showed no icmp packets at all on the PCs with the issue and then i started connecting the PCs straight to fgt's internal port as the device is in switch mode and then used another small switch for some more problem PCs and things started working for now.

 

I have opened tickets with both fortinet and HP for the issue and handed the WS capture to fortinet, (the geniuses at hp dont even let you attach WS packet capture file).

 

But still some random PC somewhere would stop pinging the others or would stop pinging the gateway or drop its dhcp leased out ip, from the client's complaints.

 

For now i am down to figuring out if stp is acting weird here.

 

Not using VLANs at all. Also could you explain how does that place holder thing work? Never seen that IP before and googling it brought me back to this post itself.

 

ps: the forum's image and file uploading is not working correctly here

ede_pfau
Esteemed Contributor III

If you think of an STP issue you could take the FGT's interfaces out of STP. System > Interfaces, disable 'Use STP'. This option is enabled per default in v5.2.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Smartypants

A few years later an I'm seeing the same issue on our 900D HA pair.

We have about 10 different FGT Interfaces in use and the 10GB PORTA is divided into several VLANs.

One of these PORTA VLANs (10.0.0.0/22) has stopped replying to "pings" to the GW but the others haven't.

All of the other Interface GW's are working.

This firewall has been working fine for two years so for this to happen, and we do know the exact time it happened because several system and our alerting system that pings this GW all reported that it failed at 4:18:28PM give or take 10-sec 4/5/2017. One of this systems that failed at the time was vSphere HA.

Fortigate support has told me that its a problem with my VLAN tagging and I reject that for reason stated above.

As someone who has a support agreement I've pushed back so my question to the forum is has anyone else seen this?

I've needed to reboot this HA pair several time over the last two years and had to RMA one because of a failed drive but I can't reboot right now because of 24/7 business requirements.

 

  

rosario_thobias
New Contributor

Hi, The Windows PC in question; is it connected directly to the firewall ? Are all interfaces pingable right from PC ethernet port to firewall lan port? What is the tracert output to lan interface of firewall from the the ip that's not working? What gateway ip does ipconfig output show on pc working vs not working and what is the Lan int ip of the firewall ? Try setting static ip on PC that's not working, maybe you could use the ip of PC that is working. Then see if ping works. If it works, then we know it is a routing problem or at least we know something is excluding this ip. If it doesn't, is physical layer ok? Do both PC's belong to same vlan(if applicable)? Objects ->addresses (if applicable) ? I have few other ideas, but let me know how it goes :)...
Top Kudoed Authors