I have a client with a FortiGate 70D. Everything has been running fine for a few months, but now suddenly some Windows machines are just not pinging the FortiGate 70D LAN interface IP. Ping is enabled on the FGT LAN port as well.
Also, user identity policies using an LDAP server are in place here and users can only get on to the internet through that. The machines which are facing the problem simply don't even ask for user auth in the browser, as they can't get to the FGT in the first place. These machines which can't ping the gateway FGT are able to ping the LDAP server and other PCs on the network.
I also enabled debugging on the FGT to check for incoming packets and none show up.
FGT# diag debug enable
FGT# diag debug flow filter addr <PC1>
FGT# diag debug flow show console enable
FGT# diag debug flow trace start 100
FGT# diag debug enable
Simply nothing shows up.
This same office has other PCs which are using the internet fine as per the user id policies and also ping the fgt.
My next course of action is to try Wireshark to see what's wrong. Has anyone faced something like this before? Any ideas are also really appreciated.
From the Wireshark capture I can see some STP packets related to the Fortinet's LAN interface. I don't have any idea on reading that data or using Wireshark yet, but it clearly showed no ICMP packets at all on the PCs with the issue. I then started connecting the PCs straight to the FGT's internal port, as the device is in switch mode, and then used another small switch for some more problem PCs, and things started working for now.
I have opened tickets with both Fortinet and HP for the issue and handed the WS capture to Fortinet (the geniuses at HP don't even let you attach a WS packet capture file).
But still some random PC somewhere would stop pinging the others, or would stop pinging the gateway, or drop its DHCP leased IP, from the client's complaints.
For now I am down to figuring out if STP is acting weird here.
Not using VLANs at all. Also, could you explain how that placeholder thing works? Never seen that IP before, and googling it brought me back to this post itself.
PS: the forum's image and file uploading is not working correctly here
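As an added example (not from the original poster or from Fortinet), here is a small classifier that reads raw Ethernet frames such as those exported from a Wireshark capture and labels STP BPDUs (including ones carrying the Topology Change flag) separately from ICMP echo requests/replies, so an absence of ICMP next to a stream of STP can be seen at a glance. The sample frames, MACs and 192.0.2.x addresses at the bottom are constructed for the example.

```python
import struct
from collections import Counter
from socket import inet_aton

STP_MCAST = bytes.fromhex("0180c2000000")   # 802.1D bridge-group destination address
LLC_STP = b"\x42\x42\x03"                   # LLC DSAP/SSAP 0x42, UI control field

def classify_frame(frame: bytes) -> str:
    """Label one raw Ethernet frame (no pcap record header) by what it carries."""
    if len(frame) < 14:
        return "runt"
    dst, _src, etype = struct.unpack_from("!6s6sH", frame)
    payload = frame[14:]
    # STP BPDUs travel in 802.3 frames: a length field (<= 1500), then LLC 42/42/03.
    if etype <= 1500 and dst == STP_MCAST and payload.startswith(LLC_STP):
        bpdu = payload[3:]
        if len(bpdu) < 4:
            return "stp-truncated"
        _proto, _ver, btype = struct.unpack_from("!HBB", bpdu)
        if btype == 0x80:                   # Topology Change Notification BPDU
            return "stp-tcn"
        kind = "rstp" if btype == 0x02 else "stp"
        tc_flag = len(bpdu) > 4 and bpdu[4] & 0x01   # flags bit 0 = Topology Change
        return f"{kind}-config-tc" if tc_flag else f"{kind}-config"
    if etype == 0x0800 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        if proto == 1 and len(payload) > ihl:
            t = payload[ihl]
            return {8: "icmp-echo-request", 0: "icmp-echo-reply"}.get(t, f"icmp-type-{t}")
        return f"ipv4-proto-{proto}"
    if etype == 0x0806:
        return "arp"
    return f"ethertype-0x{etype:04x}"

def summarize(frames) -> Counter:
    """Count frame classes; shows whether any ICMP made it onto the wire at all."""
    return Counter(classify_frame(f) for f in frames)

# --- constructed sample frames standing in for a real capture ---
PC_MAC = bytes.fromhex("000000aaaaaa")
FW_MAC = bytes.fromhex("000000bbbbbb")

def config_bpdu(tc: bool) -> bytes:
    body = LLC_STP + struct.pack("!HBBB", 0, 0, 0, 0x01 if tc else 0) + bytes(30)
    return STP_MCAST + FW_MAC + struct.pack("!H", len(body)) + body

def icmp_echo(src_ip: str, dst_ip: str, icmp_type: int) -> bytes:
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # checksum left 0 (constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return FW_MAC + PC_MAC + b"\x08\x00" + ip + icmp

SAMPLE = [config_bpdu(False), config_bpdu(True), config_bpdu(True),
          icmp_echo("192.0.2.50", "192.0.2.1", 8)]   # one request, no reply seen
```

Run `summarize(SAMPLE)` on real frames (e.g. the packet bytes exported from Wireshark) and a capture from an affected PC should show the echo requests with no matching replies, while a run of `stp-config-tc` frames is worth raising with whoever manages the switch.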
A few years later and I'm seeing the same issue on our 900D HA pair.
We have about 10 different FGT Interfaces in use and the 10GB PORTA is divided into several VLANs.
One of these PORTA VLANs (10.0.0.0/22) has stopped replying to "pings" to the GW but the others haven't.
All of the other interface GWs are working.
This firewall has been working fine for two years, so for this to happen is a surprise, and we do know the exact time it happened because several systems and our alerting system that pings this GW all reported that it failed at 4:18:28 PM, give or take 10 seconds, on 4/5/2017. One of the systems that failed at the time was vSphere HA.
Fortigate support has told me that it's a problem with my VLAN tagging, and I reject that for the reasons stated above.
As someone who has a support agreement I've pushed back, so my question to the forum is: has anyone else seen this?
I've needed to reboot this HA pair several times over the last two years and had to RMA one because of a failed drive, but I can't reboot right now because of 24/7 business requirements.
The Windows PC in question: is it connected directly to the firewall? Are all interfaces pingable right from the PC ethernet port to the firewall LAN port?
What is the tracert output to the LAN interface of the firewall from the IP that's not working?
What gateway IP does the ipconfig output show on the PC that is working vs. the one that is not working,
and what is the LAN interface IP of the firewall?
Try setting a static IP on the PC that's not working; maybe you could use the IP of the PC that is working. Then see if ping works.
If it works, then we know it is a routing problem, or at least we know something is excluding this IP. If it doesn't, is the physical layer OK?
Do both PCs belong to the same VLAN (if applicable)?
Objects ->addresses (if applicable) ?
I have few other ideas, but let me know how it goes :)...