Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

ipsec vpn blackhole issue: i can't ping the other subnet throw the ipsec tunel

I have two LAN networks: the first one is, and the second one is Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.

However, when I try to ping a host in the other subnet (for example, from to, I don't receive any response. The ping requests seem to be unsuccessful.

I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.

1 Solution

@saneeshpv_FTNT @internet_contributer  @jera  @hbac @dbhavsar 

I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies  , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly . 

View solution in original post


Hi @khalilbouzaiene1 ,


Setup: <> FW1 <IPSEC> FW2 <>  (


Good day! The first thing you need to check is the availability of  routes going to your remote LAN ( from your FW1.  This  network should be learned from your IPSEC interface.


If you are learning the from your wan/other interface, make sure to configure the route via IPSEC with a lower administrative distance.


config router static
    edit <id>
        set dst
set distance <value> set device "to_IPSEC" next end

You should do the same route verification in FW2. The must be learned from your IPSEC interface. You can double check your IPSEC configuration using this guide:


IPSEC Troubleshooting Guide:



in my case juste i have created the vpn tunel with the wizard template and no thnig else 
this the topology of my network 

and the static rules created by the wizard template are here 



and also in the other fortigate : FW-B 


do i need to add that configuration so that the ping will be successfull ?!!!


Hello @khalilbouzaiene1 

You can run the sniffer on one of the FGT to check if he is sending the traffic out or not :

diagnose sniffer packet any 'host <source IP of user behind FGT> and icmp 4 0 l

Same you can tun on the other FGT to check if that device is also receiving packets or not.



no thing yet guys no one of these preposition is the solution
and the packet they can't reatch the fortigate vpn interface when i try to sniffing the packet on my vpn interface




You can make this tunnel to a Custom tunnel and then remove the Gateway configuration from the Static routes at each side which is incorrect.


Once that is done you will be able to ping.


Best Regards


i have tryed also to do a custom tunel , it have been estableched and it bring up but also i can't ping the host in the other lan 

when i ping from the  lan interface  which directly connectted to the fortigate to the other lan interface which also connected to the other foertigate , ( --> )it work  but when i try to ping the host no thing ( ---> )


Hello @khalilbouzaiene1 ,


It's a great progress. If you are able to ping from local LAN gateway to remote LAN gateway (vise versa) , it means the tunnel is now working.


If the ping source is your server and can't reach the remote LAN Server. You can do another sniffer trace using only the remote IP as host to check if you have a two way traffic. 


If no logs generated on sniffer trace, it's possible that your server do not have the proper default gateway. If you see in/out traffic on sniffer it means that ICMP is blocked from your servers.




hello jera hope you doing well 
so after the sniffer test that i have done so fare , i notice that when i try to ping the other host in the other lan ( from the host ( and in the same time i write this cmd in the cli of the fw-a i have  these logs :sniffer 1.png

and also when i wrote the same cmd in the cli if the fw-b  i have these logs : 
sniffer 2.png

so when i try to ping the other host  from the 192.lan , the packet are resived on the port 3 interface and do not forwarded to the int of the tunel  


and also i have done other test 
i try to ping the other host from the fortigate lan interface ( ,  so for this i wrote these cmd in fw-a cli 
execute ping-options source 
execute ping
and also in the other fortigate b i write this commande to sniffer the packet recived 
and i have these logs 
sniffer 3.png
so in my case i thing that there is no gateway issue 


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors