hey all
first off, my english is not great, so if anything is confusing, please let me know
okay, i have remote sites under my control connected to my main site via multiple VPN tunnels, one for each physical WAN interface IP
in these remote sites, some only have internet access via the main tunnel and some also have another PPPoE connection on wan2 via some other local isp, some have sd-wan configured, but in all of them, for some reason, i can't ping from wan interfaces to outside
when i try, it either gives me :
remote-site1 # exe ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
or when directly specifying the interface:
remote-site1 # exe ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
no matter what interface or source ip i specify, it will not ping, but internet is working fine on every site
and as for the most obvious setting, yes i do have it enabled for every site/interface under allowaccess ping, and i also tried creating every kind of policy, but nothing changes
any ideas i could try? traceroute also doesn't work, also tried running diagnose but same thing, says unreachable
remote-site1 # diagnose sniffer packet any 'host 192.168.88.10 and icmp' 4 0 l
interfaces=[any]
filters=[host 192.168.88.10 and icmp]
2025-09-25 10:35:50.143305 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:50.143344 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:51.139763 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:51.139796 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:51.578997 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579013 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579022 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579032 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579041 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579050 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579054 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579075 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579079 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579082 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579090 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:51.579094 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:52.134865 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:52.134905 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:53.133677 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:53.133719 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:54.145214 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:54.145259 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:54.668996 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669013 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669023 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669033 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669042 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669051 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669055 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669076 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669080 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669088 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669092 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:54.669095 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:55.152766 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:55.152809 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:56.144836 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:56.144884 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:57.143826 wan1 in 192.168.88.1 -> 192.168.88.10: icmp: echo request
2025-09-25 10:35:57.143869 wan1 out 192.168.88.10 -> 192.168.88.1: icmp: echo reply
2025-09-25 10:35:57.738996 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739014 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739024 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739033 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739042 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739051 root out 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739055 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739077 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739086 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739090 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739094 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
2025-09-25 10:35:57.739097 root in 192.168.88.10 -> 192.168.88.10: icmp: host 172.25.14.2 unreachable
^C
222 packets received by filter
0 packets dropped by kernel
one last thing, from main site i can ping just fine, i have main connection on dmz and secondary isp on wan1 and ping works for both
appreciate any help or suggestions that could point me in the right direction
Hi Mac
This is usually seen when WAN IP has more than 1 IP address. In that case this can be fixed by selecting the source IP address. And FGT services can be set with local out routing.
hey man, thanks for the reply
pretty much every site has a wan physical interface ip and a tunnel ip, and also another wan physical port with PPPoE, but even when specifying with source command, it gives me the same results, which is either 100% packet loss or the error "sendto failed: 101(Network is unreachable)"
What's in "exe traceroute 8.8.8.8"? Does it show any hops?
Also share with us "get router info routing-t all" for the first part that includes default routes (0.0.0.0/0) at the remote-site1.
Toshi
Created on 09-26-2025 10:12 AM Edited on 09-26-2025 10:15 AM
Hello Toshi, thanks for the reply
What's in "exe traceroute 8.8.8.8"? Does it show any hops?
remote-site1 # exe traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.0.0.13 8.414 ms 8.382 ms 8.274 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 *^C *
if i specify source internal ip, it pings and traceroutes just fine:
remote-site1 # exe traceroute-options source 192.168.30.1
remote-site1 # exe traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.0.0.13 8.434 ms 8.353 ms 8.289 ms
2 one.of.ourmain.site.external.ip 10.066 ms 10.836 ms 9.186 ms
3 72.14.196.46 25.011 ms 25.521 ms 24.870 ms
4 108.170.227.19 24.264 ms 24.119 ms 23.977 ms
5 74.125.242.191 23.946 ms 24.246 ms 23.996 ms
6 8.8.8.8 <dns.google> 23.927 ms 24.771 ms 23.825 ms
Also share with us "get router info routing-t all" for the first part that includes default routes (0.0.0.0/0) at the remote-site1.
remote-site1 # get router info routing-t all
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via toMatriz tunnel 172.25.14.2, [1/0]
S 10.0.0.12/30 [5/0] via toMatriz tunnel 172.25.14.2, [1/0]
C 10.0.0.14/32 is directly connected, toMatriz
S 172.25.14.0/30 [10/0] via 172.25.14.21, wan2, [1/0]
C 172.25.14.20/30 is directly connected, wan2
C 192.168.30.0/24 is directly connected, internal
C 192.168.88.0/24 is directly connected, wan1
toMatriz is our main site, wan2 is where our remote site has the physical wan port connected to the main site, wan1 is a local isp who gave us a static ip (not external) to connect instead of PPPoE
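An added example, not part of any post in this thread: it reads the routing table posted above with a longest-prefix match and follows each next hop until a directly connected route is reached, so the path for 8.8.8.8 can be compared with the `172.25.14.2` address in the sniffer output. The function names are hypothetical and the lookup is a simplified model that ignores policy routes, SD-WAN rules and FortiOS source-address selection.

```python
import ipaddress
import re

# Routing table exactly as posted for remote-site1 in the thread.
ROUTES_TEXT = """\
S* 0.0.0.0/0 [5/0] via toMatriz tunnel 172.25.14.2, [1/0]
S 10.0.0.12/30 [5/0] via toMatriz tunnel 172.25.14.2, [1/0]
C 10.0.0.14/32 is directly connected, toMatriz
S 172.25.14.0/30 [10/0] via 172.25.14.21, wan2, [1/0]
C 172.25.14.20/30 is directly connected, wan2
C 192.168.30.0/24 is directly connected, internal
C 192.168.88.0/24 is directly connected, wan1
"""

# Assumption: only the three line shapes seen in the posted table are handled.
TUNNEL = re.compile(r"^S\*?\s+(\S+) \[\d+/\d+\] via (\S+) tunnel (\S+),")
GATEWAY = re.compile(r"^S\*?\s+(\S+) \[\d+/\d+\] via (\d[\d.]*), (\S+),")
CONNECTED = re.compile(r"^C\s+(\S+) is directly connected, (\S+)")

def parse_routes(text):
    """Return a list of (network, interface, next_hop or None)."""
    routes = []
    for line in text.splitlines():
        if m := TUNNEL.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2], m[3]))
        elif m := GATEWAY.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[3], m[2]))
        elif m := CONNECTED.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2], None))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns the winning route tuple or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def resolve(routes, dst, max_hops=8):
    """Follow next hops until a connected route; list of (dst, route, iface)."""
    chain, hit = [], lookup(routes, dst)
    while hit and len(chain) < max_hops:
        net, iface, next_hop = hit
        chain.append((dst, str(net), iface))
        if next_hop is None:
            break
        dst, hit = next_hop, lookup(routes, next_hop)
    return chain
```

Calling `resolve(parse_routes(ROUTES_TEXT), "8.8.8.8")` lists the default route on `toMatriz`, then the `172.25.14.0/30` static route on `wan2`, then the connected `172.25.14.20/30` subnet.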
Copyright 2025 Fortinet, Inc. All Rights Reserved.