Hi,
I'm trying to ping 8.8.4.4 from the WAN interfaces of my FortiGate 40F (v7.0.13). Interface 'a' can ping correctly but interface 'wan' cannot reach the destination.
Interface 'wan':
#execute ping-options source 138.99.23.193
#execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Debug:
# diagnose debug enable
# diagnose debug flow filter addr 8.8.4.4
# diagnose debug flow filter proto 1
# diagnose debug flow show function-name enable
show function name
# diagnose debug flow trace start 100
# id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=729 func=init_ip_session_common line=6043 msg="allocate a new session-0509fe9d, tun_id=0.0.0.0"
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
id=20085 trace_id=730 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=731 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=2."
id=20085 trace_id=731 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=732 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=3."
id=20085 trace_id=732 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=733 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=4."
id=20085 trace_id=733 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
Interface 'a':
# execute ping-options reset
# execute ping-options source 177.84.137.44
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=19.5 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.3 ms
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.3/18.5/19.5 ms
Debug:
# id=20085 trace_id=744 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=0."
id=20085 trace_id=744 func=init_ip_session_common line=6043 msg="allocate a new session-050a4965, tun_id=0.0.0.0"
id=20085 trace_id=745 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=0."
id=20085 trace_id=745 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=745 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=746 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=1."
id=20085 trace_id=746 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=747 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=1."
id=20085 trace_id=747 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=748 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=2."
id=20085 trace_id=748 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=749 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=2."
id=20085 trace_id=749 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=750 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=3."
id=20085 trace_id=750 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=751 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=3."
id=20085 trace_id=751 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=752 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=4."
id=20085 trace_id=752 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=753 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=4."
id=20085 trace_id=753 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
routes:
#get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 177.84.139.51, ppp3, [1/0]
[1/0] via 10.85.161.37, ppp2, [1/0]
.
.
.
sdwan:
#show
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "z-VPNs"
next
end
config members
edit 1
set interface "wan"
set gateway 10.85.161.37
next
edit 2
set interface "a"
set gateway 177.84.139.51
next
edit 20
set interface "SPOKE-01"
set zone "z-VPNs"
set priority 11
next
edit 30
set interface "SPOKE-02"
set zone "z-VPNs"
set priority 11
The two WAN interfaces use PPPoE to receive IP and gateway.
The two interfaces (wan, a) are part of the same SD-WAN that implements balancing (Maximize Bandwidth SLA).
I don't understand why I can't ping when I set 'execute ping-options source 138.99.23.19'....
I don't know if I provided all the necessary information; you can ask for more if you need it.
Hi,
One guess would be that you don't actually have that public IP configured on your PPPoE interface, but a private one that the ISP does a NAT for, while the other interface has a direct public IP configured on it.
Maybe try with the interface param instead of source IP? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGat...
This is very strange:
interface 'wan':
# execute ping-options reset
# execute ping-options interface wan
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.0 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.6 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.6 ms
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.0/18.3/18.6 ms
debug:
# id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=764 func=init_ip_session_common line=6043 msg="allocate a new session-050accac, tun_id=0.0.0.0"
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=765 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=766 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=1."
id=20085 trace_id=766 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=767 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=1."
id=20085 trace_id=767 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=768 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=2."
id=20085 trace_id=768 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=769 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=2."
id=20085 trace_id=769 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=770 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=3."
id=20085 trace_id=770 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=771 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=3."
id=20085 trace_id=771 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=772 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=4."
id=20085 trace_id=772 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=773 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=4."
id=20085 trace_id=773 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
Even defining the wan interface (execute ping-options wan interface), the firewall used the IP of interface A (177.84.137.44) to communicate with 8.8.4.4.
Just a wild idea. Try disabling port A and see if anything works using the WAN interface, since it will be the only one having a route installed in the RIB.
It works: by disabling the A interface I can ping using the wan interface.
I think I found the cause of this strange behavior. In my SD-WAN configuration I need to inform the priority of the link I want to test. Currently my two links have the same priority. If I want to test using the 'wan' interface I need to put more priority on this link; if I want to test using the 'A' port I need to put more priority on the 'A' interface link.
It would be better if, when using the command 'execute ping-options source 138.99.23.193', these priority issues were ignored and FortiGate used the IP/GATEWAY configurations referring to the interface that has IP 138.99.23.193.
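Added example (not part of the original thread, and not Fortinet code): a small parser for 'diagnose debug flow' output in the format shown above. It reports, per session, which source IP actually left the box and whether any reply came back, which is the comparison made by eye in this thread. The function names and the sample trace (documentation addresses) are constructed for illustration.

```python
import re

TID = re.compile(r'trace_id=(\d+)')
PKT = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)'
                 r'.* from (\S+?)\. type=(\d+)')
SESS = re.compile(r'(?:new session-|existing session, id-)([0-9a-f]+)'
                  r'(?:, (original|reply) direction)?')

# Constructed sample in the thread's trace format (RFC 5737 addresses).
SAMPLE_TRACE = '''\
# id=20085 trace_id=1 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:100->198.51.100.8:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=100, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=6043 msg="allocate a new session-aaaa0001, tun_id=0.0.0.0"
id=20085 trace_id=2 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:100->198.51.100.8:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=100, seq=1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-aaaa0001, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 203.0.113.20:200->198.51.100.8:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=200, seq=0."
id=20085 trace_id=3 func=init_ip_session_common line=6043 msg="allocate a new session-bbbb0002, tun_id=0.0.0.0"
id=20085 trace_id=4 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 198.51.100.8:200->203.0.113.20:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=200, seq=0."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-bbbb0002, reply direction"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-203.0.113.20 via root"
'''

def summarize(trace_text):
    """Group trace lines by trace_id (one packet each), then by session id."""
    packets = {}
    for line in trace_text.splitlines():
        tid = TID.search(line)
        if not tid:
            continue
        pkt = packets.setdefault(tid.group(1), {})
        m = PKT.search(line)
        if m:  # packet header line: source address and ingress ("local", "ppp3", ...)
            pkt.update(src=m.group(1), ingress=m.group(3))
        s = SESS.search(line)
        if s:  # a newly allocated session counts as the original direction
            pkt.update(session=s.group(1), direction=s.group(2) or 'original')
    sessions = {}
    for pkt in packets.values():
        if 'session' not in pkt or 'src' not in pkt:
            continue
        entry = sessions.setdefault(pkt['session'], {
            'source': None, 'requests': 0, 'replies': 0, 'reply_iface': None})
        if pkt['direction'] == 'reply':
            entry['replies'] += 1
            entry['reply_iface'] = pkt['ingress']
        else:
            entry['requests'] += 1
            entry['source'] = pkt['src']
    return sessions

def unanswered(sessions):
    """Source IPs whose sessions sent requests but never saw a reply."""
    return [s['source'] for s in sessions.values() if s['requests'] and not s['replies']]
```

Run over the traces in this thread, the same summary would show whether the source address requested with 'execute ping-options' is the one that actually appears in the outgoing packets, and on which interface replies arrive.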