mateusguilherme
New Contributor II

ping from one of the wan interfaces

Hi

 

I'm trying to ping 8.8.4.4 from the WAN interfaces of my FortiGate 40F (v7.0.13). Interface 'a' can ping correctly, but interface 'wan' cannot reach the destination.

 

Interface 'wan':

 

#execute ping-options source 138.99.23.193

#execute ping 8.8.4.4


PING 8.8.4.4 (8.8.4.4): 56 data bytes
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

 


Debug: 

 

# diagnose debug enable

# diagnose debug flow filter addr 8.8.4.4

# diagnose debug flow filter proto 1

# diagnose debug flow show function-name enable
show function name

# diagnose debug flow trace start 100

# id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=729 func=init_ip_session_common line=6043 msg="allocate a new session-0509fe9d, tun_id=0.0.0.0"
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
id=20085 trace_id=730 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=731 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=2."
id=20085 trace_id=731 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=732 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=3."
id=20085 trace_id=732 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=733 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=4."
id=20085 trace_id=733 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"

 

 

Interface 'a':

 

# execute ping-options reset

# execute ping-options source 177.84.137.44

# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=19.5 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.3 ms

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.3/18.5/19.5 ms

 

 

Debug: 

 

# id=20085 trace_id=744 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=0."
id=20085 trace_id=744 func=init_ip_session_common line=6043 msg="allocate a new session-050a4965, tun_id=0.0.0.0"
id=20085 trace_id=745 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=0."
id=20085 trace_id=745 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=745 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=746 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=1."
id=20085 trace_id=746 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=747 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=1."
id=20085 trace_id=747 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=748 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=2."
id=20085 trace_id=748 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=749 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=2."
id=20085 trace_id=749 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=750 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=3."
id=20085 trace_id=750 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=751 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=3."
id=20085 trace_id=751 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=752 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=4."
id=20085 trace_id=752 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=753 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=4."
id=20085 trace_id=753 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"

 

 

routes:

 

#get router info routing-table all

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 177.84.139.51, ppp3, [1/0]
                  [1/0] via 10.85.161.37, ppp2, [1/0]
.
.
.

 

 

sdwan:

 

#show
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "z-VPNs"
        next
    end
    config members
        edit 1
            set interface "wan"
            set gateway 10.85.161.37
        next
        edit 2
            set interface "a"
            set gateway 177.84.139.51
        next
        edit 20
            set interface "SPOKE-01"
            set zone "z-VPNs"
            set priority 11
        next
        edit 30
            set interface "SPOKE-02"
            set zone "z-VPNs"
            set priority 11

 

 

 

The two WAN interfaces use PPPoE to receive IP and gateway.


The two interfaces (wan, a) are part of the same sd-wan that implements balancing (Maximize Bandwidth SLA).

I don't understand why I can't ping when I set 'execute ping-options source 138.99.23.19'....

 

I don't know if I provided all the necessary information; you can ask for more if you need it.

 

1 Solution
mateusguilherme
New Contributor II

I think I found the cause of this strange behavior. In my SD-WAN configuration I need to specify the priority of the link I want to test. Currently my two links have the same priority. If I want to test using the 'wan' interface, I need to put more priority on this link; if I want to test using the 'A' port, I need to put more priority on the 'A' interface link.

 

It would be better if, when using the command 'execute ping-options source 138.99.23.193', these priority issues were ignored and the FortiGate used the IP/gateway configuration of the interface that has IP 138.99.23.193.


5 REPLIES 5
funkylicious
SuperUser

Hi,

One guess would be that you don't actually have that public IP configured on your PPPoE interface, but a private one that the ISP NATs, while the other interface has a public IP configured directly on it.

Maybe try with the interface param instead of the source IP? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGat...

---------------------------
geek
---------------------------
mateusguilherme

this is very strange:

interface 'wan':

# execute ping-options reset
# execute ping-options interface wan
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.0 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.6 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.6 ms

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.0/18.3/18.6 ms

 debug:

# id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=764 func=init_ip_session_common line=6043 msg="allocate a new session-050accac, tun_id=0.0.0.0"
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=765 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=766 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=1."
id=20085 trace_id=766 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=767 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=1."
id=20085 trace_id=767 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=768 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=2."
id=20085 trace_id=768 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=769 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=2."
id=20085 trace_id=769 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=770 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=3."
id=20085 trace_id=770 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=771 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=3."
id=20085 trace_id=771 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=772 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=4."
id=20085 trace_id=772 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=773 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=4."
id=20085 trace_id=773 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"

 

Even defining the wan interface (execute ping-options wan interface) the firewall used the IP of interface A (177.84.137.44) to communicate with 8.8.4.4
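
An added example (not part of any post in this thread): a small Python parser for the 'diagnose debug flow' lines shown above. It groups echo requests and replies by ICMP id and reports, per ping run, the source address the packets actually carried, how many requests were answered, and the interface the replies arrived on. The function name summarize_pings and its report fields are assumptions made for this example; the sample trace is abridged from the traces posted in the thread.

```python
import re

# Field layout of the print_pkt_detail lines in the traces on this page.
PKT_RE = re.compile(
    r"received a packet\(proto=1, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)"
    r".*? from (?P<ingress>\S+?)\. type=(?P<type>\d+), code=\d+, "
    r"id=(?P<id>\d+), seq=(?P<seq>\d+)")

def summarize_pings(trace_text, expected_source=None):
    """Group ICMP echo traffic by ICMP id; one report entry per ping run."""
    runs = {}
    for line in trace_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # session and route lines carry no packet tuple
        if m["type"] == "8" and m["ingress"] == "local":  # echo request from the unit
            run = runs.setdefault(m["id"], {"source": m["src"], "target": m["dst"],
                                            "sent": set(), "answered": set(),
                                            "reply_ingress": set()})
            run["sent"].add(int(m["seq"]))
        elif m["type"] == "0" and m["id"] in runs:  # echo reply to a known run
            runs[m["id"]]["answered"].add(int(m["seq"]))
            runs[m["id"]]["reply_ingress"].add(m["ingress"])
    return [{"source": r["source"], "target": r["target"],
             "sent": len(r["sent"]), "answered": len(r["answered"]),
             "reply_ingress": sorted(r["reply_ingress"]),
             # False when the packets left with a different source than requested
             "source_as_expected": expected_source in (None, r["source"])}
            for r in runs.values()]

# Abridged from the traces posted in this thread (two sequence numbers per run).
SAMPLE_TRACE = '''\
id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=729 func=init_ip_session_common line=6043 msg="allocate a new session-0509fe9d, tun_id=0.0.0.0"
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
id=20085 trace_id=766 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=1."
id=20085 trace_id=767 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=1."
'''

if __name__ == "__main__":
    for entry in summarize_pings(SAMPLE_TRACE, expected_source="138.99.23.193"):
        print(entry)
```

A run with answered equal to 0 means the trace saw only locally generated requests and no reply on any interface; a run with source_as_expected set to False means the unit sent the ping with a different source address than the one being tested.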

funkylicious
SuperUser

Just a wild idea. Try disabling port A and see if anything works using the WAN interface, since it will be the only one having a route installed in the RIB.

---------------------------
geek
---------------------------
mateusguilherme

works, by disabling the A interface I can ping using the wan interface.
