- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ping from one of the wan interfaces
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ping from one of the wan interfaces
hi
I'm trying to ping 8.8.4.4 from my wan interfaces of my fortigate 40F (v7.0.13). Interface 'a' can ping correctly but interface 'wan' cannot reach the destination.
Interface 'wan':
#execute ping-options source 138.99.23.193
#execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Debug:
# diagnose debug enable
# diagnose debug flow filter addr 8.8.4.4
# diagnose debug flow filter proto 1
# diagnose debug flow show function-name enable
show function name
# diagnose debug flow trace start 100
# id=20085 trace_id=729 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=0."
id=20085 trace_id=729 func=init_ip_session_common line=6043 msg="allocate a new session-0509fe9d, tun_id=0.0.0.0"
id=20085 trace_id=730 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=1."
id=20085 trace_id=730 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=731 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=2."
id=20085 trace_id=731 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=732 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=3."
id=20085 trace_id=732 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
id=20085 trace_id=733 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 138.99.23.193:14760->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=14760, seq=4."
id=20085 trace_id=733 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-0509fe9d, original direction"
Interface 'a':
# execute ping-options reset
# execute ping-options source 177.84.137.44
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=19.5 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.3 ms
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.3/18.5/19.5 ms
Debug:
# id=20085 trace_id=744 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=0."
id=20085 trace_id=744 func=init_ip_session_common line=6043 msg="allocate a new session-050a4965, tun_id=0.0.0.0"
id=20085 trace_id=745 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=0."
id=20085 trace_id=745 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=745 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=746 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=1."
id=20085 trace_id=746 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=747 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=1."
id=20085 trace_id=747 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=748 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=2."
id=20085 trace_id=748 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=749 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=2."
id=20085 trace_id=749 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=750 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=3."
id=20085 trace_id=750 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=751 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=3."
id=20085 trace_id=751 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
id=20085 trace_id=752 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15272->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15272, seq=4."
id=20085 trace_id=752 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, original direction"
id=20085 trace_id=753 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15272->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15272, seq=4."
id=20085 trace_id=753 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050a4965, reply direction"
routes:
#get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 177.84.139.51, ppp3, [1/0]
[1/0] via 10.85.161.37, ppp2, [1/0]
.
.
.
sdwan:
#show
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "z-VPNs"
next
end
config members
edit 1
set interface "wan"
set gateway 10.85.161.37
next
edit 2
set interface "a"
set gateway 177.84.139.51
next
edit 20
set interface "SPOKE-01"
set zone "z-VPNs"
set priority 11
next
edit 30
set interface "SPOKE-02"
set zone "z-VPNs"
set priority 11
The two wan interfaces use PPPOE to receive IP and gateway.
The two interfaces (wan, a) are part of the same sd-wan that implements balancing (Maximize Bandwidth SLA).
I don't understand why I can't ping when I set 'execute ping-options source 138.99.23.19'....
I don't know if I provided all the necessary information, you can ask for more if you need
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the cause of this strange behavior. In my SDWAN configuration I need to inform the priority of the link I want to test. Currently my two links have the same priority. If I want to test using the 'wan' interface I need to put more priority on this link, if I want to test using the 'A' port I need to put more priority on the 'A' interface link.
It would be better if, when using the command 'execute ping-options source 138.99.23.193', these priority issues should be ignored and fortigate should use the IP/GATEWAY configurations referring to the interface that has IP 138.99.23.193.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
One guess would be that you dont actually have that public IP configured on your PPPoE interface, but a private one that the ISP does a NAT for it while the other interface has a direct public IP configured on it.
Maybe try with interface param instead of source ip ? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGat...
---------------------------
geek
---------------------------
geek
---------------------------
---------------------------geek---------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very strange:
interface 'wan':
# execute ping-options reset
# execute ping-options interface wan
# execute ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=120 time=18.0 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=120 time=18.3 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=120 time=18.6 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=120 time=18.6 ms
--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.0/18.3/18.6 msdebug:
# id=20085 trace_id=764 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=0."
id=20085 trace_id=764 func=init_ip_session_common line=6043 msg="allocate a new session-050accac, tun_id=0.0.0.0"
id=20085 trace_id=765 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=0."
id=20085 trace_id=765 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=765 func=vf_ip_route_input_common line=2611 msg="find a route: flag=80000000 gw-177.84.137.44 via root"
id=20085 trace_id=766 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=1."
id=20085 trace_id=766 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=767 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=1."
id=20085 trace_id=767 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=768 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=2."
id=20085 trace_id=768 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=769 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=2."
id=20085 trace_id=769 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=770 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=3."
id=20085 trace_id=770 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=771 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=3."
id=20085 trace_id=771 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
id=20085 trace_id=772 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 177.84.137.44:15784->8.8.4.4:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=15784, seq=4."
id=20085 trace_id=772 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, original direction"
id=20085 trace_id=773 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=1, 8.8.4.4:15784->177.84.137.44:0) tun_id=0.0.0.0 from ppp3. type=0, code=0, id=15784, seq=4."
id=20085 trace_id=773 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-050accac, reply direction"
Even defining the wan interface (execute ping-options wan interface) the firewall used the IP of interface A (177.84.137.44) to communicate with 8.8.4.4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a wild idea. Try disabling port A and see if anything works using WAN interface since it will be the only one having a roue and installed in rib.
---------------------------
geek
---------------------------
geek
---------------------------
---------------------------geek---------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
works, by disabling the A interface I can ping using the wan interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the cause of this strange behavior. In my SDWAN configuration I need to inform the priority of the link I want to test. Currently my two links have the same priority. If I want to test using the 'wan' interface I need to put more priority on this link, if I want to test using the 'A' port I need to put more priority on the 'A' interface link.
It would be better if, when using the command 'execute ping-options source 138.99.23.193', these priority issues should be ignored and fortigate should use the IP/GATEWAY configurations referring to the interface that has IP 138.99.23.193.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
7,227 -
FortiClient
1,427 -
5.2
801 -
5.4
639 -
FortiManager
626 -
FortiAnalyzer
465 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
130 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiSandbox
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
NAT
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
Virtual IP
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
Zone
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1089 | |
| 892 | |
| 535 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.