Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- strange issue: ping over tunnel is only replied tw...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strange issue: ping over tunnel is only replied two times. No communication possible.
Hi,
I prepared a test lab, and found a strange issue. The scenario is simple and as followed: FW-X <Tunnel> FW-Y root <vlink> FW-Y custom VDOM After implementing a basic configuration, if I execute a ping, sourced from FW-X Loopback interface, destined to the VLink IP on the FW-X custom VDOM IP-address, there will always only two pings be replied. IP address schema: FW-X Loopback 10.1.67.101/32 ping source
Tunnel FW-X <> FW-Y 10.1.64.128/30 FW-Y vlink root 10.1.64.1/30 FW-Y vlink vdom 10.1.64.2/30 ping destination If I exec the ping to the roots vlink side (.64.1), the ping works fine, but not to the custom VDOMs address (.64.2). Even if I ping to a Loopback destined on the destination VDOM, the ping is only replied two times. FW-X (source) FW-X # execute ping-options source 10.1.67.101 FW-X # execute ping 10.1.64.2 FW-X # diagnose sniffer packet any icmp 4 interfaces=[any] filters=[icmp] 2.721381 TU_FW-X_GL out 10.1.67.101 -> 10.1.64.2: icmp: echo request 2.721736 TU_FW-X_GL in 10.1.64.2 -> 10.1.67.101: icmp: echo reply 3.739325 TU_FW-X_GL out 10.1.67.101 -> 10.1.64.2: icmp: echo request 3.739621 TU_FW-X_GL in 10.1.64.2 -> 10.1.67.101: icmp: echo reply 4.749321 TU_FW-X_GL out 10.1.67.101 -> 10.1.64.2: icmp: echo request <- !!!! 5.759319 TU_FW-X_GL out 10.1.67.101 -> 10.1.64.2: icmp: echo request <- !!!! 6.769300 TU_FW-X_GL out 10.1.67.101 -> 10.1.64.2: icmp: echo request <- !!!! ^C FW-X # execute traceroute-options source 10.1.67.101 FW-X # execute traceroute 10.1.64.2 traceroute to 10.1.64.2 (10.1.64.2), 32 hops max, 3 probe packets per hop, 72 byte packets 1 10.1.64.129 0.333 ms 0.451 ms 0.135 ms <- Tunnel IP on FW-X root side 2 10.1.64.2 0.272 ms 0.343 ms * FW-Y root (intermediate hop) FW-Y (root) # diagnose sniffer packet TU_FW-Y_GL icmp 4 interfaces=[TU_FW-Y_GL] filters=[icmp] 4.895695 TU_FW-Y_GL -- 10.1.67.101 -> 10.1.64.2: icmp: echo request 4.895916 TU_FW-Y_GL -- 10.1.64.2 -> 10.1.67.101: icmp: echo reply 5.913637 TU_FW-Y_GL -- 10.1.67.101 -> 10.1.64.2: icmp: echo request 5.913803 TU_FW-Y_GL -- 10.1.64.2 -> 10.1.67.101: icmp: echo reply ^C FW-Y VDOM (destination) FW-Y (custom) # diag sniffer packet npu0_vlink1 icmp 4 interfaces=[npu0_vlink1] filters=[icmp] 10.895799 npu0_vlink1 -- 10.1.67.101 -> 10.1.64.2: icmp: echo request 10.895881 npu0_vlink1 -- 10.1.64.2 -> 10.1.67.101: icmp: echo reply 11.913708 npu0_vlink1 -- 10.1.67.101 -> 10.1.64.2: icmp: echo request 11.913755 npu0_vlink1 -- 10.1.64.2 -> 10.1.67.101: icmp: echo reply ^C The sniffer output shows the generated request packets on FW-X, but already on the next-hop FW-Y root, on the end of the tunnel, they do not appear.
Routing can not be an issue, otherwise no packet would be replied. The traceroute is ok. The only strange issue is, that the connected tunnel appears two times in the routing table. But that is the same outgoing interface, that is used for the working destination.
[size="2"]S 10.1.64.0/30 [10/0] via 10.1.64.129, TU_FW-X_GL <- route to ping destination[/size] [size="2"]C 10.1.64.128/30 is directly connected, TU_FW-X_GL[/size] [size="2"] is directly connected, TU_FW-X_GL[size="2"] [size="2"]<- duplicate entry !?[/size][/size][/size] [size="2"]S 10.1.67.1/32 [10/0] via 10.1.64.129, TU_FW-X_GL[/size] [size="2"]S 10.1.67.2/32 [10/0] via 10.1.64.129, TU_FW-X_GL[/size] C 10.1.67.101/32 is directly connected, LOOPBACK [size="2"]S 172.16.1.11/32 [10/0] via 172.16.2.1, wan1[/size] C 172.16.2.0/24 is directly connected, wan1
All policies are set to any/any all/all/ALL. Tunnel Phase 2 ist set to 0.0.0.0/0. Dial-up tunnel on FW-Y.
The same issue appears in the opposite direction, when ping is sourced from FW-Y custom vdom. All five request arrive on FW-X, five replies will be generated, but only two will appear on the tunnel end. Even other communication will not work, e.g. I cannot start an SSH session over that path.
Lab was completely new rebuild from factory setting, with the same results.
Hard/software: FWF60E, v5.6.5 build1600 (GA) Any Ideas? Many thanks in advance. best regards Hakan
Labels:
- Labels:
-
5.6
0 REPLIES 0
Labels
-
FortiGate
10,542 -
FortiClient
2,142 -
FortiManager
888 -
5.2
687 -
FortiAnalyzer
676 -
5.4
638 -
FortiSwitch
581 -
FortiAP
559 -
FortiClient EMS
555 -
IPsec
417 -
6.0
416 -
SSL-VPN
374 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
170 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
FortiGate-VM
129 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
Routing
75 -
ZTNA
75 -
SAML
71 -
DNS
71 -
Fortivoice
70 -
VLAN
70 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
API
25 -
SSID
25 -
Static route
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiDeceptor
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2568 | |
| 1362 | |
| 796 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.