Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ncaridi
New Contributor

unable to ping some hosts

Dear Experts , 

I have two sites connected , FGT-60C and FGT-90D via IPSEC. 

I have a strage issue with some hosts on my network . 

host A (10.10.110.169, FGT-60C) pings host B over IPSEC (FGT-90D) and I get response 

when I'm trying to do the same and ping from host B to host A I get timeouts. 

I tried the following : 

1. make sure I have a ping from FGT-60C to host A : 

PING 10.10.110.169 (10.10.110.169): 56 data bytes
64 bytes from 10.10.110.169: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 10.10.110.169: icmp_seq=1 ttl=64 time=1.0 ms

that worked fine . 

then I tried to sniff this is what i get for host A pinging from ipsec network 

diagnose sniffer packet any "host 10.10.110.169" 4
interfaces=[any]
filters=[host 10.10.110.169]
15.108871 IPSEC-Phones in 10.10.9.149 -> 10.10.110.169: icmp: echo request
15.109169 internal3 out 10.10.9.149 -> 10.10.110.169: icmp: echo request
19.203494 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203494 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203675 internal3 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
 

so I see the request but I see no reply from host B.

when I try another host on the network I see the following : 

diagnose sniffer packet any "host 10.10.110.50" 4
interfaces=[any]
filters=[host 10.10.110.50]
1.295465 internal1 in arp who-has 10.10.110.80 tell 10.10.110.50
1.295465 PhonesSwitch in arp who-has 10.10.110.80 tell 10.10.110.50
1.295581 internal3 in arp who-has 10.10.110.80 tell 10.10.110.50
12.704045 internal1 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704045 PhonesSwitch in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704252 internal3 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
15.914114 IPSEC-Phones in 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914434 internal3 out 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914941 internal3 in 10.10.110.50 -> 10.10.9.149: icmp: echo reply
15.915102 IPSEC-Phones out 10.10.110.50 -> 10.10.9.149: icmp: echo reply

 

I've also added a Any->Any policy to make sure nothing gets blocked. 

 

 

Any help about how to go about troubleshooting this is much appreciated .

 

Thank you 

 

2 REPLIES 2
ede_pfau
SuperUser
SuperUser

So, 10.10.9.149 is on LAN B, right? You didn't show the sniff from the successful ping.

The packet leaves on physical port 'internal3' but there is no reply.

This can be due to many reasons. Are you sure host .110.169 will respond to pings (local software firewall?). Can you ping this host from it's local FGT (CLI)?

Another reason would be wrong routing on this host. It's gateway must be the local FGT. But, in this case you would see replies if sniffing on interface 'any', namely packets leaving the WAN interface. Except for if the host had NO gateway at all.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
ncaridi

*host 10.10.110.169 has gw defined properly 10.10.110.1 FGT 60D local address. 

*host 10.10.110.169 can ping LAB B.

 

I can ping successfully locally from FGT 60D:

first code section on my original post was the ping from the fw.

here is the sniff : 

 

 

 

 

diagnose sniffer packet any "host 10.10.110.169"
interfaces=[any]
filters=[host 10.10.110.169]
2.713177 10.10.110.1 -> 10.10.110.169: icmp: echo request
2.713772 10.10.110.169 -> 10.10.110.1: icmp: echo reply
3.712383 10.10.110.1 -> 10.10.110.169: icmp: echo request
3.712955 10.10.110.169 -> 10.10.110.1: icmp: echo reply
4.712366 10.10.110.1 -> 10.10.110.169: icmp: echo request
4.712942 10.10.110.169 -> 10.10.110.1: icmp: echo reply
5.712397 10.10.110.1 -> 10.10.110.169: icmp: echo request
5.712975 10.10.110.169 -> 10.10.110.1: icmp: echo reply
6.402286 10.10.10.212.63773 -> 10.10.110.169.161: udp 80
6.402480 10.10.10.212.63773 -> 10.10.110.169.161: udp 80
6.712364 10.10.110.1 -> 10.10.110.169: icmp: echo request
6.712943 10.10.110.169 -> 10.10.110.1: icmp: echo reply

 

 

 

 

routing is on the entire subnet so I think it should be ok . 

 

 

 

 

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

 

 

 

S* 0.0.0.0/0 [5/0] via ***, ppp2
[5/0] via  ***, ppp1
S 10.10.8.0/22 [10/0] is directly connected, IPSEC-Phones
S 10.10.85.0/24 [10/0] is directly connected, IPSEC- ***
S 10.10.100.0/24 [10/0] is directly connected, IPSEC- ***
C 10.10.108.0/22 is directly connected, internal3
C 10.10.112.0/24 is directly connected, dmz
C 10.10.114.0/24 is directly connected, PhonesVlan
C  ***/32 is directly connected, ppp1
C  ***/32 is directly connected, ppp2
C  ***/32 is directly connected, ppp2
C  ***/32 is directly connected, ppp1

 

 

 

 

Thanks. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors