Support Forum
khalilbouzaiene1

I am experiencing a loss of ICMP sessions when I attempt to ping through the IPsec tunnel.

hello guys 

I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.

 

topologie.png

Then the tunnel works, but not perfectly: it can ping just from the LAN interface to the other LAN interface (and vice versa) (example: a ping from 192.168.1.1 to 10.0.0.1 works, but if we want to ping from one host to the other host, the ping has an issue).
After some time of troubleshooting I found out that the ICMP session is lost on every ICMP request.
debug1.png
debug2.png
debug3.png

So guys, what is the solution for this problem, please?

khalilbouzaiene1

Okay, now we are on FW-B and I try to ping the host in the LAN, and this is the result:

FW-B # execute ping-options source 10.0.0.1

FW-B # execute ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=128 time=1.1 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=128 time=0.9 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=128 time=0.8 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=128 time=0.8 ms

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms





And, as I said before, if we want to ping from FW-B to the host in the other LAN, the ping does not work:

FW-B # execute ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes

--- 192.168.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Muhammad_Haiqal

There are some possibilities I can see:

 

1. FW-A did not route 10.0.0.2 to FW-B. Check active routing on FW-A.

2. FW-B policy blocks traffic to 10.0.0.2.

 

The best way to verify if traffic is sent/received correctly is by sniffer (run on both FW-A and FW-B and do the ping test):
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...

haiqal
khalilbouzaiene1

So this snapshot shows us the packets that arrived at FW-A when I ping from the host 192.168.1.2 to the host 10.0.0.2:

snif.png
And this snapshot shows us the packets that arrived at FW-B when I try to ping from the host 10.0.0.2 to the host 192.168.1.2:

snif2.png
In these snapshots I see only one thing that may be the problem,
which is that the ICMP session is always renewed.

Muhammad_Haiqal

Hi @khalilbouzaiene1 

Thank you for the debug result.
Please focus on one-way traffic first.

Ping from  192.168.1.2 to FW-B 10.0.0.2

When you run the sniffer, is the ping received on FW-B?
diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0
(run this on FW-A and FW-B, then do the ping test)

I can see interesting output: "ret-no-match".
I am suspecting a routing issue.

haiqal
khalilbouzaiene1

Hello @Muhammad_Haiqal,
okay, for your test I wrote the command "diag sniffer packet any 'host 10.0.0.2 and icmp' 4 0" in the terminal of the two FortiGates, and
on FortiGate A I have packets, but on FortiGate B nothing happens; I don't receive any packet.

So with this result, do you think that I have a routing problem?

Muhammad_Haiqal

Hi @khalilbouzaiene1 ,

Yes, very likely a routing issue.
FGT-A seems to never send the traffic to FGT-B.

Based on the sniffer, you should see IN and OUT.
From there, you can identify whether traffic from FGT-A left via the correct outbound interface or not.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Issue/ta-p/195727?cmd=displa...

First, fix FGT-A. Make sure it sends to the correct outbound interface (the tunnel to FGT-B).
Once traffic is received on FGT-B, then troubleshoot on FGT-B.
haiqal
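The two replies above boil down to one check: on FW-A, run the sniffer at verbosity 4 and confirm that each echo request seen "in" on the LAN interface is also seen "out" on the tunnel interface, not on some other interface or not at all. The following script is an added example, not code from the thread or from Fortinet: it parses the one-line-per-packet format of `diag sniffer packet any '<filter>' 4 0` (timestamp, interface, in/out, src -> dst, protocol summary, as I recall the format) and reports which of the three situations applies. The capture lines, the LAN interface name `port2` and the tunnel interface name `to-FW-B` are constructed for the example.

```python
"""Classify FortiGate 'diag sniffer packet ... 4 0' output for one ping path.

Verbosity-4 output, as assumed here, has one packet per line:
    <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo request
Header lines such as 'interfaces=[any]' and 'filters=[...]' are skipped.
"""
import re

# Constructed sample (not a real capture): echo requests arrive on the LAN
# interface port2 of FW-A but are sent out of wan1 instead of the tunnel.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 10.0.0.2 and icmp]
1.001234 port2 in 192.168.1.2 -> 10.0.0.2: icmp: echo request
1.001260 wan1 out 192.168.1.2 -> 10.0.0.2: icmp: echo request
2.001301 port2 in 192.168.1.2 -> 10.0.0.2: icmp: echo request
2.001322 wan1 out 192.168.1.2 -> 10.0.0.2: icmp: echo request
3.002345 port2 in 192.168.1.2 -> 10.0.0.2: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+"
    r"(?P<kind>echo request|echo reply)$"
)


def parse_sniffer(text):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            packets.append(pkt)
    return packets


def check_path(packets, src, dst, expected_out_iface):
    """Count how echo requests from src to dst traverse this firewall.

    seen_in        - requests that arrived on any interface
    seen_out_ok    - requests that left on expected_out_iface
    seen_out_wrong - requests that left on some other interface
    out_ifaces     - the set of interfaces actually used for 'out'
    """
    result = {"seen_in": 0, "seen_out_ok": 0, "seen_out_wrong": 0,
              "out_ifaces": set()}
    for p in packets:
        if p["kind"] != "echo request" or p["src"] != src or p["dst"] != dst:
            continue
        if p["dir"] == "in":
            result["seen_in"] += 1
        else:
            result["out_ifaces"].add(p["iface"])
            if p["iface"] == expected_out_iface:
                result["seen_out_ok"] += 1
            else:
                result["seen_out_wrong"] += 1
    return result


def diagnose(result):
    """Map the counts to the next troubleshooting step suggested in the thread."""
    if result["seen_in"] == 0:
        return "no echo requests reached this firewall: check the host and LAN side"
    if result["seen_out_ok"] == 0 and result["seen_out_wrong"] == 0:
        return "requests arrive but never leave: check policy (drop) or routing (no route)"
    if result["seen_out_wrong"]:
        return ("requests leave on %s instead of the tunnel: check the route "
                "for the remote LAN" % ",".join(sorted(result["out_ifaces"])))
    return "requests leave on the tunnel interface: troubleshoot the remote firewall next"


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_CAPTURE)
    verdict = check_path(pkts, "192.168.1.2", "10.0.0.2", "to-FW-B")
    print(verdict)
    print(diagnose(verdict))
```

Paste the real sniffer output in place of `SAMPLE_CAPTURE` and set `expected_out_iface` to the name of the IPsec tunnel interface on FW-A. If every request is counted only under `seen_in`, the firewall is dropping or not routing the packet; if requests leave on a non-tunnel interface, the route for the remote LAN is the first thing to fix, which is exactly the order Muhammad_Haiqal recommends.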
khalilbouzaiene1

@Muhammad_Haiqal
I don't understand one thing, which is why, when I ping from 192.168.1.1 to 10.0.0.1, the ping works,
but when I try to ping from 192.168.1.2 to 10.0.0.2 (hosts) the ping doesn't work.
If there is any routing issue, the ping from 192.168.1.1 to 10.0.0.1 will not work!!
But it works, so what do you think?!

smaruvala

Hi,
- Can you share your routing table?

- You can try to take a sniffer capture of the ESP packets that are exchanged between the 2 devices, using the gateway IP in the filter. When pinging, you can set the ping size to 1000 bytes to compare the packets coming to the firewall with the encrypted packets going out.


Regards,

Shiva

khalilbouzaiene1

Hello @smaruvala,
okay, the routing table of FW-A:
rout1.png

and the routing table of FW-B:
rout2.png

khalilbouzaiene1

I don't understand what you mean by your test!

Do you mean I try to ping between the 2 FGT LAN interfaces and sniff the packets?
