khalilbouzaiene1
Contributor

I am experiencing a loss of ICMP sessions when I attempt to ping through the IPsec tunnel.

Hello guys,

I have established a site-to-site (S2S) tunnel with two FortiGate firewalls, and this is my topology.

 

(attachment: topologie.png)

The tunnel works, but not perfectly: it can ping only from the LAN interface to the other LAN interface (and vice versa). Example: a ping from 192.168.1.1 to 10.0.0.1 works, but if we want to ping from one host to the other host, the ping fails.
After some time troubleshooting, I found out that the ICMP session is lost on every ICMP request.
(attachments: debug1.png, debug2.png, debug3.png)

So guys, what is the solution for this problem, please?

bpozdena_FTNT

A new session is allocated for each ICMP type 8 message because they all have a different identifier.

 

To fix this issue, change your ping application or its settings to ensure the ID remains the same. FortiGate will then consider them to be part of the same ICMP session.

 

Reference: Page 15 > https://datatracker.ietf.org/doc/html/rfc792

HTH,
Boris
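An added example (not from this thread, and not FortiGate's implementation) that models the session matching Boris describes: it builds constructed ICMP echo requests with the RFC 792 header layout (type, code, checksum, identifier, sequence) and keys a hypothetical session table on (source, destination, identifier), so a ping tool that changes the identifier on every request produces a new session each time, while a fixed identifier keeps one session.

```python
import struct

# Hypothetical model of stateful ICMP echo tracking: one session per
# (source, destination, identifier). Sequence numbers do not open new sessions.

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"fortiping") -> bytes:
    """Constructed ICMP echo request (type 8, code 0) with a given id/seq."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_echo(pkt: bytes):
    """Return (type, code, identifier, sequence); reject a corrupt checksum."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_checksum(pkt) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return icmp_type, code, ident, seq

def session_key(src: str, dst: str, pkt: bytes):
    """Key an echo request the way a stateful firewall might: identifier, not sequence."""
    icmp_type, _code, ident, _seq = parse_echo(pkt)
    if icmp_type != 8:
        raise ValueError("only echo requests are keyed in this model")
    return (src, dst, ident)

def count_sessions(src: str, dst: str, packets) -> int:
    """Number of distinct sessions a burst of echo requests would allocate."""
    return len({session_key(src, dst, p) for p in packets})

if __name__ == "__main__":
    fixed_id = [build_echo_request(0x1234, seq) for seq in range(5)]
    new_id_each_time = [build_echo_request(0x1000 + seq, seq) for seq in range(5)]
    print(count_sessions("192.168.1.10", "10.0.0.2", fixed_id))          # 1
    print(count_sessions("192.168.1.10", "10.0.0.2", new_id_each_time))  # 5
```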
khalilbouzaiene1

Hello,
How can I change my ping application?

 

srajeswaran

I think the issue is not with the ping application; creating a new session for each ICMP request is not the issue. It looks like there is no route. Can you enable source NAT on the policy from the tunnel towards your LAN/PC to eliminate the route issue? This is for testing; we can check further on routing if this source NAT fixes the issue.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

khalilbouzaiene1

Hello there,
I have enabled NAT in the policy, but there is no result either.
This time I am trying to create a custom tunnel.

srajeswaran

Can you collect the following from Fortinet2: diag sniffer packet any "host x.x.x.x" 10
(replace x.x.x.x with the IP of Win5)
and initiate a ping from Win4 towards Win5?

Regards,

Suraj


smaruvala
Staff

Hi,

 

- Have you tried to capture the ICMP packets on both sides? If yes, do you see whether you are missing any ICMP requests or replies?

- We should be able to see at least the cleartext ICMP request on the LAN interface captures in the firewall.

 

Regards,

Shiva

 

Muhammad_Haiqal

Hi @khalilbouzaiene1 ,

Based on this statement:
ping from 192.168.1.1 to 10.0.0.1 it works but if we want to ping from the to the other host the ping issue 

 

Can you tell me the findings that you had?
Example:
ping 192.168.1.1 to 10.0.0.1 - working
ping 192.168.1.1 to 10.0.0.30 - NOT working


I'm afraid this is something related to phase 2.
Please let me know the output.

ping 192.168.1.10 to 10.0.0.1 - working
ping 192.168.1.10 to 10.0.0.30 - NOT working

 

 

haiqal
khalilbouzaiene1

Hello my friend,
In our case, when I try to ping from the LAN interface 192.168.1.1 to 10.0.0.1 (these addresses are the LAN interfaces that are connected directly to the FortiGates; see the topology), I get this result:

FW-A # execute ping-options source 192.168.1.1

FW-A # execute ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=3.0 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=1.0 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=1.4 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=1.2 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=1.2 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.5/3.0 ms




And now, when I try to ping from 192.168.1.1 to the host on the LAN (10.0.0.2), not the interface:

FW-A # execute ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

And vice versa: if we try the same from the other LAN interface, we get the same result.
Do you think that this is related to the phase?

Muhammad_Haiqal

Hi @khalilbouzaiene1 

 

Thank you for the response.
It looks like anything behind the FortiGate peer is not reachable.

Please test this scenario:
On Fortigate2 (peer side), please ping 10.0.0.2.

We need to make sure that Fortigate2 itself is able to reach 10.0.0.2.
Otherwise, you need to fix Fortigate2 first. Maybe you have a routing issue.
Or 10.0.0.2 does not allow ping. You may disable the Windows firewall.

haiqal