Fortigate VPN working except for ping
If a site-to-site IPsec VPN on a Fortigate appears to be up and passing traffic, but ping (ICMP) is not flowing over the VPN, here is a solution.
One cause is a momentary VPN flap: if an ICMP packet arrives in the brief window while the IPsec tunnel is down, the Fortigate creates a new session via the routed (physical) interface instead. Even after the tunnel is re-established, that incorrect session persists on the physical interface rather than the tunnel interface, so subsequent pings keep matching the stale session.
To clear this erroneous session, run the following commands. Note that the first command (vd 2) is only required if you are using multiple Virtual Domains (VDOMs), and the number should correspond to the impacted VDOM. If you do not use VDOMs, skip to the 'proto' command (proto 1 is ICMP).
FORTIGATE (vdom) # diagnose system session filter vd 2
FORTIGATE (vdom) # diagnose system session filter proto 1
FORTIGATE (vdom) # diagnose system session filter
session filter:
vd: 2
sintf: any
dintf: any
proto: 1-1
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
FORTIGATE (vdom) # diagnose system session clear
FORTIGATE (vdom) #
Once you have cleared the sessions, you may need to restart the VPN tunnel. The next ICMP packet should then create a new session over the correct IPsec tunnel interface.
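As an added example (not part of the original post), a small Python script that takes the output of `diagnose sys session list` and flags the stale ICMP sessions described above, so you can see exactly what the `session clear` will remove. The dump layout and the meaning of an empty `tunnel=/` field are assumed from FortiOS session output, and the sample dump is constructed.

```python
"""Flag ICMP sessions that bypassed the IPsec tunnel in a FortiOS session dump:
proto=1, in the given VDOM, destined for the remote VPN subnet, but tunnel= empty."""
import ipaddress
import re

# Constructed sample of `diagnose sys session list` output (unused lines dropped).
# Session 1 is bound to IPsec tunnel "to_branch"; session 2 was created via the
# physical interface (tunnel=/) during a tunnel flap. Field layout is assumed.
SAMPLE_DUMP = """\
session info: proto=1 proto_state=00 duration=12 expire=48 timeout=0 use=3
ha_id=0 policy_dir=0 tunnel=/to_branch vlan_cos=0/255
hook=post dir=org act=noop 192.168.1.10:1->10.20.0.15:8(0.0.0.0:0)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=2
serial=0003a1f0 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 use=3
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=noop 192.168.1.10:1->10.20.0.15:8(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=2
serial=0003a1f1 tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
ORG_RE = re.compile(r"dir=org act=\w+ ([\d.]+):\d+->([\d.]+):\d+")

def parse_sessions(dump):
    """One dict per 'session info:' block, keeping only the fields we need."""
    sessions = []
    for block in dump.split("session info:")[1:]:
        f = dict(FIELD_RE.findall(block))
        m = ORG_RE.search(block)
        if m:  # skip blocks with no originating tuple
            sessions.append({
                "serial": f.get("serial", "?"), "proto": f.get("proto"),
                "vd": f.get("vd"), "policy_id": f.get("policy_id"),
                # tunnel=/ means no IPsec tunnel on either side (assumed format)
                "tunnel": f.get("tunnel", "").strip("/"),
                "src": m.group(1), "dst": m.group(2)})
    return sessions

def find_stale_icmp(dump, vdom, remote_subnet):
    """ICMP sessions in `vdom` towards `remote_subnet` that are not tunnel-bound."""
    net = ipaddress.ip_network(remote_subnet)
    return [s for s in parse_sessions(dump)
            if s["proto"] == "1" and s["vd"] == str(vdom)
            and not s["tunnel"] and ipaddress.ip_address(s["dst"]) in net]

if __name__ == "__main__":
    for s in find_stale_icmp(SAMPLE_DUMP, 2, "10.20.0.0/16"):
        print(f"stale ICMP session serial={s['serial']} {s['src']}->{s['dst']}"
              f" policy_id={s['policy_id']}")
```

Run it against a dump saved from the CLI before clearing; the VDOM number and remote subnet are the two values you supply.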