If ping finds an outage between two points, you can use traceroute to locate exactly where the problem is. fail, drop". For this, some filters may be used to reduce the output; see the following example: The analysis of the output of this command is further detailed in the related article below (FortiGate Firewall session list information). 8974 - MESGID_SCAN_AV_ENGINE_LOAD_FAILED_ERROR 8975 - MESGID_SCAN_ARCHIVE_PARTIALLYCORRUPTED_WARNING 8976 - MESGID_SCAN_ARCHIVE_PARTIALLYCORRUPTED_NOTIF ... LOG_ID_SENDTO_FAIL 22011 - LOG_ID_ENTER_MEM_CONSERVE_MODE 22012 - LOG_ID_LEAVE_MEM_CONSERVE_MODE 22013 - … further below. 3.2 - The following is an example of debug flow output for traffic going into a policy-based IPsec tunnel. Also, the TTL setting may result in steps along the route timing out due to slow responses. failed, drop" - "Denied by forward policy check" - "reverse path check When sending traffic for any of the policies for that peer, it will use this same SA, regardless of the src/dest subnet. And my guess is the Fortigate doesn't want to "forget" about the old SPI, as if DPD is not working. I know that you have checked this (just like I did when I had a similar, but completely different intermittent problem), but make sure that you don't have a duplicate IP address that router A is sharing. In addition, their Fortigate is under change control so they don't want to do anything on their side. Enter exec traceroute fortinet.com to trace the route to the destination IP address. Immediately disable the newly created configuration. These values are in milliseconds and normally vary quite a bit.
FGT# diagnose sniffer packet any "host and host " 4
FGT# diagnose sniffer packet any "(host and host ) and icmp" 4
Including the ARP protocol in the filter may be useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and not responding to the FortiGate ARP requests):
FGT# diagnose sniffer packet any "host and host or arp" 4

I further speculate that the issue is caused by timing issues causing SPI mismatch. I would like to enable DPD on the other side but I cannot due to change control and also because the client is saying it's working on all the other sites with exactly the same configuration. This occurs because a route is programmed in the kernel for the ping server on this interface (see example further below).

Let's go over your setup since you presented mainly items and maybe confusion in all of it ;). Why it's working is still a mystery, but to further illustrate what we did I post another image inline. This would give you the intermittent problem when your high side router does an ARP lookup for router A and gets confused. offloading must be disabled. Summary: Step 1: Routing table check (in NAT mode). Step 2: Verify if services are open (if access to the FortiGate). Step 3: Sniffer trace. I speculate it's a timing problem whereby side A or side B tries to send information too aggressively making the negotiation of the information (e.g. Ping and traceroute can also tell you if your computer or network device has access to a domain name server (DNS). Alone, either tool can determine network connectivity between two points. It appears data from the remote side to us is not always flowing. PING 10.11.101.101 (10.11.101.101): 56 data bytes. We tried various things over time, such as rebooting, setting clocks, dabbling with configuration, rechecking and rechecking configuration, but it appears the problem is entirely random. Go to Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy (if applicable) and view the packet count column. They went to and from the primary a couple of times.

", id=20085 trace_id=1 msg="allocate a new session-00001cd3", id=20085 trace_id=1 msg="find a route: gw-192.168.56.230 via wan1", id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1", id=20085 trace_id=1 msg="encrypted, and send to 192.168.225.22 with source 192.168.56.226", id=20085 trace_id=1 msg="send to 192.168.56.230 via intf-wan1“, id=20085 trace_id=2 msg="vd-root received a packet (proto=1, 10.72.55.240:1-10.71.55.10:8) from internal. S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1                  [10/0] via 10.160.0.1, port2C       10.160.0.0/23 is directly connected, port2S       192.168.0.0/16 [10/0] via 192.168.183.254, port1C       192.168.182.0/23 is directly connected, port1, date=2009-01-26 time=05:44:07 devname=FGT60B3907500059 device_id=FGT60B3907500059 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="internal" ip=10.160.0.78 status=down msg="Ping peer: 10.160.0.2 is down". So just adding a duplicate router at the border and taking this router offline again made the original router work. The traceroute utility may also offer the option to select use of ICMP echo request (type 8) instead, which the Windows tracert utility uses. How to use local internet connection instead of the one provided by FortiClient? Both ping and traceroute verify connectivity between two points. I will mention all these settings to them. ", id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac", id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1", id=20085 trace_id=319 func=fw_forward_handler line=248 msg=, traffic is matching and  processed by Firewall Policy #2, id=20085 trace_id=1 msg="vd-root received a packet (proto=1, 10.72.55.240:1->10.71.55.10:8) from internal. As you may recall we have 6 MikroTik client IPsec end-point routers configured exactly the same connecting to one Fortigate server. 
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=2 msg="encrypted, and send to 192.168.225.22 with source 192.168.56.226"
id=20085 trace_id=2 msg="send to 192.168.56.230 via intf-wan1"
Other information messages are explained in the article "Troubleshooting Tip : debug flow messages "iprope_in_check() check
Copy Router A's IPsec configuration to a temporary router closer to the border of our network. There are no options for this command. The tunnels were perfectly happy after that. Again use the CLI command "get router info routing-table all" and inspect the route table.