pc can not ping firewall but firewall can ping PC


ok0047

We are using a Fortinet firewall, and the connection is like this: the PC is connected to a switch and the switch is connected to the firewall.

PC can ping switch
Switch can ping PC

Switch can ping firewall
firewall can ping switch

Firewall can ping PC
PC CAN NOT PING FIREWALL


Please help to resolve the issue. Getting the message as: for 1 packet it's "request timed out", for another packet it's "destination host unreachable".
 

Your Fortinet may be configured to block ICMP traffic, which means you pinging it doesn't work.

That is a somewhat common practice on high-end network security devices, since intruders can use ICMP (ping requests) to guess your network layout. For troubleshooting, the firewall doesn't block its own traffic.
 

Thank you very much for your quick response. I will go and check my FW settings
 

My initial reaction is that it is the firewall that is at fault. This is because you note that the firewall CAN ping the PC, which indicates that bi-directional communication is available, but going between the same two devices does not work when the communication is initiated from the PC. It sounds likely that the firewall is simply configured to not respond to a ping from the address of your PC.

Another possibility is that if you have a managed switch, and the PC and firewall are on 2 separate network segments, you could potentially have routing set up incorrectly on the switch.

Tell me more about the switch. Some things that I would like to know:

1) Is the switch a managed or unmanaged switch?

2) Are any V-LANs involved or is this a "flat" network where all devices have addresses in the same logical network?

3) If this is a managed switch, how are the ports for the PC and the firewall configured?

4) If this is not a flat single segment network, what are the IP addresses of each of the devices in question (the PC and the firewall) along with their associated subnet masks?
 

Garlin, only hole I see in that theory is that the firewall is pingable from the switch. So the firewall is at least responding to some pings.
 

Hi All

Kindly refer to the image below. The main problem is that pinging from 10.10.1.69 to 10.10.1.131 is not working. Both laptops can be pinged from the firewall but cannot ping each other.

[Attached image: dev to ldc issue 1.png]
 

Beyond this chart, I have no idea about your default gateways or routing tables. I'm presuming you're asking because one side of this diagram doesn't work?

| Device | Address | Subnet range |
|---|---|---|
| Fortinet | 10.10.1.129/28 | 10.10.1.128 - 10.10.1.143 |
| Switch | 10.10.1.78/28 | 10.10.1.64 - 10.10.1.79 |
| LAN | 10.10.1.69/28 | 10.10.1.64 - 10.10.1.79 |
| Switch | 10.10.1.132/28 | 10.10.1.128 - 10.10.1.143 |
| LAN | 10.10.1.131/28 | 10.10.1.128 - 10.10.1.143 |

UPDATE: I had to correct the last LAN in line #5, it was a duplicate of 10.10.1.69/28
 
PING WORKS FOR THE BELOW

10.10.1.69 TO 10.10.1.78
10.10.1.78 TO 10.10.1.69 , 10.10.1.129 , 10.10.1.132 , 10.10.1.131
10.10.1.129 TO 10.10.1.78 , 10.10.1.69 , 10.10.1.132 , 10.10.1.131
10.10.1.132 TO 10.10.1.78 , 10.10.1.129 , 10.10.1.78 , 10.10.1.131
10.10.1.132 TO 10.10.1.78 , 10.10.1.129 , 10.10.1.132

!!CAN NOT PING FOR THE BELOW!!

10.10.1.69 TO 10.10.1.129 , 10.10.1.132 , 10.10.1.131
 

LAN 10.10.1.69 has a default gateway problem. Everyone on the right side is on the same subnet, so no gateway is required.

Fortinet can route traffic downstream to switch 10.10.1.78, and that's on the same subnet as the left PC.

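| | 10.10.1.129 | 10.10.1.78 | 10.10.1.69 | 10.10.1.132 | 10.10.1.131 |
|---|---|---|---|---|---|
| 10.10.1.129 | N/A | | | | |
| 10.10.1.78 | | N/A | | | |
| 10.10.1.69 | | ✔ (same subnet) | N/A | | |
| 10.10.1.132 | | | | N/A | |
| 10.10.1.131 | | | | | N/A |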
 

Currently 10.10.1.69 has its default gateway as 10.10.1.65, but there is one more network adapter set on that PC which is within a different subnet.
 

To reiterate what Garlin is saying...

I see the problem. You are using a subnet mask of 255.255.255.240 (28 bits). This means that you have only 16 host addresses (14 usable). Your computers span multiple logical networks. Do you have routing properly configured for this scenario?

As an example, the machine that has an address of 10.10.1.69/28 can ONLY talk to IP addresses in the range of 10.10.1.65 to 10.0.1.78. Anything else outside of that range of addresses will require proper routing to be in place.

My suggestion:

Assuming that you have only a single internal network and that you have no need for multiple subnets internally, my suggestion would be to leave everything as is EXCEPT change the subnet mask to 255.255.255.0 (24 bit). By doing so, everything with a 10.10.1.x address will now be in the same subnet.

Please note that even if you do not want to make this change on a permanent basis, you could make this one change temporarily, and if suddenly all devices can communicate with each other then you know that I have correctly diagnosed the issue.
 

I can make this change but only for 10.10.1.69. I cannot do it for the others as they are all in the production environment. What do you think, will it work?
 

10.10.1.69 needs switch 10.10.1.78 for its default gateway, since your routing's been established this way.

This network layout reflects some poor VLAN or subnet design choices. Typically your gateway (Fortinet serves both as your internal router & firewall) shouldn't share the same subnet as its client networks. Does it work? Yes. But following this approach, you'll hide some flaws in the network layout, especially if the Fortinet needs to enforce traffic rules based on VLAN or subnet. Having the Fortinet and each switch on separate subnets (A, B, C) makes the traffic domains very clear.

Otherwise you will continue to have unexpected problems where 10.10.1.69 will behave differently from 10.10.1.131. And the reason won't be so obvious. You can't have the right side of the network more "favored" because it's on the same subnet, and have the left side be different. They should be treated as equally separate networks below the router.
 

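Added example, not posted by anyone in the thread: a Python check of the /28 reasoning above, including the proposed test of widening only 10.10.1.69 to /24 while the other devices stay on /28. The addresses and the 10.10.1.65 gateway come from the posts; the device labels (PC-L, Switch-L and so on) are assumed names for the left and right sides of the diagram.

```python
import ipaddress

# Addresses as posted in the thread; the device labels are assumptions.
HOSTS = {
    "Fortinet": "10.10.1.129/28",
    "Switch-L": "10.10.1.78/28",
    "PC-L":     "10.10.1.69/28",
    "Switch-R": "10.10.1.132/28",
    "PC-R":     "10.10.1.131/28",
}

def on_link(src_iface, dst_ip):
    """True if src treats dst as directly reachable (ARP, no gateway)."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_iface).network

def path(src_iface, dst_iface):
    """Classify a ping by how each end sees the other's address."""
    src_ip = str(ipaddress.ip_interface(src_iface).ip)
    dst_ip = str(ipaddress.ip_interface(dst_iface).ip)
    fwd = on_link(src_iface, dst_ip)   # echo request leaves src
    rev = on_link(dst_iface, src_ip)   # echo reply leaves dst
    if fwd and rev:
        return "direct"
    if not fwd and not rev:
        return "routed"       # both directions depend on a gateway/route
    return "asymmetric"       # one end ARPs, the other uses its gateway

def matrix(hosts):
    """Path class for every ordered (source, destination) pair."""
    return {(a, b): path(hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}

def gateway_owner(hosts, gateway_ip):
    """Name of the listed device that holds gateway_ip, or None."""
    gw = ipaddress.ip_address(gateway_ip)
    return next((n for n, i in hosts.items()
                 if ipaddress.ip_interface(i).ip == gw), None)

if __name__ == "__main__":
    for (a, b), kind in matrix(HOSTS).items():
        print(f"{a:9} -> {b:9} {kind}")
    # The test proposed in the thread: widen only 10.10.1.69 to /24.
    widened = dict(HOSTS, **{"PC-L": "10.10.1.69/24"})
    print("PC-L /24 -> Fortinet:", matrix(widened)[("PC-L", "Fortinet")])
    print("10.10.1.65 held by:", gateway_owner(HOSTS, "10.10.1.65"))
```

With only the PC widened to /24, it treats 10.10.1.129 as on-link while the Fortinet, still on /28, treats 10.10.1.69 as off-link, so the two directions take different paths.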
Hi Team,

Thanks all for your suggestions. After the troubleshooting, the latest update is as below. Please suggest a solution. Thank you all.




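| | 10.10.1.129 | 10.10.1.78 | 10.10.1.69 | 10.10.1.132 | 10.10.1.131 |
|---|---|---|---|---|---|
| 10.10.1.129 | | | | | |
| 10.10.1.78 | | | | | |
| 10.10.1.69 | | ✔ (same subnet) | | | |
| 10.10.1.132 | | | | | |
| 10.10.1.131 | | | | | |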
 

This proves my point, you ended up with weird routing problems.

Convert the Fortinet's intranet side to a different subnet. 10.x.x.x is a non-publicly routable space, so you're entirely free to create another 10.10.1.x address outside the range of both client /28's. Both client PCs would have default gateways thru their respective switches. And each switch is required to route to the Fortinet. The answer is not to keep layering weird routing hacks to get around the current topology. If this requires planned downtime for migration, then it still needs to be done right.
 
