Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ahmadhusain
New Contributor

Traceroute not showing hop

Dear all,

I'm facing a traceroute issue on the FortiGate.

When I try to traceroute from the Cisco router to the FortiGate, it's not showing the route from the router to the firewall.

The FG firewall is configured behind the router.

Everything is working fine; I can ping from the router, but when I traceroute it shows *****.

When I try from the computer, it shows me the hop count.

I also tried checking from the switch and I'm getting the same result as the router: not showing the route.

Please help.

Thanks

11 REPLIES
Nicholas_Doropoulos
Contributor

Is it the WAN interface of the firewall you cannot traceroute to? If yes, ensure that the "ping" box is enabled on the WAN interface in the GUI under Network > Interfaces. Alternatively, execute the following command on the CLI:

show system interface [relevant port]

If ping is not listed there, do the following:

config system interface
    edit [relevant port]
        set allowaccess ping [along with any other protocols already listed]
    next
end

I hope the above helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
ahmadhusain

Ping and the other services are allowed on the firewall.

I can ping the firewall; the only problem is with the traceroute.

Nicholas_Doropoulos

Do you traceroute by hostname or IP address?

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
ahmadhusain

By IP.

Nicholas_Doropoulos

Try tracerouting to the FGT from a different interface on your Cisco router and advise the results.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
ahmadhusain

Thanks for the reply.

I have only one interface on my router.

I have tried from the switch and I'm getting the same result:

*****

But from a device like a Windows OS I can trace the FG.

Nicholas_Doropoulos

Please provide the following information to investigate the issue further:

1) A diagram of your topology.

2) On the FortiGate's CLI, run the following command:

diagnose sniffer packet [interface you are trying to traceroute to] "(host <router's ip address> and host <fortigate's ip address>) and icmp" 4

At the same time, run traceroute on the Cisco router for at least 6 hops and advise the results.

3) What firewall policies do you have in place that match inbound traffic? Is logging enabled on them, and if so, what do the logs show?

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
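A way to read the sniffer output requested above, as an added example that is not part of the thread or of any Fortinet tool: it classifies which kind of traceroute probe each source host sent and whether the FortiGate answered it. This matters because Cisco IOS traceroute sends UDP datagrams to high ports (33434 and up) by default, while Windows tracert sends ICMP echo requests; the `allowaccess ping` setting from the earlier reply admits ICMP echo only, so it helps to see which probe type actually arrives. The capture lines below are constructed, the line layout (`<timestamp> <interface> <in|out> <src> -> <dst>: <protocol details>`) is an assumption about verbosity-4 output, and the filter is widened to include udp so both probe styles appear; addresses are placeholders.

```python
"""Classify traceroute probes seen in a FortiGate packet-sniffer capture (added example)."""
import re
from collections import defaultdict

# Constructed sample in the assumed layout of
#   diagnose sniffer packet port1 "host 192.0.2.254 and (icmp or udp)" 4
# 192.0.2.1 stands for the router, 192.0.2.10 for a Windows client,
# 192.0.2.254 for the FortiGate interface being traced to.
SAMPLE_CAPTURE = """\
1.001234 port1 in 192.0.2.1.49153 -> 192.0.2.254.33434: udp 12
1.001301 port1 in 192.0.2.1.49154 -> 192.0.2.254.33435: udp 12
1.001377 port1 in 192.0.2.1.49155 -> 192.0.2.254.33436: udp 12
4.202001 port1 in 192.0.2.10 -> 192.0.2.254: icmp: echo request
4.202088 port1 out 192.0.2.254 -> 192.0.2.10: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)

# Classic UDP traceroute probes start at 33434 and increment per probe.
TRACEROUTE_UDP_PORTS = range(33434, 33535)


def split_endpoint(endpoint):
    """'192.0.2.1.49153' -> ('192.0.2.1', 49153); a bare IPv4 address -> (ip, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_capture(text):
    """Turn sniffer lines into dicts; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        rest = m["rest"]
        proto = "udp" if rest.startswith("udp") else "icmp" if rest.startswith("icmp") else "other"
        packets.append({
            "dir": m["dir"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto, "detail": rest,
        })
    return packets


def classify_probes(packets, fortigate_ip):
    """Per source host: probe style seen and how many packets the FortiGate sent back."""
    report = defaultdict(lambda: {"probe": None, "probes": 0, "replies": 0})
    for p in packets:
        if p["dir"] == "in" and p["dst_ip"] == fortigate_ip:
            entry = report[p["src_ip"]]
            if p["proto"] == "udp" and p["dst_port"] in TRACEROUTE_UDP_PORTS:
                entry["probe"] = "udp-traceroute"   # Cisco IOS default probe
                entry["probes"] += 1
            elif p["proto"] == "icmp" and "echo request" in p["detail"]:
                entry["probe"] = "icmp-echo"        # Windows tracert / ping
                entry["probes"] += 1
        elif p["dir"] == "out" and p["src_ip"] == fortigate_ip and p["dst_ip"] in report:
            report[p["dst_ip"]]["replies"] += 1
    return dict(report)


def assess(report):
    """Reduce each host's entry to a short finding code."""
    findings = {}
    for src, e in report.items():
        if e["probes"] and e["replies"]:
            findings[src] = "answered"
        elif e["probe"] == "udp-traceroute":
            findings[src] = "udp-probes-unanswered"   # allowaccess ping does not cover UDP
        elif e["probe"] == "icmp-echo":
            findings[src] = "icmp-echo-unanswered"
        else:
            findings[src] = "no-probes-seen"
    return findings


if __name__ == "__main__":
    rep = classify_probes(parse_capture(SAMPLE_CAPTURE), "192.0.2.254")
    for host, code in assess(rep).items():
        print(f"{host}: {code} ({rep[host]['probes']} probes, {rep[host]['replies']} replies)")
```

With the constructed capture, the router's three UDP probes reach the interface and get nothing back, while the Windows client's ICMP echo is answered, which is the pattern the thread describes (stars from the router, hops from the PC). To use it on a real capture, paste the sniffer output into `SAMPLE_CAPTURE` or read it from a file and pass the traced interface's address to `classify_probes`.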
ahmadhusain
New Contributor

Thanks for your help.

My problem is that when I try to ping or traceroute from the router, it shows me a timeout from the remote site. But when I try from any client computer OS (Windows), it's working: both traceroute and ping from the remote site work. The only problem is with the router. Please help.

iqbshaik

It depends on the session. When there is no session from the source IP and you send the first trace packet through the FortiGate, it will show its hop in the tracert. In the subsequent traceroutes it will not show its IP in the trace until the session times out. Kill the session on the FortiGate and trace again, and you will see the hop in the trace again.
