[SOLVED] Unable to ping after upgrading M370 firebox with v12.6.3

I was able to ping from one of my remote sites to the M370 firewall (entire LAN 192.168.10.0/24) prior to my upgrade. With the upgrade I can only ping the gateway 192.168.10.1 and nothing beyond this. On the traffic side I see all BOVPN traffic being allowed when I ping, say, 192.168.10.200, but no response. I'm not sure what's going on, but this is really frustrating. Any help would be greatly appreciated. Static routes are configured on both ends and were working perfectly fine. Any advice?

Comments

  • Hi,

    Is 192.168.10.200 pingable from the local network?
    Why set up static routes manually? No need; they will be automatically created when setting up a BOVPN tunnel.

  • Hi Mada, yes, on the local network this particular IP is responding to ping. From 10.216.5.1, for example, I can reach the interface of the M370 and manage the firewall, but anything other than the gateway won't allow me to connect. On the traffic monitor everything is passing through; I can see allowed BOVPN traffic.

  • From 10.216.5.1 <--> 192.168.10.1 works fine and can manage M370 device but can reach anything behind 192.168.10.2 thru 253. From the M370 I can ping everything 10.216.5.0/24 no problems there. Just strange I suspect something with the SD-WAN as this is a new feature in the version of the Watchguard I upgraded to.

  • "but can NOT reach" anything behind 192.168.10.2 thru 253.

  • Did you check traffic logs on both devices? Are they on same fireware version?

  • Different devices on each end (remote is a Fortigate 60D, local an M370). Both devices are working perfectly fine, the WAN IP has not changed, and the configuration on the Fortigate has not been changed. The only thing was the upgrade to 12.6.3, and it uses SD-WAN. Everything looks good, just no traffic back to the Fortigate, such as ping responses.

  • Have you rekeyed the tunnel on the M370? Rekeyed/rebooted the Fortinet FW?

  • Make sure that you do not have an SD-WAN action selected for any incoming policy.

  • Bruce, thank you, and yes, it did turn out to be the SD-WAN on the policy. Since the policy was auto-generated during the creation of the VPN in an earlier version of the Fireware, the upgrade to 12.6.3 simply added SD-WAN, and the feature to switch or remove SD-WAN was disabled. I didn't think of recreating the policy without SD-WAN, and this was pointed out to me by Watchguard during a support call. Mada and Bruce, thank you very much for making this community so helpful... guys, have a wonderful day... the best to you both.
