Where ping only tells you if the signal reached its destination and returned successfully, traceroute shows each step of its journey to its destination and how long each step takes. If the route is broken when it reaches the FortiWeb appliance, first examine its network interfaces and routes. Copyright 2023 Fortinet, Inc. All Rights Reserved. Timestamp: Fri Apr 12 11:08:56 2019, used inbandwidth: 2452bps, used outbandwidth: 2566bps, used bibandwidth: 5018bps, tx bytes: 7275bytes, rx bytes: 7926bytes. If there is no traffic flowing from the FortiWeb appliance, it may be a hardware problem. FortiWeb stores its firmware (operating system) and configuration files in a flash disk, but most models of FortiWeb also have an internal hard disk or RAID that is used to store non-configuration/firmware data such as logs, reports, auto-learning data, and web site backups for anti-defacement. The priority mode service rule members link status changes: 1: date=2019-03-23 time=17:33:23 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1553387603 logdesc=Virtual WAN Link status msg=Service2() prioritized by packet-loss will be redirected in seq-num order 1(R150) 2 (R160).. Can the boot loader read the image of the OS software in the selected boot partition (primary or backup/secondary, depending on your selection in the boot loader)? After the boot loader starts, you should see this prompt: Press [enter] key for disk integrity verification. It should be quite easy to solve. Edited on Thanks for contributing an answer to Stack Overflow! Typically a value of <1ms indicates a local router. Attempt to connect through the FortiWeb appliance, from a client to a protected web server, via HTTP and/or HTTPS. If you run a test attack from a browser aimed at your web site, does it show up in the attack log? FGT # diagnose sys virtual-wan-link member, Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 0. In the row for the network interface which you want to respond to ICMP type 8 (ECHO_REQUEST) for ping and UDP for traceroute, click Edit. Created on The network interface and administrator accounts must be configured to allow your connection and login attempt (see Configuring the network settings and Trusted Host #1). Timestamp: Fri Apr 12 11:09:26 2019, used inbandwidth: 2450bps, used outbandwidth: 3457bps, used bibandwidth: 5907bps, tx bytes: 22468bytes, rx bytes: 17107bytes. 01:13 AM, Is there some device in between the server and FortiGate? See Debugging the packet processing flow and Regular expression performance tips. Created on Ping to the server from another CLI , and check the packets captured. we have FortiGate 100E (V6.0.10) with two type of internet connection. 100% packet loss indicates that the host is not reachable. If a full disk is not the problem, examine the configuration to determine if an administrator has disabled those features that store data. Timestamp: Fri Apr 12 11:08:46 2019, used inbandwidth: 1761bps, used outbandwidth: 1710bps, used bibandwidth: 3471bps, tx bytes: 2998bytes, rx bytes: 3996bytes. If the command is not found, you can either enter the full path to the executable or add its path to your shell environment variables. Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP and responding to it. If you do not supply a packet count, output will continue until you terminate the command with Control-C. For more information on options, enter man ping. 02:36 AM, i am having the same issue i have changed my wan public ip address as ISP requested to 91.X.X.X and when pinging 8.8.8.8 i am receiving sendto failed error also no internet connection .. when reverting back to the old IP 194.X.X.X every thing is working and internet is back and able to ping 8.8.8.8. any clue what to do and how to solve that? What does and doesn't count as "mitigating" a time oracle's curse? Thus a different IP address and administrative access settings can be configured for this interface independently. Copyright 2023 Fortinet, Inc. All Rights Reserved. It was working for 3 days well and now having both interfaces active all navigation falls, publication (virtualip) I have to turn off the wan2 and at least it resets with 1 interface. You can save time and effort during the troubleshooting process by checking if other FortiWeb administrators experienced a similar problem before. Use the CLI to view the per-CPU/core process load level and a list of the most system-intensive processes. On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. The funny thing is that having the 2 interfaces active I want to ping from wan2 to 8.8.8.8 and I have the error "sent to failed", maybe any ideas? The Forums are a place to find answers on a range of Fortinet products from peers and product experts. If you are not sure which cipher suites are currently supported, you can use SSL tools such as OpenSSL to discover support. Hello, Introduction Before you begin What's new Log Types and Subtypes Type Can I change which outlet on a circuit has the GFCI reset switch? 5. We have a big 1800F FortiGate Cluster running as a multi tenant firewall for some business customers. You can also use this command to verify that resource exhaustion is not the problem: The process system usage statistics continues to refresh and display in the CLI until you press q (quit). If you recently upgraded the firmware, try downgrading by restoring the previously installed, last known good, version. we have FortiGate 100E (V6.0.10) with two type of internet connection. See Enable Single Admin User login. If yes, verify your terminal emulators settings are correct for your hardware. This site uses Akismet to reduce spam. This is actually by design or expected in A-P scenario. Created on The funny thing is that having the 2 interfaces active I want to ping from wan2 to 8.8.8.8 and I have the error "sent to failed", maybe any ideas? 02:36 AM, i am having the same issue i have changed my wan public ip address as ISP requested to 91.X.X.X and when pinging 8.8.8.8 i am receiving sendto failed error also no internet connection .. when reverting back to the old IP 194.X.X.X every thing is working and internet is back and able to ping 8.8.8.8. any clue what to do and how to solve that? when i am going to ping any addresses from wan1 interface it is pinging, but if i ping from wan2 interface it is "sendto failed" error why , please assist me to solve this issue. 02:15 AM, Created on Enter ping 10.11.101.100 to ping the default internal interface of the FortiGate with four packets. 01-07-2021 Disable IPv6 for the moment, so the build does not remain "failed" for weeks. 05-06-2015 (That is, routing/IP-based forwarding is disabled.) The sendto() failed (Message too long) message can be an indication of a genuine configuration problem and all components along the network path must be thoroughly checked. /dev/sda1: clean, 56/61054976 files, 3885759/244190638 blocks. 100% packet loss and Destination Host Unreachable indicates that the host is not reachable. If the computer cannot reach the destination via ICMP, if you specified a wait and packet count rather than having the command wait for your Control-C, output similar to the following appears: PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. <file-name> Enter the file name on the TFTP server. 100% packet loss and Timeout indicates that the host is not reachable. SNMP OID for logs that failed to send. In this example R150 changes to better than R160, and both are still alive: When SD-WAN member fails the health-check, it will stop forwarding traffic: When SD-WAN member passes the health-check again, it will resume forwarding logs: When load-balance mode service rules SLA qualified member changes. Using errno I found 'Address family not supported by protocol'' . Route: (10.100.1.2->10.100.2.22 ping-down), 32: date=2019-03-23 time=17:26:54 logid=0100022921 type=event subtype=system level=critical vd=root eventtime=1553387214 logdesc=Routing information changed name=test interface=R150 status=up msg=Static route on interface R150 may be added by health-check test. df-bit Set DF bit in IP header <yes | no>. Basically both ends need a connected route to each other. The nature of this deployment style is to listen only, except to reset the TCP connection if, If your web servers are required to comply with, To prevent file system corruption in the future, and to prevent possible physical damage, always make sure to shut down, the Release Notes provided with your firmware, Is there a server policy applied to the web server or servers. Groups are part of authentication policies. . Anonymous, DescriptionWhen performing ping test through FortiGate slave unit, it is observed that the ping failed, and debug flow is printing the message 'local-out traffic, blocked by HA'.Solution1) When attempting to perform a ping test from the slave unit, the ping failed. To subscribe to this RSS feed, copy and paste this URL into your RSS reader. However, if the appliance does not respond, and there are no firewall policies that block it, ICMP type0 (ECHO_REPSPONSE) might be effectively disabled. If the connectivity test fails, continue to the next step. (If a host is alive but disconnected or slow to respond, you can't distinguish that from its being dead.) 06:04 AM FortiGate1 # execute ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1): 56 data bytes sendto failed sendto failed sendto failed sendto failed sendto failed--- 10.10.10.1 ping statistics ---5 packets transmitted, 0 packets received, 100% packet loss The handshake is between the client and the web server. If not, you may need to replace the hardware. fortigate sendto failedwhat does the purple devil emoji mean on grindr. The same thing happens to me, I have a 100E in 6.2.6 with a sdwan with wan1 and wan2. To check BGP learned routes and determine if they are used in SD-WAN service: FGT # get router info bgp network 10.100.11.0, BGP routing table entry for 10.100.10.0/24. In the background, FortiGate creates a hidden VDOM namedvsys_hamgmt. Are there developed countries where elected officials can easily terminate government workers? 01:45 PM When performing ping test through FortiGate slave unit, it is observed that the ping failed, and debug flow is printing the message 'local-out traffic, blocked by HA'. Or: dpinger WANGW x.x.x.x: sendto error: 55. If you are successful, the CLI will welcome you, and you can then enter the following commands to reset the admin accounts password: where is the password for the administrator account named admin. Authentication involves user groups, authentication rules and policy, inline protection policy, and finally, server policy. A few comments 1) don't cast the return value of malloc() et.al. to each individual cluster unit by reserving a management interface in the HA configuration. 08-19-2021 2) don't use exit (-1) 3) print diagnostic output to stderr, not stdout. 02:15 AM, Created on Hello, If the status is down (down arrow on red circle), click Bring Up next to it in the Status column. Does the hardware successfully complete the hardware power on self test (POST) and BIOS memory tests? This will prevent the login from timing out.). If the problem occurs while FortiWeb is still running (or after an initial reboot and attempt to repair the file system), in the CLI, enter: to display the number and names of mounted file systems. Go to ApplicationDelivery > Authentication and select the Authentication Rule tab to determine which rule contains the problem user group. #get router info routing-table all. If the profile is not part of the server policy, there is no access. The sendto function is used to write outgoing data on a socket. You can check the destination interface in FortiView in order to see which port the traffic is being forwarded to. Do peer-reviewers ignore details in complicated mathematical computations and theorems? Connect and share knowledge within a single location that is structured and easy to search. Pinging 10.10.10.2 with 32 bytes of data:Reply from 10.10.10.2: bytes=32 time=5ms TTL=255Reply from 10.10.10.2: bytes=32 time=3ms TTL=255Reply from 10.10.10.2: bytes=32 time=2ms TTL=255, Ping statistics for 10.10.10.2:Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),Approximate round trip times in milli-seconds:Minimum = 2ms, Maximum = 5ms, Average = 3ms, Pinging 10.10.10.3 with 32 bytes of data:Reply from 10.10.10.3: bytes=32 time=2ms TTL=255Reply from 10.10.10.3: bytes=32 time=1ms TTL=255Reply from 10.10.10.3: bytes=32 time=1ms TTL=255, Ping statistics for 10.10.10.3:Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),Approximate round trip times in milli-seconds:Minimum = 1ms, Maximum = 2ms, Average = 1ms. Options supported by the ping command vary from system to system. If restoring the firmware does not solve the problem, there could be a data or boot disk issue. 6. If your network administrators or other accounts reside on an external server (e.g. 02-17-2022 In FortiWeb, users and organized into groups. Created on You should still perform some basic software tests to ensure complete connectivity. If routing exists but authentication still fails, you can verify correct vendor-specific attributes and other protocol-specific fields by running a packet trace (see Packet capture). If a user is legitimately having an authentication policy, you need to find out where the problem lies. FGT # diagnose sys virtual-wan-link health-check Health Check(ping): Seq(1): state(alive), packet-loss(0.000%) latency(0.683), jitter(0.082) sla_map=0x0 Seq(2): state(dead), packet-loss(100.000%) sla_map=0x0. Under normal circumstances, you should see a new attack log entry in the Attack Log widget of the system dashboard. Load-balance mode service rules SLA qualified member changes: 2: date=2019-04-11 time=14:11:16 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1555017075926510687 logdesc=Virtual WAN Link status msg=Service1(rule2) will be load balanced among members 2(R160) with available routing. 3: date=2019-04-11 time=14:11:16 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1555017075926508676 logdesc=Virtual WAN Link status, interface=R150 msg=The member1(R150) SLA order changed from 1 to 2. 1. 34: date=2019-03-23 time=17:26:06 logid=0100022921 type=event subtype=system level=critical vd=root eventtime=1553387165 logdesc=Routing information changed name=test interface=R150 status=down msg=Static route on interface R150 may be removed by health-check test. If the computer can reach the destination, output similar to the following appears: Pinging 192.168.1.1 with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time=7ms TTL=253, Reply from 192.168.1.1: bytes=32 time=6ms TTL=253, Reply from 192.168.1.1: bytes=32 time=11ms TTL=253, Reply from 192.168.1.1: bytes=32 time=5ms TTL=253. Beyond basic existence of a possible route between the source and destination, ping tells you the amount of packet loss (if any), how long it takes the packet to make the round trip (latency), and the variation in that time from packet to packet (jitter). The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges. When not: the UINT32 will probably do fine for the time being. If the client is attempting to make an HTTPS connection, but the attempt fails after the connection has been initiated, during negotiation, the problem may be with SSL/TLS. The response has a timer that may expire, indicating that the destination is unreachable via ICMP. Ensure the network cables are properly plugged in to the interfaces on the. blind() + sendto() error, Sendto function return error - UDP socket on windows, sendto() incoherent behaviour on UDP socket, UDP socket: invalid argument error in sendto. This topic lists the SD-WAN related diagnose commands and related output. If the person has lost or forgotten his or her password, the admin account can reset other accounts passwords (see Changing an administrators password). To check the routing table in the CLI, enter: If you are attempting to connect to FortiWeb on a given network port, and the connection is expected to occur on a different port number, the attempt will fail. However, you can use the following command to enable IP-based forwarding (routing): {| }, To enable ping and traceroute responses from FortiWeb, To ping a device from a Microsoft Windows computer, To ping a device from a Linux or Mac OS X computer, Configuring virtual servers on your FortiWeb, Defining your proxies, clients, & X-headers, Supported features in each operation mode, Supported cipher suites & protocol versions, To connect to the CLI using a local console connection, In networks using features such as asymmetric, Connectivity via ICMP only proves that a route exists. [G]: Get firmware image from TFTP server. 01-07-2021 More information about the sendto-function here: Link The asterisks (*) indicate no response from that hop in the network routing. Power on self-test (POST) and other messages should begin to appear in the console. SD-WAN calculates a links session/bandwidth over/under its ratio and stops/resumes traffic: 3: date=2019-04-10 time=17:15:40 logid=0100022924 type=event subtype=system level=notice vd=root eventtime=1554941740185866628 logdesc=Virtual WAN Link volume status interface=R160 msg=The member(3) enters into conservative status with limited ablity to receive new sessions for too much traffic. l When SD-WAN calculates a links session/bandwidth according to its ratio and resumes forwarding traffic: 1: date=2019-04-10 time=17:20:39 logid=0100022924 type=event subtype=system level=notice vd=root eventtime=1554942040196041728 logdesc=Virtual WAN Link volume status interface=R160 msg=The member(3) resume normal status to receive new sessions for internal adjustment.. 2. Copyright 2023 Fortinet, Inc. All Rights Reserved. 1. If the appliance has a complete route to the destination, output similar to the following appears: traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets, 2 209.87.254.221 2 ms 2 ms 2 ms, 3 209.87.239.129 2 ms 1 ms 2 ms, 5 64.230.164.17 3 ms 3 ms 2 ms, 6 64.230.132.234 20 ms 20 ms 20 ms, 7 64.230.132.58 24 ms 21 ms 24 ms, 8 64.230.138.154 8 ms 9 ms 8 ms, 9 64.230.185.145 23 ms 23 ms 23 ms, 11 12.122.134.238 100 ms 12.123.10.130 101 ms 102 ms, 12 12.122.18.21 101 ms 100 ms 99 ms, 13 12.122.4.121 100 ms 98 ms 100 ms, 14 12.122.1.118 98 ms 98 ms 100 ms, 15 12.122.110.105 96 ms 96 ms 96 ms, 19 66.171.121.34 91 ms 89 ms 91 ms, 20 66.171.121.34 91 ms 91 ms 89 ms. Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the 3 response times from that hop. 3: date=2019-03-23 time=17:33:23 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1553387603 logdesc=Virtual WAN Link status interface=R150 msg=The member1(R150) link quality packet-loss order changed from 2 to 1. Fortiswitch_standalone-to-trunk port cisco. If you specify the destination using a domain name, the traceroute output can also indicate DNS problems, such as an inability to connect to a DNS server. The funny thing is that having the 2 interfaces active I want to ping from wan2 to 8.8.8.8 and I have the error "sent to failed", maybe any ideas? If someone has forgotten or lost his or her password, or if you need to change an accounts password, the admin administrator can reset the password. The code in the top of sender.c related to server_addr wasn't used -it was only local'. You can check the destination interface in FortiView in order to see which port the traffic is being forwarded to. The Forums are a place to find answers on a range of Fortinet products from peers and product experts. . Thanks! Created on Solution 1) When attempting to perform a ping test from the slave unit, the ping failed # execute ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1): 56 data bytes sendto failed sendto . Hello, Configure it to log all printable console output to a file so that you have a copy of the console's output messages in case you need to send it to Fortinet Technical Support. While FortiWeb is booting up, hardware and firmware components must be present and functional, or startup will fail. Thanks! What is the cause of this error and what should I change in the code in order to resolve it? 4: date=2019-04-11 time=14:11:16 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1555017075926507182 logdesc=Virtual WAN Link status interface=R160 msg=The member2(R160) SLA order changed from 2 to 1. 5. If the appliance can reach the host via ICMP, output similar to the following appears: PING 192.168.1.1 (192.168.1.1): 56 data bytes, 64 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=6.5 ms, 64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=7.4 ms, 64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=6.0 ms, 64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=5.5 ms, 64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=7.3 ms, 5 packets transmitted, 5 packets received, 0% packet loss. But Management PC is able to ping/access both FortiGate1 and FortiGate2 individually. traceroute sends ICMP packets to test each hop along the route. Go to, Examine attack history in the traffic log. For offline protection mode, it is usually normal if HTTP/HTTPS packets do not egress. l When no spillover occurs: Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 255, Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s Egress-overbps=0, ingress-overbps=0, Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 254. (If you have copied it, in PuTTY, you can right-click to quickly paste it, instead of typing it in. Resolution. what's the difference between "the killing machine" and "the machine that's killing". To display network interface addresses and subnets, enter the CLI command: To display all recently-used routes with their priorities, enter the CLI command: You may need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, misconfigured DNS records, and otherwise rule out problems at the physical, network, and transport layer. Contact Fortinet Technical Support: 6. Otherwise, if you terminate by pressing Control-C (^C), output similar to the following appears: From 172.20.120.2 icmp_seq=31 Destination Host Unreachable, From 172.20.120.2 icmp_seq=30 Destination Host Unreachable, From 172.20.120.2 icmp_seq=29 Destination Host Unreachable, 41 packets transmitted, 0 received, +9 errors, 100% packet loss, time 40108ms. If the routing test succeeds, continue with step 4.. During startup, after FortiWeb loads its boot loader, FortiWeb will attempt to mount its data disk. This may show processes that are consuming resources unusually. In this example R150 fails the SLA check, but is still alive: When the SLA mode service rules SLA qualified member changes. 4. The routing table is where the FortiWeb appliance caches recently used routes. In this example R160 changes to better than R150, and both are still alive: 6: date=2019-03-23 time=17:32:01 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1553387520 logdesc=Virtual WAN Link status msg=Service2() prioritized by packet-loss will be redirected in seq-num order 2(R160) 1 (R150).. set remote-ip 10.254..1/24. Asking for help, clarification, or responding to other answers. Otherwise, disable ICMP for improved security and performance. Once you locate an offending PID, you can terminate it: To determine if high load is frequently a problem, you can display the average load level by using these CLI commands: If the issue recurs, and corresponds with a signature or configuration change, you may need to optimize regular expressions to prevent the issue from recurring. 3. You mean you are pinging some host on the Internet from the Fortigate with source-address of the pings set once to wan1 and once to wan2? Introduction Before you begin What's new Log types and subtypes Type 08-19-2021 This would be the implicit-deny rule which is always at the bottom and blocks any network traffic that did not fit into one of the previous rules. To determine if one of FortiWebs internal disks may either: view the event log. Save my name, email, and website in this browser for the next time I comment. Created on policy in FG1 . 2: Seq_num(2), alive, sla(0x1), num of pass(1), selected Dst address: 10.100.21.0-10.100.21.255 l SLA mode service rules. Resolving the problem is going to involve contacting the OS vendor and working with them to produce the proper settings for your environment. The Forums are a place to find answers on a range of Fortinet products from peers and product experts. Edited on Symptoms may include error messages such as: Expected SSL/TLS behavior varies by SSL inspection vs. SSL offloading (see Offloading vs. inspection): SSL offloading Reverse proxy mode only (see Supported features in each operation mode). If you have previously registered the appliance to associate it with your Fortinet Technical Support account, you can also retrieve it from the web site. Go to System> Admin> Administrators. config system interface. The traceroute utility usually has an option to specify use of ICMP ECHO_REQUEST (type8) instead, as used by the Windows tracert utility. SD-WAN member is used in service and it fails the health-check: 6: date=2019-04-11 time=13:33:21 logid=0100022923 type=event subtype=system level=notice vd=root eventtime=1555014801844089814 logdesc=Virtual WAN Link status interface=R160 msg=The member2(R160) link is unreachable or miss threshold. I also found out that suggestion elsewhere after posting. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. To resolve the issue, perform the ping test from the master unit instead. 60 (Guitar). 01-07-2021 #diagnose sniffer packet <interface name> 'host 192.168.1.15' 4. USB auto-install new firmware and factory-reset. In the New Password and Confirm Password fields, type the new password. For a list of ports used by FortiWeb, see Appendix A: Port numbers. Created on FortiWeb appliances usually have multiple disks. The example below demonstrates a source-based load-balance between two SD-WAN members. [B]: Boot with backup firmware and set as default. Timestamp: Fri Apr 12 11:09:28 2019, vdom root, health-check ping, interface: R150, status: up, latency: 0.015, jitter: 0.003, packet loss: 15.000%. The solution to this would be as follows: For pinging/accessing the Management workstation from the FortiGates individually, there is a need to enter into the vsys_hamgmt VDOM context and then initiate the pings. On Apache, you would add !ADH to the SSLCipherSuite configuration line. [F]: Format boot device. Please try again in a few minutes. TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), linkcost-threshold(10), health-check(ping) Members: 1: Seq_num(2), alive, latency: 0.011, selected. If the source IP address is an odd number, it will . Why is water leaking from this hole under the sink? The example below demonstrates a source-based load-balance between two SD-WAN members. The IPv6 checks on AppVeyor for Windows remain. Most commonly, this is caused by either: For hardware replacement, contact Fortinet Customer Service: If you have supplied power, but the power indicator LEDs are not lit and the hardware has not started, the power supply may have failed. ICMP is part of Layer 3 on the OSI Networking Model. TOS(0x0/0x0), Protocol(0: 1->65535), Mode(auto), link-cost-factor(latency), link-costthreshold(10), health-check(ping) Members: 2: Seq_num(1), alive, latency: 0.018, selected Dst address: 10.100.21.0-10.100.21.255 l Priority mode service rules. we have FortiGate 100E (V6.0.10) with two type of internet connection. I typically use dial-up, so under the tunnel-interface on the spoke side you would have. single administrator mode may have been enabled. On your management computer, start a terminal emulator such as PuTTY. If the routing test succeeds, continue with step 4. Go to ApplicationDelivery > Authentication and select the Authentication Policy tab to locate the policy that contains the rule governing the problem user group.