
Unexplainable problem - unable to ping some hosts

Hello,

Setup: XG135W V18 build 354.

I noticed today that I cannot properly ping some hosts like 8.8.8.8, 8.8.4.4, and 1.1.1.1. I launch a CMD, I type "ping 8.8.8.8", the first answer is correct, and then the next 3 time out.

This ping is passing through my #1 firewall rule "LAN TO WAN GENERAL RULE" which allows my internal LAN to reach the internet. I don't know since when this problem has been occurring, but it's really weird because if I switch on packet capture in the firewall, the ping works well ???!!! what the f*ck ???

Here are some screenshots to explain that...

The ping fails after the 1st successful answer.

Then I switch on packet capture, and ping again while it's still ON, and BINGO, ping is working:

Then I switch off packet capture, and ping is not working again...

 

Another weird thing is that I monitor my customer's firewall and internet lines with ping and other services, which is allowed by a rule that sits above my #1 rule. This rule allows pinging those specific IPs, and if I ping those IPs manually, they are all working great...

The issue is only with the IPs that are not in the monitoring firewall rule.

The ping to 192.168.253.254, which is my ISP modem IP, has the same issue: 1st answer OK, 3 others time out. If I connect a computer to the ISP modem directly and ping 192.168.253.254, the ping is OK.


The issue was not present a few weeks ago...

If anyone has an idea...

 

Regards



  • FormerMember

    Hi Viken,

    This issue sounds like some problems on the LAN side, like duplicated IP address/wrong ARP on the firewall etc.

    You could try the steps below to check further:

    1. Check in the firewall's log viewer - switch to detailed view - search for your IP address and see if there is any blocking by a firewall rule or IPS rule
    2. On the XG firewall Advanced Shell, use this command to check the ARP table: arp -an. Check multiple times, when the ping is working and when it is not, and see if the ARP entry has the correct MAC address for your PC.
    3. While running a continuous ping (ping 1.1.1.1 -t), do a WireShark capture and a tcpdump capture on the XG firewall at the same time. Then retrieve the pcap file from the XG firewall and analyze the captures from the PC and the firewall with WireShark. Pay attention to the destination MAC address of the non-working ping requests.
    4. Test if the issue happens on another PC on the same LAN network
  •  Hi Captain,

    Thank you for your answer, I will test what you wrote and will let you know.

     

    But before that, let me add some more details:

    As I said, when I ping IP addresses which match another firewall rule that is higher up, the ping works well. Here are my firewall rules:

    And detailed view:

    Main firewall rule:

    and supervision rule: 

    As you can see, in my supervision rule, I have host groups, with public IP addresses inside, when I ping one of those IP addresses, it matches this rule.

     

    Now, a really weird thing about that :D -> If I add 8.8.8.8 or 8.8.4.4 or 1.1.1.1 to one of the host groups, the ping to those IPs is working again !!!!!! see:

     

    I tested that from different PCs on the network, from different VLANs, the issue is the same.
    If I ping directly from the "diagnostics" pane of the XG, with the Port3 interface, there is no problem.

    I'm starting to think that this is a problem with the v18 build 354 firmware. I'm about to downgrade to build 339 to see if the problem is present or not...

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Adding a tcpdump puts the interface into promiscuous mode (https://en.wikipedia.org/wiki/Promiscuous_mode).

    It could be a duplicated ARP, DHCP, or IP mapping within the network.

    In promiscuous mode, the interface will continue to talk to the current MAC. Therefore the ping will succeed. Without this mode, the XG will likely get different MACs or the switch will not interact anymore with the XG.


  • Ok thanks for your answer.


    But how can we explain that all the IP hosts which are in an IP host group which matches the #7 firewall rule (even if I place 8.8.8.8 or 8.8.4.4 or 1.1.1.1 inside) are working well with ping???

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Simply because XG will resolve the IP host groups differently, using its own cache.

    If you do not place the host in the group, it will not work, because XG will look it up freely on demand.

    If you place it into a host group, XG will create some sort of cache for those hosts, so it does not have to ask the switch all the time.

     

    There is something wrong in the network, I guess. That's my explanation for your issue.

     

    Maybe check the DoS settings on XG, if you have ARP Forging activated.


  • Ok thank you for your answer, I understand much better how it works now.

     

    Here is the output of arp -an done on the XG firewall:

    XG135w_XN03_SFOS 18.0.0 GA-Build354.HF042920# arp -an
    ? (192.168.10.14) at <incomplete> on Port1.10
    ? (192.168.10.135) at <incomplete> on Port1.10
    ? (192.168.10.48) at <incomplete> on Port1.10
    ? (192.168.10.169) at <incomplete> on Port1.10
    ? (192.168.10.34) at <incomplete> on Port1.10
    ? (10.16.16.9) at fc:15:b4:35:55:45 [ether] on Port1.30
    ? (192.168.10.91) at <incomplete> on Port1.10
    ? (192.168.10.212) at <incomplete> on Port1.10
    ? (192.168.10.77) at <incomplete> on Port1.10
    ? (192.168.10.198) at <incomplete> on Port1.10
    ? (172.16.16.3) at 00:d9:d1:f9:a2:1e [ether] on Port1.20
    ? (192.168.10.127) at <incomplete> on Port1.10
    ? (192.168.16.46) at 00:15:5d:10:04:37 [ether] on Port1
    ? (192.168.10.232) at <incomplete> on Port1.10
    ? (192.168.10.97) at <incomplete> on Port1.10
    ? (192.168.10.154) at <incomplete> on Port1.10
    ? (192.168.16.10) at 00:15:5d:10:05:5a [ether] on Port1
    ? (192.168.10.19) at <incomplete> on Port1.10
    ? (192.168.253.242) at <incomplete> on Port3
    ? (192.168.10.140) at <incomplete> on Port1.10
    ? (192.168.10.5) at <incomplete> on Port1.10
    ? (192.168.10.190) at <incomplete> on Port1.10
    ? (192.168.10.55) at <incomplete> on Port1.10
    ? (192.168.10.160) at <incomplete> on Port1.10
    ? (192.168.10.217) at <incomplete> on Port1.10
    ? (192.168.10.82) at <incomplete> on Port1.10
    ? (192.168.10.203) at <incomplete> on Port1.10
    ? (192.168.10.68) at <incomplete> on Port1.10
    ? (192.168.10.253) at 80:30:e0:6a:1e:c0 [ether] on Port1.10
    ? (192.168.10.118) at <incomplete> on Port1.10
    ? (192.168.10.239) at <incomplete> on Port1.10
    ? (192.168.10.24) at <incomplete> on Port1.10
    ? (192.168.10.145) at <incomplete> on Port1.10
    ? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
    ? (192.168.10.131) at <incomplete> on Port1.10
    ? (192.168.10.60) at <incomplete> on Port1.10
    ? (192.168.10.181) at <incomplete> on Port1.10
    ? (192.168.10.46) at <incomplete> on Port1.10
    ? (192.168.10.167) at <incomplete> on Port1.10
    ? (192.168.10.208) at <incomplete> on Port1.10
    ? (10.16.16.7) at ec:8e:b5:cc:54:50 [ether] on Port1.30
    ? (192.168.10.73) at <incomplete> on Port1.10
    ? (192.168.16.48) at 70:85:c2:69:7a:1b [ether] on Port1
    ? (192.168.10.194) at <incomplete> on Port1.10
    ? (192.168.10.123) at <incomplete> on Port1.10
    ? (192.168.10.244) at <incomplete> on Port1.10
    ? (172.16.16.17) at 94:40:c9:12:08:d5 [ether] on Port1.20
    ? (192.168.10.109) at <incomplete> on Port1.10
    ? (192.168.10.230) at <incomplete> on Port1.10
    ? (192.168.10.31) at <incomplete> on Port1.10
    ? (172.16.16.253) at 00:15:5d:10:05:11 [ether] on Port1.20
    ? (192.168.10.136) at <incomplete> on Port1.10
    ? (192.168.10.1) at <incomplete> on Port1.10
    ? (192.168.1.65) at 3a:31:37:ad:06:d2 [ether] on Port5
    ? (192.168.10.186) at <incomplete> on Port1.10
    ? (192.168.10.51) at <incomplete> on Port1.10
    ? (192.168.10.172) at <incomplete> on Port1.10
    ? (192.168.10.37) at <incomplete> on Port1.10
    ? (192.168.10.94) at <incomplete> on Port1.10
    ? (192.168.10.215) at <incomplete> on Port1.10
    ? (192.168.10.64) at <incomplete> on Port1.10
    ? (192.168.10.249) at <incomplete> on Port1.10
    ? (172.16.16.12) at 94:18:82:0b:7f:9d [ether] on Port1.20
    ? (192.168.10.114) at <incomplete> on Port1.10
    ? (192.168.16.41) at 00:15:5d:10:06:20 [ether] on Port1
    ? (192.168.10.235) at <incomplete> on Port1.10
    ? (192.168.254.253) at 00:1a:8c:6f:6e:1b [ether] on Port6
    ? (192.168.10.100) at <incomplete> on Port1.10
    ? (192.168.10.157) at <incomplete> on Port1.10
    ? (192.168.10.22) at <incomplete> on Port1.10
    ? (192.168.10.143) at <incomplete> on Port1.10
    ? (10.16.17.15) at dc:a6:32:04:a7:0c [ether] on CORP
    ? (192.168.10.56) at <incomplete> on Port1.10
    ? (192.168.10.177) at <incomplete> on Port1.10
    ? (192.168.10.42) at <incomplete> on Port1.10
    ? (192.168.10.163) at <incomplete> on Port1.10
    ? (192.168.10.220) at <incomplete> on Port1.10
    ? (192.168.16.52) at 00:15:5d:10:04:05 [ether] on Port1
    ? (192.168.10.85) at <incomplete> on Port1.10
    ? (192.168.10.206) at <incomplete> on Port1.10
    ? (192.168.10.71) at <incomplete> on Port1.10
    ? (192.168.10.240) at <incomplete> on Port1.10
    ? (172.16.16.21) at 00:15:5d:10:04:01 [ether] on Port1.20
    ? (192.168.10.105) at <incomplete> on Port1.10
    ? (192.168.10.226) at <incomplete> on Port1.10
    ? (192.168.10.27) at <incomplete> on Port1.10
    ? (192.168.16.2) at 00:15:5d:10:05:5b [ether] on Port1
    ? (192.168.10.148) at <incomplete> on Port1.10
    ? (192.168.10.13) at <incomplete> on Port1.10
    ? (192.168.10.134) at <incomplete> on Port1.10
    ? (192.168.10.63) at <incomplete> on Port1.10
    ? (192.168.10.168) at <incomplete> on Port1.10
    ? (192.168.10.33) at <incomplete> on Port1.10
    ? (192.168.10.90) at <incomplete> on Port1.10
    ? (192.168.10.211) at <incomplete> on Port1.10
    ? (192.168.10.76) at <incomplete> on Port1.10
    ? (192.168.10.197) at <incomplete> on Port1.10
    ? (192.168.10.126) at <incomplete> on Port1.10
    ? (192.168.10.247) at <incomplete> on Port1.10
    ? (192.168.10.96) at <incomplete> on Port1.10
    ? (192.168.10.153) at <incomplete> on Port1.10
    ? (192.168.10.18) at <incomplete> on Port1.10
    ? (192.168.16.9) at 00:15:5d:10:05:5c [ether] on Port1
    ? (192.168.10.139) at <incomplete> on Port1.10
    ? (192.168.16.251) at 24:5e:be:07:f5:4b [ether] on Port1
    ? (192.168.10.4) at a0:8c:fd:e3:99:9f [ether] on Port1.10
    ? (192.168.10.189) at <incomplete> on Port1.10
    ? (192.168.10.54) at <incomplete> on Port1.10
    ? (192.168.10.175) at <incomplete> on Port1.10
    ? (192.168.10.216) at <incomplete> on Port1.10
    ? (192.168.10.81) at <incomplete> on Port1.10
    ? (192.168.10.202) at <incomplete> on Port1.10
    ? (192.168.10.67) at <incomplete> on Port1.10
    ? (192.168.10.252) at <incomplete> on Port1.10
    ? (192.168.10.117) at <incomplete> on Port1.10
    ? (192.168.100.16) at 80:5e:c0:45:6c:7e [ether] on Port1.100
    ? (192.168.10.238) at <incomplete> on Port1.10
    ? (192.168.10.103) at <incomplete> on Port1.10
    ? (192.168.16.6) at bc:30:5b:ee:31:95 [ether] on Port1
    ? (192.168.10.144) at <incomplete> on Port1.10
    ? (192.168.10.9) at <incomplete> on Port1.10
    ? (192.168.10.130) at <incomplete> on Port1.10
    ? (10.16.17.2) at 08:12:a5:6f:fa:43 [ether] on CORP
    ? (192.168.10.59) at <incomplete> on Port1.10
    ? (192.168.10.180) at <incomplete> on Port1.10
    ? (192.168.10.45) at <incomplete> on Port1.10
    ? (192.168.10.166) at <incomplete> on Port1.10
    ? (192.168.10.223) at <incomplete> on Port1.10
    ? (192.168.10.72) at <incomplete> on Port1.10
    ? (172.16.16.4) at 00:15:5d:10:05:58 [ether] on Port1.20
    ? (192.168.10.193) at <incomplete> on Port1.10
    ? (192.168.10.122) at <incomplete> on Port1.10
    ? (192.168.100.11) at 80:5e:c0:5e:a1:64 [ether] on Port1.100
    ? (192.168.10.243) at <incomplete> on Port1.10
    ? (172.16.16.22) at 00:15:5d:10:04:02 [ether] on Port1.20
    ? (192.168.10.108) at <incomplete> on Port1.10
    ? (192.168.10.229) at <incomplete> on Port1.10
    ? (192.168.10.30) at <incomplete> on Port1.10
    ? (192.168.16.13) at 00:15:5d:10:06:49 [ether] on Port1
    ? (192.168.10.151) at <incomplete> on Port1.10
    ? (192.168.10.185) at <incomplete> on Port1.10
    ? (192.168.10.50) at <incomplete> on Port1.10
    ? (192.168.10.171) at <incomplete> on Port1.10
    ? (192.168.10.36) at <incomplete> on Port1.10
    ? (192.168.10.93) at <incomplete> on Port1.10
    ? (192.168.10.214) at <incomplete> on Port1.10
    ? (192.168.10.79) at <incomplete> on Port1.10
    ? (192.168.10.248) at <incomplete> on Port1.10
    ? (192.168.100.12) at 80:5e:c0:45:02:e5 [ether] on Port1.100
    ? (192.168.10.113) at <incomplete> on Port1.10
    ? (192.168.10.234) at <incomplete> on Port1.10
    ? (192.168.10.99) at <incomplete> on Port1.10
    ? (192.168.10.156) at <incomplete> on Port1.10
    ? (192.168.10.21) at <incomplete> on Port1.10
    ? (192.168.10.142) at <incomplete> on Port1.10
    ? (192.168.10.7) at 9c:7b:ef:ad:c4:51 [ether] on Port1.10
    ? (192.168.10.176) at <incomplete> on Port1.10
    ? (192.168.10.41) at <incomplete> on Port1.10
    ? (192.168.10.162) at <incomplete> on Port1.10
    ? (192.168.10.219) at <incomplete> on Port1.10
    ? (192.168.10.84) at <incomplete> on Port1.10
    ? (192.168.10.205) at <incomplete> on Port1.10
    ? (192.168.10.70) at <incomplete> on Port1.10
    ? (172.16.16.10) at 00:15:5d:10:06:35 [ether] on Port1.20
    ? (192.168.10.104) at <incomplete> on Port1.10
    ? (192.168.10.225) at <incomplete> on Port1.10
    ? (192.168.10.26) at <incomplete> on Port1.10
    ? (192.168.16.1) at 00:15:5d:10:04:48 [ether] on Port1
    ? (192.168.10.147) at <incomplete> on Port1.10
    ? (192.168.10.12) at <incomplete> on Port1.10
    ? (192.168.10.133) at <incomplete> on Port1.10
    ? (192.168.16.100) at 00:15:5d:10:04:0c [ether] on Port1
    ? (192.168.10.62) at <incomplete> on Port1.10
    ? (192.168.10.183) at <incomplete> on Port1.10
    ? (192.168.10.32) at <incomplete> on Port1.10
    ? (192.168.10.89) at <incomplete> on Port1.10
    ? (192.168.10.210) at <incomplete> on Port1.10
    ? (192.168.10.75) at <incomplete> on Port1.10
    ? (8.8.8.8) at <incomplete> on Port1.100
    ? (192.168.10.196) at <incomplete> on Port1.10
    ? (192.168.10.125) at <incomplete> on Port1.10
    ? (192.168.16.44) at 00:1a:8c:df:c3:c8 [ether] on Port1
    ? (192.168.10.246) at <incomplete> on Port1.10
    ? (192.168.10.111) at <incomplete> on Port1.10
    ? (192.168.10.152) at <incomplete> on Port1.10
    ? (192.168.10.17) at <incomplete> on Port1.10
    ? (192.168.10.138) at <incomplete> on Port1.10
    ? (192.168.10.3) at <incomplete> on Port1.10
    ? (192.168.10.188) at <incomplete> on Port1.10
    ? (192.168.10.53) at <incomplete> on Port1.10
    ? (192.168.10.174) at <incomplete> on Port1.10
    ? (192.168.10.39) at <incomplete> on Port1.10
    ? (192.168.10.80) at <incomplete> on Port1.10
    ? (192.168.10.201) at <incomplete> on Port1.10
    ? (192.168.10.66) at <incomplete> on Port1.10
    ? (192.168.10.251) at <incomplete> on Port1.10
    ? (192.168.10.116) at <incomplete> on Port1.10
    ? (192.168.16.43) at 70:85:c2:4b:7c:e3 [ether] on Port1
    ? (192.168.10.237) at <incomplete> on Port1.10
    ? (192.168.10.102) at <incomplete> on Port1.10
    ? (192.168.16.5) at ac:16:2d:76:07:bc [ether] on Port1
    ? (192.168.10.159) at <incomplete> on Port1.10
    ? (192.168.10.8) at <incomplete> on Port1.10
    ? (192.168.10.129) at <incomplete> on Port1.10
    ? (192.168.10.58) at <incomplete> on Port1.10
    ? (192.168.10.179) at <incomplete> on Port1.10
    ? (192.168.10.44) at <incomplete> on Port1.10
    ? (192.168.10.165) at <incomplete> on Port1.10
    ? (192.168.10.222) at <incomplete> on Port1.10
    ? (192.168.10.87) at <incomplete> on Port1.10
    ? (192.168.16.54) at 70:85:c2:68:b5:82 [ether] on Port1
    ? (192.168.10.192) at <incomplete> on Port1.10
    ? (192.168.10.121) at <incomplete> on Port1.10
    ? (192.168.16.32) at 70:85:c2:49:62:00 [ether] on Port1
    ? (192.168.10.242) at <incomplete> on Port1.10
    ? (192.168.10.107) at <incomplete> on Port1.10
    ? (192.168.10.228) at <incomplete> on Port1.10
    ? (192.168.10.29) at <incomplete> on Port1.10
    ? (192.168.16.12) at 00:15:5d:10:05:10 [ether] on Port1
    ? (192.168.10.150) at <incomplete> on Port1.10
    ? (192.168.10.15) at <incomplete> on Port1.10
    ? (192.168.16.254) at 94:57:a5:53:b7:c0 [ether] on Port1
    ? (192.168.10.184) at <incomplete> on Port1.10
    ? (192.168.10.49) at <incomplete> on Port1.10
    ? (192.168.10.170) at <incomplete> on Port1.10
    ? (192.168.10.35) at <incomplete> on Port1.10
    ? (192.168.10.92) at <incomplete> on Port1.10
    ? (192.168.10.213) at <incomplete> on Port1.10
    ? (192.168.10.78) at <incomplete> on Port1.10
    ? (172.16.16.2) at 00:15:5d:10:06:07 [ether] on Port1.20
    ? (192.168.10.199) at <incomplete> on Port1.10
    ? (192.168.10.112) at <incomplete> on Port1.10
    ? (192.168.100.13) at <incomplete> on Port1.100
    ? (192.168.10.233) at <incomplete> on Port1.10
    ? (192.168.10.98) at <incomplete> on Port1.10
    ? (192.168.10.155) at <incomplete> on Port1.10
    ? (192.168.10.20) at <incomplete> on Port1.10
    ? (192.168.16.11) at 00:15:5d:10:06:4a [ether] on Port1
    ? (192.168.10.141) at <incomplete> on Port1.10
    ? (192.168.10.6) at <incomplete> on Port1.10
    ? (192.168.10.191) at <incomplete> on Port1.10
    ? (192.168.10.40) at <incomplete> on Port1.10
    ? (192.168.10.161) at <incomplete> on Port1.10
    ? (192.168.10.218) at <incomplete> on Port1.10
    ? (192.168.10.83) at <incomplete> on Port1.10
    ? (192.168.10.204) at <incomplete> on Port1.10
    ? (192.168.10.69) at <incomplete> on Port1.10
    ? (192.168.16.22) at 00:15:5d:10:06:0d [ether] on Port1
    ? (192.168.10.119) at <incomplete> on Port1.10
    ? (192.168.10.224) at <incomplete> on Port1.10
    ? (192.168.10.25) at <incomplete> on Port1.10
    ? (192.168.10.146) at <incomplete> on Port1.10
    ? (192.168.10.11) at <incomplete> on Port1.10
    ? (192.168.10.132) at <incomplete> on Port1.10
    ? (192.168.10.61) at <incomplete> on Port1.10
    ? (192.168.10.182) at <incomplete> on Port1.10
    ? (192.168.10.47) at <incomplete> on Port1.10
    ? (192.168.10.88) at <incomplete> on Port1.10
    ? (192.168.10.209) at <incomplete> on Port1.10
    ? (192.168.10.74) at <incomplete> on Port1.10
    ? (192.168.16.49) at 70:85:c2:4b:d7:9c [ether] on Port1
    ? (192.168.10.195) at <incomplete> on Port1.10
    ? (192.168.10.124) at <incomplete> on Port1.10
    ? (192.168.16.35) at 10:7b:44:49:18:3f [ether] on Port1
    ? (192.168.10.245) at <incomplete> on Port1.10
    ? (172.16.16.16) at 94:40:c9:12:08:d4 [ether] on Port1.20
    ? (192.168.10.110) at <incomplete> on Port1.10
    ? (192.168.16.29) at b0:6e:bf:2a:f6:63 [ether] on Port1
    ? (192.168.10.231) at <incomplete> on Port1.10
    ? (192.168.10.16) at <incomplete> on Port1.10
    ? (192.168.16.15) at 00:15:5d:10:05:59 [ether] on Port1
    ? (192.168.10.137) at <incomplete> on Port1.10
    ? (192.168.10.2) at ac:22:0b:c1:3b:76 [ether] on Port1.10
    ? (192.168.10.187) at <incomplete> on Port1.10
    ? (192.168.10.52) at <incomplete> on Port1.10
    ? (192.168.10.173) at <incomplete> on Port1.10
    ? (192.168.10.38) at <incomplete> on Port1.10
    ? (192.168.10.95) at <incomplete> on Port1.10
    ? (192.168.10.200) at <incomplete> on Port1.10
    ? (192.168.10.65) at <incomplete> on Port1.10
    ? (192.168.16.56) at 70:85:c2:6c:9a:35 [ether] on Port1
    ? (192.168.10.250) at <incomplete> on Port1.10
    ? (172.16.16.15) at 94:40:c9:12:08:d6 [ether] on Port1.20
    ? (192.168.10.115) at <incomplete> on Port1.10
    ? (192.168.16.42) at 00:15:5d:10:05:61 [ether] on Port1
    ? (192.168.10.236) at <incomplete> on Port1.10
    ? (192.168.10.101) at <incomplete> on Port1.10
    ? (192.168.16.4) at ac:16:2d:77:91:4d [ether] on Port1
    ? (8.8.8.8) at <incomplete> on Port3
    ? (192.168.10.158) at <incomplete> on Port1.10
    ? (192.168.10.23) at <incomplete> on Port1.10
    ? (192.168.253.254) at 22:14:4b:29:52:b7 [ether] on Port3
    ? (192.168.10.128) at <incomplete> on Port1.10
    ? (192.168.10.57) at <incomplete> on Port1.10
    ? (192.168.10.178) at <incomplete> on Port1.10
    ? (192.168.10.43) at <incomplete> on Port1.10
    ? (192.168.10.164) at <incomplete> on Port1.10
    ? (192.168.10.221) at <incomplete> on Port1.10
    ? (192.168.10.86) at <incomplete> on Port1.10
    ? (192.168.10.207) at <incomplete> on Port1.10
    ? (192.168.10.120) at <incomplete> on Port1.10
    ? (192.168.10.241) at <incomplete> on Port1.10
    ? (172.16.16.20) at 00:15:5d:10:04:00 [ether] on Port1.20
    ? (192.168.10.106) at <incomplete> on Port1.10
    ? (192.168.10.227) at <incomplete> on Port1.10
    ? (192.168.10.28) at <incomplete> on Port1.10
    ? (192.168.16.3) at 00:15:5d:10:04:49 [ether] on Port1
    ? (192.168.10.149) at <incomplete> on Port1.10

    It is weird because all of Port1.10 (Vlan10) is "incomplete" on the MAC address, and it has too many entries, because in this Vlan10 I have only 8 PCs, as we can see in the DHCP table:

     

    I never enabled Dos settings: 

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France
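
The repeated `arp -an` checks suggested earlier in the thread and the dump above can be compared mechanically. The following is an added example, not part of any post in this thread: it counts resolved and `<incomplete>` entries per interface, lists public addresses that appear in the ARP table (on Linux this means the kernel attempted neighbour resolution for that address on that interface), and reports IPs whose MAC differs between two snapshots. `SNAPSHOT_1` is a short excerpt of the dump above; `SNAPSHOT_2` and its changed MAC are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One line of Linux `arp -an` output, e.g.
#   ? (192.168.10.14) at <incomplete> on Port1.10
#   ? (10.16.16.9) at fc:15:b4:35:55:45 [ether] on Port1.30
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac><incomplete>|[0-9a-fA-F:]{17})"
    r"(?:\s+\[\w+\])?\s+on\s+(?P<iface>\S+)"
)

# Excerpt of the output posted above.
SNAPSHOT_1 = """
? (192.168.10.14) at <incomplete> on Port1.10
? (192.168.10.135) at <incomplete> on Port1.10
? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
? (10.16.16.9) at fc:15:b4:35:55:45 [ether] on Port1.30
? (8.8.8.8) at <incomplete> on Port1.100
? (8.8.8.8) at <incomplete> on Port3
? (192.168.253.254) at 22:14:4b:29:52:b7 [ether] on Port3
"""

# Constructed second snapshot: 192.168.10.10 now answers with another MAC.
SNAPSHOT_2 = SNAPSHOT_1.replace("7c:5a:1c:da:40:4d", "02:00:00:00:00:01")

def parse_arp(text):
    """Return a list of (ip, mac_or_None, iface); mac is None when incomplete."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            mac = None if m["mac"] == "<incomplete>" else m["mac"].lower()
            entries.append((ipaddress.ip_address(m["ip"]), mac, m["iface"]))
    return entries

def summarize(entries):
    """Per interface: how many entries are resolved and how many incomplete."""
    stats = defaultdict(Counter)
    for _, mac, iface in entries:
        stats[iface]["resolved" if mac else "incomplete"] += 1
    return {iface: dict(counts) for iface, counts in stats.items()}

def off_link(entries):
    """Public IPs present in the ARP table, with the interface they sit on."""
    return sorted({(str(ip), iface) for ip, _, iface in entries if ip.is_global})

def mac_changes(before, after):
    """IPs whose resolved MAC differs between two snapshots."""
    old = {(ip, iface): mac for ip, mac, iface in before if mac}
    return sorted(
        (str(ip), iface, old[(ip, iface)], mac)
        for ip, mac, iface in after
        if mac and old.get((ip, iface), mac) != mac
    )

if __name__ == "__main__":
    first, second = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    for iface, counts in sorted(summarize(first).items()):
        print(iface, counts)
    print("public IPs in ARP table:", off_link(first))
    print("MAC changed between snapshots:", mac_changes(first, second))
```

To use it on real data, save the output of `arp -an` taken while the ping works and while it fails, and pass the two files' contents to `parse_arp`.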

  • Check the Dos & Spoof Protection and try some settings there.

    And as I said, something is broken in your network.

    Maybe Port1.10 has invalid VLAN settings and the switch is messing up the packets. Looping etc.


  • My Dos & Spoof Protection settings are all disabled and default:

     

    Yes, but I cannot understand what is broken. I haven't modified anything for a few months and everything was working well...

    The issue of pinging external networks is not only from the Port1.10 Vlan, but from the Port1 default LAN too. (From Vlan20 Port1.20, no issue)

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Try to disable Redirect ICMP Packets in DOS Protection.

    But this still leaves the issue open.

    Maybe something is broken with this Port. 

     

    You should investigate the real switch config. Maybe not you, but somebody else reconfigured something in the switching or plugged in another cable.


  • I disabled redirect ICMP, issue is still the same.

     

    I'm investigating but I'm not finding anything...

    Maybe the "cache" of XG you were talking about is corrupted? What do you think about this possibility?

     

    Any way to "clear" it?

     

    Because if I ping an IP that matches the #7 firewall rule, the issue is not present, but the PC from which I'm pinging is still in the Port1.10 vlan...

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France