

Unexplainable problem - unable to ping some hosts

Hello,

Setup: XG135W V18 build 354.

I noticed today that I cannot ping some hosts properly, like 8.8.8.8, 8.8.4.4, and 1.1.1.1. I open a CMD and type "ping 8.8.8.8": the first answer is correct, and then the next 3 time out.

This ping is passing through my #1 firewall rule "LAN TO WAN GENERAL RULE", which allows my internal LAN to reach the internet. I don't know since when this problem has been occurring, but it's really weird because if I switch on packet capture in the firewall, the ping is working well ???!!! what the f*ck ???

Here are some screenshots to explain that...

The ping fails after the 1st successful answer.

Then I switch on packet capture, and ping again while it's still ON, and BINGO, ping is working:

Then I switch off packet capture, and ping is not working again...

Another weird thing is that I monitor my customer's firewall and internet lines with ping and other services, which is allowed by a rule which is above my #1 rule. This rule allows pinging those specific IPs, and if I ping those IPs manually, they are all working great...

The issue is only on the IP that are not in the monitoring firewall rule. 

The ping to 192.168.253.254, which is my ISP modem IP, has the same issue: 1st answer OK, 3 others time out. If I connect a computer to the ISP modem directly and ping 192.168.253.254, the ping is OK.


The issue was not present a few weeks ago...

If anyone has an idea...

Regards



  • FormerMember

    Hi Viken,

    This issue sounds like some problems on the LAN side, like duplicated IP address/wrong ARP on the firewall etc.

    You could try the below steps to check further - 

    1. Check in the firewall's log viewer - switch to detailed view - search your IP address and see if there is any blocking by a firewall rule or IPS rule
    2. On the XG firewall Advanced Shell, use the command to check the ARP table: arp -an. Check multiple times, when the ping is working and when it is not working, and see if the ARP entry has the correct MAC address for your PC.
    3. While doing a continuous ping, ping 1.1.1.1 -t, do a WireShark capture and a tcpdump capture on the XG firewall at the same time. Then retrieve the pcap file from the XG firewall and analyze the captures from the PC and the firewall with WireShark. Pay attention to the destination MAC address of those non-working ping requests.
    4. Test if the issue happens on another PC on the same LAN network
  • Hi Captain,

    Thank you for your answer, I will test what you wrote and will let you know.

    But before that, let me add more details:

    As I said, when I ping IP addresses which match another firewall rule which is above, the ping works well. Here are my firewall rules:

    And detailed view:

    Main firewall rule:

    and supervision rule: 

    As you can see, in my supervision rule I have host groups with public IP addresses inside; when I ping one of those IP addresses, it matches this rule.

    Now, a really weird thing about that :D -> If I add 8.8.8.8 or 8.8.4.4 or 1.1.1.1 in one of the host groups, the ping to those IPs is working again !!!!!! see:

    I tested that from different PCs on the network, from different VLANs, and the issue is the same.
    If I ping directly from the "diagnostics" pane of the XG, with Port3 Interface, there is no problem.

    I'm starting to think that this is a problem with the v18 build 354 firmware. I'm about to downgrade to build 339 to see if the problem is present or not...

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Adding a tcpdump puts the interface into https://en.wikipedia.org/wiki/Promiscuous_mode 

    It could be a duplicated ARP, DHCP, IP Mapping within the Network. 

    In Promiscuous Mode, the interface will continue to talk to the current MAC. Therefore the ping will succeed. Without this mode, the XG will likely get different MACs or the switch will not interact with the XG anymore.

  • Ok thanks for your answer.


    But how can we explain that all the IP hosts which are in an IP host group which matches the #7 firewall rule (even if I place 8.8.8.8 or 8.8.4.4 or 1.1.1.1 inside) are working fine with ping???

    Viken

  • Simply because XG will resolve the IP host groups differently, using its own cache.

    If you do not place the host in the group, it will not work, because XG will look it up freely on demand.

    If you place it into a host group, XG will create some sort of cache for those hosts, so it does not have to ask the switch all the time.

    There is something wrong in the network, I guess. That's my explanation for your issue.

    Maybe check the DoS settings on XG, if you have ARP Forging activated.

  • Ok, thank you for your answer, I understand much better how it works now.

    Here is the output of arp -an done on the XG firewall:

    XG135w_XN03_SFOS 18.0.0 GA-Build354.HF042920# arp -an
    ? (192.168.10.14) at <incomplete> on Port1.10
    ? (192.168.10.135) at <incomplete> on Port1.10
    ? (192.168.10.48) at <incomplete> on Port1.10
    ? (192.168.10.169) at <incomplete> on Port1.10
    ? (192.168.10.34) at <incomplete> on Port1.10
    ? (10.16.16.9) at fc:15:b4:35:55:45 [ether] on Port1.30
    ? (192.168.10.91) at <incomplete> on Port1.10
    ? (192.168.10.212) at <incomplete> on Port1.10
    ? (192.168.10.77) at <incomplete> on Port1.10
    ? (192.168.10.198) at <incomplete> on Port1.10
    ? (172.16.16.3) at 00:d9:d1:f9:a2:1e [ether] on Port1.20
    ? (192.168.10.127) at <incomplete> on Port1.10
    ? (192.168.16.46) at 00:15:5d:10:04:37 [ether] on Port1
    ? (192.168.10.232) at <incomplete> on Port1.10
    ? (192.168.10.97) at <incomplete> on Port1.10
    ? (192.168.10.154) at <incomplete> on Port1.10
    ? (192.168.16.10) at 00:15:5d:10:05:5a [ether] on Port1
    ? (192.168.10.19) at <incomplete> on Port1.10
    ? (192.168.253.242) at <incomplete> on Port3
    ? (192.168.10.140) at <incomplete> on Port1.10
    ? (192.168.10.5) at <incomplete> on Port1.10
    ? (192.168.10.190) at <incomplete> on Port1.10
    ? (192.168.10.55) at <incomplete> on Port1.10
    ? (192.168.10.160) at <incomplete> on Port1.10
    ? (192.168.10.217) at <incomplete> on Port1.10
    ? (192.168.10.82) at <incomplete> on Port1.10
    ? (192.168.10.203) at <incomplete> on Port1.10
    ? (192.168.10.68) at <incomplete> on Port1.10
    ? (192.168.10.253) at 80:30:e0:6a:1e:c0 [ether] on Port1.10
    ? (192.168.10.118) at <incomplete> on Port1.10
    ? (192.168.10.239) at <incomplete> on Port1.10
    ? (192.168.10.24) at <incomplete> on Port1.10
    ? (192.168.10.145) at <incomplete> on Port1.10
    ? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
    ? (192.168.10.131) at <incomplete> on Port1.10
    ? (192.168.10.60) at <incomplete> on Port1.10
    ? (192.168.10.181) at <incomplete> on Port1.10
    ? (192.168.10.46) at <incomplete> on Port1.10
    ? (192.168.10.167) at <incomplete> on Port1.10
    ? (192.168.10.208) at <incomplete> on Port1.10
    ? (10.16.16.7) at ec:8e:b5:cc:54:50 [ether] on Port1.30
    ? (192.168.10.73) at <incomplete> on Port1.10
    ? (192.168.16.48) at 70:85:c2:69:7a:1b [ether] on Port1
    ? (192.168.10.194) at <incomplete> on Port1.10
    ? (192.168.10.123) at <incomplete> on Port1.10
    ? (192.168.10.244) at <incomplete> on Port1.10
    ? (172.16.16.17) at 94:40:c9:12:08:d5 [ether] on Port1.20
    ? (192.168.10.109) at <incomplete> on Port1.10
    ? (192.168.10.230) at <incomplete> on Port1.10
    ? (192.168.10.31) at <incomplete> on Port1.10
    ? (172.16.16.253) at 00:15:5d:10:05:11 [ether] on Port1.20
    ? (192.168.10.136) at <incomplete> on Port1.10
    ? (192.168.10.1) at <incomplete> on Port1.10
    ? (192.168.1.65) at 3a:31:37:ad:06:d2 [ether] on Port5
    ? (192.168.10.186) at <incomplete> on Port1.10
    ? (192.168.10.51) at <incomplete> on Port1.10
    ? (192.168.10.172) at <incomplete> on Port1.10
    ? (192.168.10.37) at <incomplete> on Port1.10
    ? (192.168.10.94) at <incomplete> on Port1.10
    ? (192.168.10.215) at <incomplete> on Port1.10
    ? (192.168.10.64) at <incomplete> on Port1.10
    ? (192.168.10.249) at <incomplete> on Port1.10
    ? (172.16.16.12) at 94:18:82:0b:7f:9d [ether] on Port1.20
    ? (192.168.10.114) at <incomplete> on Port1.10
    ? (192.168.16.41) at 00:15:5d:10:06:20 [ether] on Port1
    ? (192.168.10.235) at <incomplete> on Port1.10
    ? (192.168.254.253) at 00:1a:8c:6f:6e:1b [ether] on Port6
    ? (192.168.10.100) at <incomplete> on Port1.10
    ? (192.168.10.157) at <incomplete> on Port1.10
    ? (192.168.10.22) at <incomplete> on Port1.10
    ? (192.168.10.143) at <incomplete> on Port1.10
    ? (10.16.17.15) at dc:a6:32:04:a7:0c [ether] on CORP
    ? (192.168.10.56) at <incomplete> on Port1.10
    ? (192.168.10.177) at <incomplete> on Port1.10
    ? (192.168.10.42) at <incomplete> on Port1.10
    ? (192.168.10.163) at <incomplete> on Port1.10
    ? (192.168.10.220) at <incomplete> on Port1.10
    ? (192.168.16.52) at 00:15:5d:10:04:05 [ether] on Port1
    ? (192.168.10.85) at <incomplete> on Port1.10
    ? (192.168.10.206) at <incomplete> on Port1.10
    ? (192.168.10.71) at <incomplete> on Port1.10
    ? (192.168.10.240) at <incomplete> on Port1.10
    ? (172.16.16.21) at 00:15:5d:10:04:01 [ether] on Port1.20
    ? (192.168.10.105) at <incomplete> on Port1.10
    ? (192.168.10.226) at <incomplete> on Port1.10
    ? (192.168.10.27) at <incomplete> on Port1.10
    ? (192.168.16.2) at 00:15:5d:10:05:5b [ether] on Port1
    ? (192.168.10.148) at <incomplete> on Port1.10
    ? (192.168.10.13) at <incomplete> on Port1.10
    ? (192.168.10.134) at <incomplete> on Port1.10
    ? (192.168.10.63) at <incomplete> on Port1.10
    ? (192.168.10.168) at <incomplete> on Port1.10
    ? (192.168.10.33) at <incomplete> on Port1.10
    ? (192.168.10.90) at <incomplete> on Port1.10
    ? (192.168.10.211) at <incomplete> on Port1.10
    ? (192.168.10.76) at <incomplete> on Port1.10
    ? (192.168.10.197) at <incomplete> on Port1.10
    ? (192.168.10.126) at <incomplete> on Port1.10
    ? (192.168.10.247) at <incomplete> on Port1.10
    ? (192.168.10.96) at <incomplete> on Port1.10
    ? (192.168.10.153) at <incomplete> on Port1.10
    ? (192.168.10.18) at <incomplete> on Port1.10
    ? (192.168.16.9) at 00:15:5d:10:05:5c [ether] on Port1
    ? (192.168.10.139) at <incomplete> on Port1.10
    ? (192.168.16.251) at 24:5e:be:07:f5:4b [ether] on Port1
    ? (192.168.10.4) at a0:8c:fd:e3:99:9f [ether] on Port1.10
    ? (192.168.10.189) at <incomplete> on Port1.10
    ? (192.168.10.54) at <incomplete> on Port1.10
    ? (192.168.10.175) at <incomplete> on Port1.10
    ? (192.168.10.216) at <incomplete> on Port1.10
    ? (192.168.10.81) at <incomplete> on Port1.10
    ? (192.168.10.202) at <incomplete> on Port1.10
    ? (192.168.10.67) at <incomplete> on Port1.10
    ? (192.168.10.252) at <incomplete> on Port1.10
    ? (192.168.10.117) at <incomplete> on Port1.10
    ? (192.168.100.16) at 80:5e:c0:45:6c:7e [ether] on Port1.100
    ? (192.168.10.238) at <incomplete> on Port1.10
    ? (192.168.10.103) at <incomplete> on Port1.10
    ? (192.168.16.6) at bc:30:5b:ee:31:95 [ether] on Port1
    ? (192.168.10.144) at <incomplete> on Port1.10
    ? (192.168.10.9) at <incomplete> on Port1.10
    ? (192.168.10.130) at <incomplete> on Port1.10
    ? (10.16.17.2) at 08:12:a5:6f:fa:43 [ether] on CORP
    ? (192.168.10.59) at <incomplete> on Port1.10
    ? (192.168.10.180) at <incomplete> on Port1.10
    ? (192.168.10.45) at <incomplete> on Port1.10
    ? (192.168.10.166) at <incomplete> on Port1.10
    ? (192.168.10.223) at <incomplete> on Port1.10
    ? (192.168.10.72) at <incomplete> on Port1.10
    ? (172.16.16.4) at 00:15:5d:10:05:58 [ether] on Port1.20
    ? (192.168.10.193) at <incomplete> on Port1.10
    ? (192.168.10.122) at <incomplete> on Port1.10
    ? (192.168.100.11) at 80:5e:c0:5e:a1:64 [ether] on Port1.100
    ? (192.168.10.243) at <incomplete> on Port1.10
    ? (172.16.16.22) at 00:15:5d:10:04:02 [ether] on Port1.20
    ? (192.168.10.108) at <incomplete> on Port1.10
    ? (192.168.10.229) at <incomplete> on Port1.10
    ? (192.168.10.30) at <incomplete> on Port1.10
    ? (192.168.16.13) at 00:15:5d:10:06:49 [ether] on Port1
    ? (192.168.10.151) at <incomplete> on Port1.10
    ? (192.168.10.185) at <incomplete> on Port1.10
    ? (192.168.10.50) at <incomplete> on Port1.10
    ? (192.168.10.171) at <incomplete> on Port1.10
    ? (192.168.10.36) at <incomplete> on Port1.10
    ? (192.168.10.93) at <incomplete> on Port1.10
    ? (192.168.10.214) at <incomplete> on Port1.10
    ? (192.168.10.79) at <incomplete> on Port1.10
    ? (192.168.10.248) at <incomplete> on Port1.10
    ? (192.168.100.12) at 80:5e:c0:45:02:e5 [ether] on Port1.100
    ? (192.168.10.113) at <incomplete> on Port1.10
    ? (192.168.10.234) at <incomplete> on Port1.10
    ? (192.168.10.99) at <incomplete> on Port1.10
    ? (192.168.10.156) at <incomplete> on Port1.10
    ? (192.168.10.21) at <incomplete> on Port1.10
    ? (192.168.10.142) at <incomplete> on Port1.10
    ? (192.168.10.7) at 9c:7b:ef:ad:c4:51 [ether] on Port1.10
    ? (192.168.10.176) at <incomplete> on Port1.10
    ? (192.168.10.41) at <incomplete> on Port1.10
    ? (192.168.10.162) at <incomplete> on Port1.10
    ? (192.168.10.219) at <incomplete> on Port1.10
    ? (192.168.10.84) at <incomplete> on Port1.10
    ? (192.168.10.205) at <incomplete> on Port1.10
    ? (192.168.10.70) at <incomplete> on Port1.10
    ? (172.16.16.10) at 00:15:5d:10:06:35 [ether] on Port1.20
    ? (192.168.10.104) at <incomplete> on Port1.10
    ? (192.168.10.225) at <incomplete> on Port1.10
    ? (192.168.10.26) at <incomplete> on Port1.10
    ? (192.168.16.1) at 00:15:5d:10:04:48 [ether] on Port1
    ? (192.168.10.147) at <incomplete> on Port1.10
    ? (192.168.10.12) at <incomplete> on Port1.10
    ? (192.168.10.133) at <incomplete> on Port1.10
    ? (192.168.16.100) at 00:15:5d:10:04:0c [ether] on Port1
    ? (192.168.10.62) at <incomplete> on Port1.10
    ? (192.168.10.183) at <incomplete> on Port1.10
    ? (192.168.10.32) at <incomplete> on Port1.10
    ? (192.168.10.89) at <incomplete> on Port1.10
    ? (192.168.10.210) at <incomplete> on Port1.10
    ? (192.168.10.75) at <incomplete> on Port1.10
    ? (8.8.8.8) at <incomplete> on Port1.100
    ? (192.168.10.196) at <incomplete> on Port1.10
    ? (192.168.10.125) at <incomplete> on Port1.10
    ? (192.168.16.44) at 00:1a:8c:df:c3:c8 [ether] on Port1
    ? (192.168.10.246) at <incomplete> on Port1.10
    ? (192.168.10.111) at <incomplete> on Port1.10
    ? (192.168.10.152) at <incomplete> on Port1.10
    ? (192.168.10.17) at <incomplete> on Port1.10
    ? (192.168.10.138) at <incomplete> on Port1.10
    ? (192.168.10.3) at <incomplete> on Port1.10
    ? (192.168.10.188) at <incomplete> on Port1.10
    ? (192.168.10.53) at <incomplete> on Port1.10
    ? (192.168.10.174) at <incomplete> on Port1.10
    ? (192.168.10.39) at <incomplete> on Port1.10
    ? (192.168.10.80) at <incomplete> on Port1.10
    ? (192.168.10.201) at <incomplete> on Port1.10
    ? (192.168.10.66) at <incomplete> on Port1.10
    ? (192.168.10.251) at <incomplete> on Port1.10
    ? (192.168.10.116) at <incomplete> on Port1.10
    ? (192.168.16.43) at 70:85:c2:4b:7c:e3 [ether] on Port1
    ? (192.168.10.237) at <incomplete> on Port1.10
    ? (192.168.10.102) at <incomplete> on Port1.10
    ? (192.168.16.5) at ac:16:2d:76:07:bc [ether] on Port1
    ? (192.168.10.159) at <incomplete> on Port1.10
    ? (192.168.10.8) at <incomplete> on Port1.10
    ? (192.168.10.129) at <incomplete> on Port1.10
    ? (192.168.10.58) at <incomplete> on Port1.10
    ? (192.168.10.179) at <incomplete> on Port1.10
    ? (192.168.10.44) at <incomplete> on Port1.10
    ? (192.168.10.165) at <incomplete> on Port1.10
    ? (192.168.10.222) at <incomplete> on Port1.10
    ? (192.168.10.87) at <incomplete> on Port1.10
    ? (192.168.16.54) at 70:85:c2:68:b5:82 [ether] on Port1
    ? (192.168.10.192) at <incomplete> on Port1.10
    ? (192.168.10.121) at <incomplete> on Port1.10
    ? (192.168.16.32) at 70:85:c2:49:62:00 [ether] on Port1
    ? (192.168.10.242) at <incomplete> on Port1.10
    ? (192.168.10.107) at <incomplete> on Port1.10
    ? (192.168.10.228) at <incomplete> on Port1.10
    ? (192.168.10.29) at <incomplete> on Port1.10
    ? (192.168.16.12) at 00:15:5d:10:05:10 [ether] on Port1
    ? (192.168.10.150) at <incomplete> on Port1.10
    ? (192.168.10.15) at <incomplete> on Port1.10
    ? (192.168.16.254) at 94:57:a5:53:b7:c0 [ether] on Port1
    ? (192.168.10.184) at <incomplete> on Port1.10
    ? (192.168.10.49) at <incomplete> on Port1.10
    ? (192.168.10.170) at <incomplete> on Port1.10
    ? (192.168.10.35) at <incomplete> on Port1.10
    ? (192.168.10.92) at <incomplete> on Port1.10
    ? (192.168.10.213) at <incomplete> on Port1.10
    ? (192.168.10.78) at <incomplete> on Port1.10
    ? (172.16.16.2) at 00:15:5d:10:06:07 [ether] on Port1.20
    ? (192.168.10.199) at <incomplete> on Port1.10
    ? (192.168.10.112) at <incomplete> on Port1.10
    ? (192.168.100.13) at <incomplete> on Port1.100
    ? (192.168.10.233) at <incomplete> on Port1.10
    ? (192.168.10.98) at <incomplete> on Port1.10
    ? (192.168.10.155) at <incomplete> on Port1.10
    ? (192.168.10.20) at <incomplete> on Port1.10
    ? (192.168.16.11) at 00:15:5d:10:06:4a [ether] on Port1
    ? (192.168.10.141) at <incomplete> on Port1.10
    ? (192.168.10.6) at <incomplete> on Port1.10
    ? (192.168.10.191) at <incomplete> on Port1.10
    ? (192.168.10.40) at <incomplete> on Port1.10
    ? (192.168.10.161) at <incomplete> on Port1.10
    ? (192.168.10.218) at <incomplete> on Port1.10
    ? (192.168.10.83) at <incomplete> on Port1.10
    ? (192.168.10.204) at <incomplete> on Port1.10
    ? (192.168.10.69) at <incomplete> on Port1.10
    ? (192.168.16.22) at 00:15:5d:10:06:0d [ether] on Port1
    ? (192.168.10.119) at <incomplete> on Port1.10
    ? (192.168.10.224) at <incomplete> on Port1.10
    ? (192.168.10.25) at <incomplete> on Port1.10
    ? (192.168.10.146) at <incomplete> on Port1.10
    ? (192.168.10.11) at <incomplete> on Port1.10
    ? (192.168.10.132) at <incomplete> on Port1.10
    ? (192.168.10.61) at <incomplete> on Port1.10
    ? (192.168.10.182) at <incomplete> on Port1.10
    ? (192.168.10.47) at <incomplete> on Port1.10
    ? (192.168.10.88) at <incomplete> on Port1.10
    ? (192.168.10.209) at <incomplete> on Port1.10
    ? (192.168.10.74) at <incomplete> on Port1.10
    ? (192.168.16.49) at 70:85:c2:4b:d7:9c [ether] on Port1
    ? (192.168.10.195) at <incomplete> on Port1.10
    ? (192.168.10.124) at <incomplete> on Port1.10
    ? (192.168.16.35) at 10:7b:44:49:18:3f [ether] on Port1
    ? (192.168.10.245) at <incomplete> on Port1.10
    ? (172.16.16.16) at 94:40:c9:12:08:d4 [ether] on Port1.20
    ? (192.168.10.110) at <incomplete> on Port1.10
    ? (192.168.16.29) at b0:6e:bf:2a:f6:63 [ether] on Port1
    ? (192.168.10.231) at <incomplete> on Port1.10
    ? (192.168.10.16) at <incomplete> on Port1.10
    ? (192.168.16.15) at 00:15:5d:10:05:59 [ether] on Port1
    ? (192.168.10.137) at <incomplete> on Port1.10
    ? (192.168.10.2) at ac:22:0b:c1:3b:76 [ether] on Port1.10
    ? (192.168.10.187) at <incomplete> on Port1.10
    ? (192.168.10.52) at <incomplete> on Port1.10
    ? (192.168.10.173) at <incomplete> on Port1.10
    ? (192.168.10.38) at <incomplete> on Port1.10
    ? (192.168.10.95) at <incomplete> on Port1.10
    ? (192.168.10.200) at <incomplete> on Port1.10
    ? (192.168.10.65) at <incomplete> on Port1.10
    ? (192.168.16.56) at 70:85:c2:6c:9a:35 [ether] on Port1
    ? (192.168.10.250) at <incomplete> on Port1.10
    ? (172.16.16.15) at 94:40:c9:12:08:d6 [ether] on Port1.20
    ? (192.168.10.115) at <incomplete> on Port1.10
    ? (192.168.16.42) at 00:15:5d:10:05:61 [ether] on Port1
    ? (192.168.10.236) at <incomplete> on Port1.10
    ? (192.168.10.101) at <incomplete> on Port1.10
    ? (192.168.16.4) at ac:16:2d:77:91:4d [ether] on Port1
    ? (8.8.8.8) at <incomplete> on Port3
    ? (192.168.10.158) at <incomplete> on Port1.10
    ? (192.168.10.23) at <incomplete> on Port1.10
    ? (192.168.253.254) at 22:14:4b:29:52:b7 [ether] on Port3
    ? (192.168.10.128) at <incomplete> on Port1.10
    ? (192.168.10.57) at <incomplete> on Port1.10
    ? (192.168.10.178) at <incomplete> on Port1.10
    ? (192.168.10.43) at <incomplete> on Port1.10
    ? (192.168.10.164) at <incomplete> on Port1.10
    ? (192.168.10.221) at <incomplete> on Port1.10
    ? (192.168.10.86) at <incomplete> on Port1.10
    ? (192.168.10.207) at <incomplete> on Port1.10
    ? (192.168.10.120) at <incomplete> on Port1.10
    ? (192.168.10.241) at <incomplete> on Port1.10
    ? (172.16.16.20) at 00:15:5d:10:04:00 [ether] on Port1.20
    ? (192.168.10.106) at <incomplete> on Port1.10
    ? (192.168.10.227) at <incomplete> on Port1.10
    ? (192.168.10.28) at <incomplete> on Port1.10
    ? (192.168.16.3) at 00:15:5d:10:04:49 [ether] on Port1
    ? (192.168.10.149) at <incomplete> on Port1.10

    It is weird because all the Port1.10 (Vlan10) entries are "incomplete" on the MAC address, and there are too many entries, because I have only 8 PCs in this Vlan10, as we can see in the DHCP table:

    I never enabled DoS settings:

    Viken
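A small analyser for the arp -an output above, added here as an example; it is not part of the original thread or of any Sophos tooling. It parses the table, counts complete and incomplete entries per interface (the point made about Port1.10), flags interfaces where most entries are incomplete, looks for one MAC answering for several IPs on the same interface (the duplicated-IP case suggested earlier in the thread), reports entries for addresses outside the interface's subnet (the 8.8.8.8 entries on Port1.100 and Port3 above), and diffs two snapshots to catch a MAC changing between a working and a non-working ping (step 2 of the checklist). The sample table is constructed from a handful of entries in the style of the one above, with one extra host and a second snapshot invented to exercise the duplicate-MAC and changed-MAC checks; the per-interface subnets in IFACE_NETS are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# One line of `arp -an` as printed on the XG shell, e.g.
#   ? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
#   ? (192.168.10.14) at <incomplete> on Port1.10
ARP_LINE = re.compile(
    r"^\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac><incomplete>|[0-9a-f:]{17})"
    r"(?:\s+\[ether\])?\s+on\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac_or_None, iface) tuples; non-entry lines such as the prompt are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            mac = None if m["mac"].lower() == "<incomplete>" else m["mac"].lower()
            entries.append((m["ip"], mac, m["iface"]))
    return entries


def summarize(entries):
    """Count resolved and <incomplete> entries per interface."""
    per_iface = defaultdict(lambda: {"complete": 0, "incomplete": 0})
    for _ip, mac, iface in entries:
        per_iface[iface]["incomplete" if mac is None else "complete"] += 1
    return dict(per_iface)


def suspicious_interfaces(summary, min_entries=5, max_incomplete_ratio=0.5):
    """Interfaces with enough entries where most ARP requests never got an answer."""
    out = []
    for iface, c in summary.items():
        total = c["complete"] + c["incomplete"]
        if total >= min_entries and c["incomplete"] / total > max_incomplete_ratio:
            out.append(iface)
    return sorted(out)


def duplicate_macs(entries):
    """One MAC claiming several IPs on the same interface: a duplicate-IP / ARP-spoofing indicator."""
    by_mac = defaultdict(set)
    for ip, mac, iface in entries:
        if mac:
            by_mac[(iface, mac)].add(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}


def off_subnet(entries, iface_nets):
    """ARP entries for addresses that are not on the interface's own subnet (e.g. 8.8.8.8 on a LAN VLAN)."""
    nets = {i: ipaddress.ip_network(n) for i, n in iface_nets.items()}
    flagged = []
    for ip, _mac, iface in entries:
        net = nets.get(iface)
        if net is not None and ipaddress.ip_address(ip) not in net:
            flagged.append((ip, iface))
    return flagged


def mac_changes(before, after):
    """IPs whose resolved MAC differs between two snapshots (take one while ping works, one while it fails)."""
    old = {(iface, ip): mac for ip, mac, iface in before if mac}
    changed = []
    for ip, mac, iface in after:
        prev = old.get((iface, ip))
        if mac and prev and prev != mac:
            changed.append((iface, ip, prev, mac))
    return changed


# Constructed sample in the style of the thread's output; 192.168.16.99 is an invented host.
SAMPLE = """\
XG135w_XN03_SFOS 18.0.0 GA-Build354.HF042920# arp -an
? (192.168.10.14) at <incomplete> on Port1.10
? (192.168.10.135) at <incomplete> on Port1.10
? (192.168.10.48) at <incomplete> on Port1.10
? (192.168.10.169) at <incomplete> on Port1.10
? (192.168.10.34) at <incomplete> on Port1.10
? (192.168.10.10) at 7c:5a:1c:da:40:4d [ether] on Port1.10
? (192.168.16.46) at 00:15:5d:10:04:37 [ether] on Port1
? (192.168.16.10) at 00:15:5d:10:05:5a [ether] on Port1
? (192.168.16.99) at 00:15:5d:10:05:5a [ether] on Port1
? (8.8.8.8) at <incomplete> on Port1.100
? (192.168.253.254) at 22:14:4b:29:52:b7 [ether] on Port3
? (8.8.8.8) at <incomplete> on Port3
"""
# Constructed second snapshot: 192.168.10.10 now answers from a different (invented) MAC.
SAMPLE_LATER = SAMPLE.replace("7c:5a:1c:da:40:4d", "00:15:5d:10:06:99")

# Assumed /24 subnets per interface; adjust to the real interface configuration.
IFACE_NETS = {
    "Port1": "192.168.16.0/24",
    "Port1.10": "192.168.10.0/24",
    "Port1.100": "192.168.100.0/24",
    "Port3": "192.168.253.0/24",
}

if __name__ == "__main__":
    now = parse_arp(SAMPLE)
    for iface, counts in sorted(summarize(now).items()):
        print(f"{iface:10} complete={counts['complete']:3} incomplete={counts['incomplete']:3}")
    print("mostly-incomplete interfaces:", suspicious_interfaces(summarize(now)))
    print("one MAC for several IPs:", duplicate_macs(now))
    print("off-subnet entries:", off_subnet(now, IFACE_NETS))
    print("MAC changed between snapshots:", mac_changes(now, parse_arp(SAMPLE_LATER)))
```

Run it against two real snapshots saved from the XG shell (one taken while the ping works, one while it times out): a VLAN full of incomplete entries for addresses no DHCP lease explains points at something on the switch side generating ARP traffic, a MAC that flips between snapshots points at a duplicate IP, and a public address showing up in the ARP table of a LAN VLAN means the firewall tried to resolve it on-link rather than routing it.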

  • Check the DoS & Spoof Protection and try some settings there.

    And as I said, something is broken in your network.

    Maybe Port1.10 has invalid VLAN settings and the switch is messing up the packets. Looping etc.

  • My DoS & Spoof Protection settings are all disabled and default:

    Yes, but I cannot understand what is broken; I haven't modified anything for a few months and everything was working well...

    The issue of pinging external networks is not only from the Port1.10 Vlan, but from the Port1 default LAN too. (From Vlan20 Port1.20, no issue)

    Viken

  • Try to disable Redirect ICMP Packets in DOS Protection.

    But this still leaves the issue open.

    Maybe something is broken with this port.

    You should investigate the real switch config. Maybe not you, but somebody else reconfigured something in the switching or plugged in another cable.

  • I disabled redirect ICMP, issue still the same.

    I'm investigating but I'm not finding anything...

    Maybe the "cache" of XG you were talking about is corrupted? What do you think about this possibility?

    Any way to "clear" it?

    Because if I ping an IP that matches the #7 firewall rule, the issue is not present, but the PC from which I'm pinging is still in the Port1.10 VLAN...

    Viken

  • More details after some tests:

    I rebooted our main ISP modem (Port3 of XG), and during the reboot our XG saw that Port3 was down in the WAN link manager, so the link failed over to Port4 (backup ISP), and during the whole time the 2nd ISP was active, the ping was OK from my PC to 8.8.8.8 without any loss...

    Then the main ISP link (Port3) came back, the ping was still OK to many hosts on the internet, and then after 2 or 3 minutes the ping timed out again...

    Do you still think there is a problem with internal ARP or a duplicate IP?

    Thanks for your advice...

    Viken

  • Hi,

    Could you please unplug Port3 (ISP) for testing purposes and check what the status of the issue is?

    Could you please enable fsck once from the console and reboot the firewall?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hello Guys,

    I have resolved the issue, but I resolved it in a weird way.

    I remembered that when I migrated from v17 to v18, I read about FastPath on the internet; this was a few weeks ago...

    Then I saw that it was about the "system firewall-acceleration" option that we have to enable.

    So a few weeks ago I enabled this feature, and then just to test, I have disabled it right now, and then the ping is working again !!!!

    So maybe it explains why when I was pinging from Vlan20 it was working. (The only rule for Vlan20 was to use web proxy instead of DPI.)

    And then when I was pinging from Vlan 1, 10 and 30, the ping wasn't working (the rule for those Vlans was set to use DPI instead of web proxy).

    So the real issue is there, and not about ARP or a duplicate issue. So what's wrong? Should we enable the "system firewall-acceleration" option? Is there a problem with DPI?


    Thanks.

    Viken
