電腦接在 Core Switch VLAN上，可以上網卻無法 ping 到 VLAN interface，也無法 ping 到防火牆

Funday · ‎2020-05-19

防火牆 Fortigate 60D 192.168.12.1/24

GSM4352S VLAN 12 Interface 192.168.12.254/24

PC 由 GSM4352S DHCP 服務取得 IP(假設 192.168.12.9/24)，預設閘道 192.168.12.254

因為 GSM4352S 的預設閘道是 192.168.13.1/24

所以使用 route-map 去指定下一跳

access-list 113 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 113 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 113 deny ip 192.168.12.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 113 deny ip 192.168.12.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 113 permit ip 192.168.12.0 0.0.0.255 any

access-list 115 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.12.0 0.0.0.255 192.168.18.0 0.0.0.255

route-map 113 permit 10
match ip address 115
exit
route-map 113 permit 20
match ip address 113
set ip next-hop 192.168.12.1
exit

PC 可以上網，但是 ping 不到 GSM4352S VLAN 12 Interface IP 192.168.12.254，也 ping 不到 FG60D Internal Interface IP 192.168.12.1

請問有可能是甚麼原因嗎？