https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919116#M171669 <P>you're right.</P> <P>checking routing!!!</P> Fri, 13 May 2016 13:15:02 GMT gianluca811 2016-05-13T13:15:02Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919112#M171658 <P>Hi,</P> <P></P> <P>on my asa ASA5540 I have the following error:<BR /><BR /><SPAN style="font-family: courier new,courier,monospace;">1&nbsp;&nbsp; &nbsp;May 13 2016&nbsp;&nbsp; &nbsp;11:19:07&nbsp;&nbsp; &nbsp;106021&nbsp;&nbsp; &nbsp;10.168.101.100&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;232.239.122.219&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;Deny TCP reverse path check from 10.168.101.100 to 232.239.122.219 on interface Outside</SPAN><BR /><BR />The source 10.168.101.100 is directly connected, the destination has the following static route:<BR /><BR /><SPAN style="font-family: courier new,courier,monospace;">route Outside 232.239.122.192 255.255.255.224 10.168.201.1 1 </SPAN><BR /><BR /><SPAN style="font-family: courier new,courier,monospace;">ASA5540#show route</SPAN><BR /><BR /><SPAN style="font-family: courier new,courier,monospace;">C&nbsp;&nbsp;&nbsp; 10.168.101.100 255.255.254.0 is directly connected, Inside</SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">S&nbsp;&nbsp;&nbsp; 232.239.122.192 255.255.255.224 [1/0] via 10.168.201.1, Outside</SPAN><BR /><BR />I made a capture on the source and destination interface filtering the destination 232.239.122.219:<BR /><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;&nbsp; 1: 11:19:06.784581&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 802.1Q vlan#18 P0 10.168.101.100.38529 &gt; 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 &lt;mss 1460,sackOK,timestamp 745899726 0,nop,wscale 7&gt; </SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;&nbsp; 2: 11:19:07.783879&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 802.1Q vlan#18 P0 10.168.101.100.38529 &gt; 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 &lt;mss 1460,sackOK,timestamp 745900726 0,nop,wscale 7&gt; </SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;&nbsp; 3: 11:19:09.784047&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 802.1Q vlan#18 P0 10.168.101.100.38529 &gt; 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 &lt;mss 1460,sackOK,timestamp 745902726 0,nop,wscale 7&gt;</SPAN> <BR /><BR />What is wrong ?</P> Tue, 12 Mar 2019 07:44:57 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919112#M171658 gianluca811 2019-03-12T07:44:57Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919113#M171661 <P>The router with the IP&nbsp;<SPAN>10.168.201.1 could have a route for 232.239.122.192/24 back to your firewall.</SPAN></P> Fri, 13 May 2016 12:39:41 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919113#M171661 Karsten Iwen 2016-05-13T12:39:41Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919114#M171664 <P>yes it has a route back to Outside Interface on my firewall.</P> <P>For this I cannot understand why this error</P> Fri, 13 May 2016 12:42:50 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919114#M171664 gianluca811 2016-05-13T12:42:50Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919115#M171666 <OL> <LI>The initial packet came from your internal network. 10.168.101.100 has a network-location that is not outside of your firewall.</LI> <LI>The router&nbsp;routes the packet back to your firewall. There it arrives with a source-address of 10.168.101.100 on the outside interface. Based on the routing-table this packet is spoofed as the location of 10.168.101.100 is inside.</LI> </OL> Fri, 13 May 2016 12:59:42 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919115#M171666 Karsten Iwen 2016-05-13T12:59:42Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919116#M171669 <P>you're right.</P> <P>checking routing!!!</P> Fri, 13 May 2016 13:15:02 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919116#M171669 gianluca811 2016-05-13T13:15:02Z https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919117#M171673 <P>found the routing problem. as described from you was like a "loop"</P> Fri, 13 May 2016 14:36:04 GMT https://community.cisco.com/t5/network-security/asa-deny-tcp-reverse-path-why/m-p/2919117#M171673 gianluca811 2016-05-13T14:36:04Z