topic Hi, in Network Security

Reverse path check error?

drbabbers — Tue, 12 Mar 2019 07:13:23 GMT

All,

I am getting the following error message on my firewall:

1 Feb 01 2016 12:19:36 106021 1.1.1.1 2.2.2.2 Deny ICMP reverse path check from 1.1.1.1 to 2.2.2.2 on interface INTERFACE

I am struggling to see anything obvious at fault. I have access lists that permit the traffic, however I don't think that is the issue as there is no deny error.

Any ideas how I can begin to troubleshoot this?

This happens when the route

Philip D'Ath — Mon, 01 Feb 2016 12:28:58 GMT

This happens when the route for 1.1.1.1 is not via INTERFACE.

Hi,

drbabbers — Mon, 01 Feb 2016 14:35:50 GMT

Hi,

In this example, the route to 1.1.1.1 should not be via 'INTERFACE'. 'INTERFACE' is actually where 2.2.2.2 is directly connected downstream on a distribution switch.

The route to 1.1.1.1 should be via the OUTSIDE interface, and there is a default route for this in place.

Any ideas? Im a bit confused!

I don't think I can work this

Philip D'Ath — Mon, 01 Feb 2016 19:24:54 GMT

I don't think I can work this out without seeing the output of "show route" and knowing the actual IP addresses reported in the error.

This was down to the network

drbabbers — Tue, 02 Feb 2016 10:45:16 GMT

This was down to the network in question having the wrong subnet mask (/24 instead of a /25) and as a result being advertised via the wrong interface! Once the network was advertised with the /25 mask by our MPLS provider, everything worked fine.

Thanks for the help.