https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675457#M193799 <P>Mahesh,</P><P>Glad you got it resolved, thank for the ratings.</P><P>packet-tracer is your friend on the ASA. After seeing the TAC run it time and again during my time learning the platform, I decided they might know a thing or two and put it on my short list of go-to tools as well.</P> Fri, 17 Jul 2015 02:35:25 GMT Marvin Rhoads 2015-07-17T02:35:25Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675451#M193786 <P>&nbsp;</P><P>Hi everyone,</P><P>&nbsp;</P><P>PC traffic ------Switch ----X int ASA-----y int ----server 172.31.50.55</P><P>&nbsp;</P><P>I see below log when user try to access the server</P><P>106021: Deny TCP reverse path check from 192.168.100.25 to 172.31.50.55 on interface X</P><P>&nbsp;</P><P>Does it mean that ASA did not pass the traffic from interface X to Y as there is no return path to subnet 192.168.100.25?</P><P>&nbsp;</P><P>Regards</P><P>Mahesh</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:16:19 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675451#M193786 mahesh18 2019-03-12T06:16:19Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675452#M193788 <P>Mahesh,</P><P>It could be routing but the most common cause is asymmetric NAT.</P><P>See what a packet-tracer tells you.</P> Thu, 16 Jul 2015 03:52:00 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675452#M193788 Marvin Rhoads 2015-07-16T03:52:00Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675453#M193790 <P>Hi Marvin,</P><P>&nbsp;</P><P>For packet tracer i can run from interface y to x to check the return traffic right?</P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Thu, 16 Jul 2015 04:48:57 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675453#M193790 mahesh18 2015-07-16T04:48:57Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675454#M193792 <P>Mahesh,</P><P>Per the syntax Igor posted, always run it to simulate the actual traffic as initiated from the end user (<SPAN style="font-size: 14.3999996185303px;">192.168.100.25 in your case</SPAN>).</P><P>The utility will use&nbsp;its built in logic to check the reverse path&nbsp;automatically.</P> Thu, 16 Jul 2015 13:54:43 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675454#M193792 Marvin Rhoads 2015-07-16T13:54:43Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675455#M193793 <P>Example:</P><P>&nbsp;</P><P><SPAN style="font-size:14px;">packet-tracer input <U><EM>X_int_name</EM></U>&nbsp;tcp&nbsp;192.168.100.25&nbsp;&nbsp;<EM><U>PCSource_port</U></EM>&nbsp;172.31.50.55 <I><U>dst_port</U></I>&nbsp;detailed</SPAN></P> Thu, 16 Jul 2015 14:15:35 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675455#M193793 Igor Mordiuk 2015-07-16T14:15:35Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675456#M193796 <P>issue was with routing.</P> Thu, 16 Jul 2015 19:55:56 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675456#M193796 mahesh18 2015-07-16T19:55:56Z https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675457#M193799 <P>Mahesh,</P><P>Glad you got it resolved, thank for the ratings.</P><P>packet-tracer is your friend on the ASA. After seeing the TAC run it time and again during my time learning the platform, I decided they might know a thing or two and put it on my short list of go-to tools as well.</P> Fri, 17 Jul 2015 02:35:25 GMT https://community.cisco.com/t5/network-security/106021-deny-tcp-reverse-path-check-from/m-p/2675457#M193799 Marvin Rhoads 2015-07-17T02:35:25Z