Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3026
Views
0
Helpful
6
Replies

106021: Deny TCP reverse path check from

Go to solution
mahesh18
Level 6
Level 6

‎07-15-2015 01:17 PM - edited ‎03-11-2019 11:16 PM

 

Hi everyone,

 

PC traffic ------Switch ----X int ASA-----y int ----server 172.31.50.55

 

I see below log when user try to access the server

106021: Deny TCP reverse path check from 192.168.100.25 to 172.31.50.55 on interface X

 

Does it mean that ASA did not pass the traffic from interface X to Y as there is no return path to subnet 192.168.100.25?

 

Regards

Mahesh

 

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-15-2015 08:52 PM

Mahesh,

It could be routing but the most common cause is asymmetric NAT.

See what a packet-tracer tells you.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-16-2015 06:54 AM

Mahesh,

Per the syntax Igor posted, always run it to simulate the actual traffic as initiated from the end user (192.168.100.25 in your case).

The utility will use its built in logic to check the reverse path automatically.

View solution in original post

0 Helpful

Go to solution
Igor Mordiuk
Level 1
Level 1
In response to mahesh18

‎07-16-2015 07:15 AM

Example:

 

packet-tracer input X_int_name tcp 192.168.100.25  PCSource_port 172.31.50.55 dst_port detailed

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-15-2015 08:52 PM

Mahesh,

It could be routing but the most common cause is asymmetric NAT.

See what a packet-tracer tells you.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎07-15-2015 09:48 PM

Hi Marvin,

 

For packet tracer i can run from interface y to x to check the return traffic right?

 

Regards

MAhesh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-16-2015 06:54 AM

Mahesh,

Per the syntax Igor posted, always run it to simulate the actual traffic as initiated from the end user (192.168.100.25 in your case).

The utility will use its built in logic to check the reverse path automatically.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎07-16-2015 12:55 PM

issue was with routing.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-16-2015 07:35 PM

Mahesh,

Glad you got it resolved, thank for the ratings.

packet-tracer is your friend on the ASA. After seeing the TAC run it time and again during my time learning the platform, I decided they might know a thing or two and put it on my short list of go-to tools as well.

0 Helpful

Go to solution
Igor Mordiuk
Level 1
Level 1
In response to mahesh18

‎07-16-2015 07:15 AM

Example:

 

packet-tracer input X_int_name tcp 192.168.100.25  PCSource_port 172.31.50.55 dst_port detailed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card