Solved: ASA active/standby cluster dropping its own failover packets due to uRPF

Max-Morten Conrad · ‎04-06-2020

Hi forums,

I recently discovered a strange phenomenon on one of our managed ASAs that I couldn't quite figure out.

* Hardware: 2xASA5545 running AS OS 9.8(3)29

* uRPF ist enabled via 'ip verify reverse-path interface <if>'

* cluster protocol packets are being dropped due to "Deny SCPS reverse path check from <stby-ip> to <active-ip> on interface <if>", ping packets from one node to the other are dropped for the same reason

Why does 'ip verify reverse-path' lead to this behaviour? The interface IP adresses are in a network connected to the ASAs (naturally), which correctly shows up in 'show route' output as directly connected.

Thanks a lot and best regards

Cristian Matei · ‎04-06-2020

Hi,

I remember meeting with this behaviour couple of times some years ago, it was a bug. See it hits again and most probably affects you as well, see here.

Regards,

Cristian Matei.

View solution in original post

Cristian Matei · ‎04-06-2020

Hi,

I remember meeting with this behaviour couple of times some years ago, it was a bug. See it hits again and most probably affects you as well, see here.

Regards,

Cristian Matei.

Max-Morten Conrad · ‎04-06-2020

Makes sense - we indeed seem to be affected by this bug.

Thanks a lot.