Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4426
Views
0
Helpful
5
Replies

ASA - Deny TCP reverse path. WHY ????

gianluca811
Level 1
Level 1

‎05-13-2016 03:02 AM - edited ‎03-12-2019 12:44 AM

Hi,

on my asa ASA5540 I have the following error:

1    May 13 2016    11:19:07    106021    10.168.101.100        232.239.122.219        Deny TCP reverse path check from 10.168.101.100 to 232.239.122.219 on interface Outside

The source 10.168.101.100 is directly connected, the destination has the following static route:

route Outside 232.239.122.192 255.255.255.224 10.168.201.1 1

ASA5540#show route

C    10.168.101.100 255.255.254.0 is directly connected, Inside
S    232.239.122.192 255.255.255.224 [1/0] via 10.168.201.1, Outside

I made a capture on the source and destination interface filtering the destination 232.239.122.219:

   1: 11:19:06.784581       802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745899726 0,nop,wscale 7>
   2: 11:19:07.783879       802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745900726 0,nop,wscale 7>
   3: 11:19:09.784047       802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745902726 0,nop,wscale 7>

What is wrong ?

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎05-13-2016 05:39 AM

The router with the IP 10.168.201.1 could have a route for 232.239.122.192/24 back to your firewall.

0 Helpful

gianluca811
Level 1
Level 1
In response to Karsten Iwen

‎05-13-2016 05:42 AM

yes it has a route back to Outside Interface on my firewall.

For this I cannot understand why this error

0 Helpful

Karsten Iwen
VIP
VIP
In response to gianluca811

‎05-13-2016 05:59 AM

  1. The initial packet came from your internal network. 10.168.101.100 has a network-location that is not outside of your firewall.
  2. The router routes the packet back to your firewall. There it arrives with a source-address of 10.168.101.100 on the outside interface. Based on the routing-table this packet is spoofed as the location of 10.168.101.100 is inside.
0 Helpful

gianluca811
Level 1
Level 1
In response to Karsten Iwen

‎05-13-2016 06:15 AM

you're right.

checking routing!!!

0 Helpful

gianluca811
Level 1
Level 1
In response to Karsten Iwen

‎05-13-2016 07:36 AM

found the routing problem. as described from you was like a "loop"

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card