cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1858
Views
0
Helpful
3
Replies

Incoming Services Failed when enabling ip verify reverse-path

Boon Keat Gan
Level 1
Level 1

Hi Guys,

Currently we are running one ISP which incoming and outgoing traffice will go throught the ISP, lets call it ISP1.

We have this VC network and the traffic are very low and we was thinking to shift the web services incoming traffice to this traffic, lets call it ISP2.

I created a test web server for testing.

Thing that i have done for the test environment:-

1. Create new interface (outside2) for ISP1

2. Create ACL to allowed the test web server http port

3. Create static NAT for the test web server

4. Static Route the outside2 interface to ISP2

Attach is the simple diagram that i has created.

Everything worked fine until I enabled the "ip verify reverse-path outside2". The test web no longer can access from outside. But when i turn the feature off, it was able to access again.

My question is why this will happen? Is there particular setting i need to take note or change in order to use the reverse-path?

Any advise are very helpful.

1 Accepted Solution

Accepted Solutions

Correct, having 2 default routes on ASA towards 2 different interfaces are not a supported configuration.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007

Quoted from the doc:

If you attempt to define more than three equal cost default routes or a  default route with a different interface than a previously defined  default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes." 

View solution in original post

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

Not too sure how it works as you can't have 2 default gateway configured on an ASA.

And when you enabled "ip verify reverse-path" since you have 2 outside interfaces with 0.0.0.0 route, then it can't really check against the routing table for the source subnet as you have 2 different interfaces with the same route.

Hi Jennifer,

Thanks for the clarification, but the route we set is based on interface. Example:-

route outside 0.0.0.0 0.0.0.0 203.1.1.1

route outside2 0.0.0.0 0.0.0.0 203.2.1.1

Will it conflict with each other too?

Correct, having 2 default routes on ASA towards 2 different interfaces are not a supported configuration.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007

Quoted from the doc:

If you attempt to define more than three equal cost default routes or a  default route with a different interface than a previously defined  default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes." 
Review Cisco Networking for a $25 gift card