02-01-2016 04:21 AM - edited 03-12-2019 12:13 AM
All,
I am getting the following error message on my firewall:
1 Feb 01 2016 12:19:36 106021 1.1.1.1 2.2.2.2 Deny ICMP reverse path check from 1.1.1.1 to 2.2.2.2 on interface INTERFACE
I am struggling to see anything obvious at fault. I have access lists that permit the traffic; however, I don't think that is the issue, as there is no deny error.
Any ideas how I can begin to troubleshoot this?
D
02-01-2016 04:28 AM
This happens when the route for 1.1.1.1 is not via INTERFACE.
02-01-2016 06:35 AM
Hi,
In this example, the route to 1.1.1.1 should not be via 'INTERFACE'. 'INTERFACE' is actually where 2.2.2.2 is directly connected downstream on a distribution switch.
The route to 1.1.1.1 should be via the OUTSIDE interface, and there is a default route for this in place.
Any ideas? I'm a bit confused!
D
02-01-2016 11:24 AM
I don't think I can work this out without seeing the output of "show route" and knowing the actual IP addresses reported in the error.
02-02-2016 02:45 AM
This was down to the network in question having the wrong subnet mask (/24 instead of a /25) and as a result being advertised via the wrong interface! Once the network was advertised with the /25 mask by our MPLS provider, everything worked fine.
Thanks for the help.
D
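Added example, not part of the thread and not Cisco code: a small model of a strict reverse path check driven by longest-prefix match, showing how a prefix advertised as /24 instead of /25 pulls the return route for half the addresses onto the wrong interface. The prefixes (documentation range 198.51.100.0/24) and the interface names `outside` and `mpls` are constructed for illustration and are not the poster's topology.

```python
import ipaddress

def table(entries):
    """Build a routing table from (prefix, egress interface) pairs."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in entries]

def best_route(routes, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, ifc) for net, ifc in routes if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def rpf_permits(routes, src, ingress):
    """Strict reverse path check: the best route back to src must leave
    through the interface the packet arrived on."""
    hit = best_route(routes, src)
    return hit is not None and hit[1] == ingress

# Constructed tables (documentation prefix, hypothetical interface names).
# Assumption: only the lower /25 really sits behind "mpls"; every other
# address is reached through the default route on "outside".
WRONG_MASK = table([("0.0.0.0/0", "outside"), ("198.51.100.0/24", "mpls")])
RIGHT_MASK = table([("0.0.0.0/0", "outside"), ("198.51.100.0/25", "mpls")])

def report(routes, src, ingress):
    """One-line summary of the route lookup and the resulting verdict."""
    net, ifc = best_route(routes, src)
    ok = rpf_permits(routes, src, ingress)
    verdict = "permit" if ok else "deny (reverse path check)"
    return f"{src} in on {ingress}: best route {net} via {ifc} -> {verdict}"

if __name__ == "__main__":
    cases = (("/24 advertised", WRONG_MASK), ("/25 advertised", RIGHT_MASK))
    for name, routes in cases:
        print(name)
        # Host in the upper half, arriving from outside.
        print("  " + report(routes, "198.51.100.200", "outside"))
        # Host in the lower half, arriving from the MPLS side.
        print("  " + report(routes, "198.51.100.10", "mpls"))
```

On a real device the equivalent check is comparing the "show route" entry that covers the denied source address with the interface named in the 106021 message.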