rpf-violated reverse-path verify failed on ASA 5525-x

I connect to the ASA via the Cisco AnyConnect Client version 4.x; this connection terminates on the outside interface. I cannot connect to the e-mail server, which is in the DMZ. Second, when connecting via the VPN tunnel, the tunnel terminates on a router, and the connection from the ASA to this router is on the outside interface. In both cases I get the same error (rpf-violated reverse-path verify failed on ASA 5525-x).

7 Replies

Hi,

I didn't understand the exact routing, but RPF failures mean that the traffic is received from a source IP on a source interface which it shouldn't come from.

For example, if your ASA has an inside interface and has a route for 10.0.0.0/8 exiting the inside interface, and later you receive a SYN packet from 10.0.0.1 on the outside interface, the ASA will drop the packet because it isn't expecting traffic from 10.0.0.1 on outside. It should be on inside.

In summary, check the routing and NAT rules on the ASA and make sure that nothing is wrong from that aspect.

on ASA:

inside net: 10.0.0.0/16

dmz net: 10.50.0.0/24

outside net: public IP

anyconnect client: 10.0.52.0/24

VPN site-to-site -> on my router, which is connected to the ASA via the outside interface

branch office net: 10.1.0.0/16

I connect from AnyConnect to the branch office.

NAT

nat (inside,outside) source static 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 destination static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 no-proxy-arp route-lookup

Maybe I must add this NAT rule:

nat (outside,outside) source static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 destination static 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 no-proxy-arp route-lookup

The same problem occurs when I connect from AnyConnect to the DMZ:

NAT

nat (dmz,outside) source static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 destination static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 no-proxy-arp route-lookup

Maybe I must add this NAT rule:

nat (outside,dmz) source static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 destination static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 no-proxy-arp route-lookup

Is this correct?

Hello,

Let's talk about one thing at a time. The first issue is that your AnyConnect client (subnet 10.0.52.0/24) is not able to reach the DMZ, and below are your networks:

inside net: 10.0.0.0/16

dmz net: 10.50.0.0/24

outside net: public IP

Part of the problem is that you have overlapping subnets - the AnyConnect pool subnet is already a part of the inside subnet. The ASA does a reverse route check and finds that subnet part of the inside subnet even though the traffic came from outside (AnyConnect pool).

The best way to fix it would be to recreate the anyconnect pool to a unique subnet and that would work. All you have to do is to make sure the routing works for that subnet.

If you can't change that subnet, try to disable reverse route check feature on ASA(not recommended) and that might work. 

Once this issue is fixed, we can then move to site-to-site tunnel.

HTH

-AJ
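An added example, not part of this thread, that models the reverse-path check AJ describes: the ASA looks up the packet's source IP in its routing table and drops the packet if the best route does not point out of the interface the packet arrived on. The routing table below is a constructed one based on the networks posted in the thread, with an assumed default route via outside.

```python
import ipaddress

# Constructed routing table modelled on the thread (prefix, egress interface).
# The default route via outside is an assumption, not stated in the thread.
ROUTES = [
    ("10.0.0.0/16", "inside"),
    ("10.50.0.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]

def lookup(routes, ip):
    """Longest-prefix match: the interface the ASA would use to reach ip."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(routes, src_ip, ingress_iface):
    """Reverse-path check as described in the thread: the packet passes only if
    the route back to its source IP points out of the interface it arrived on.
    Returns (passed, interface the ASA expected the source on)."""
    expected = lookup(routes, src_ip)
    return expected == ingress_iface, expected

def overlaps(pool, routes):
    """List the connected/static prefixes that a VPN pool overlaps with."""
    pool_net = ipaddress.ip_network(pool)
    return [prefix for prefix, _ in routes
            if prefix != "0.0.0.0/0"
            and ipaddress.ip_network(prefix).overlaps(pool_net)]

if __name__ == "__main__":
    # Original pool: inside 10.0.0.0/16 already covers 10.0.52.0/24, so a
    # client packet arriving on outside fails RPF (expected on inside).
    print(overlaps("10.0.52.0/24", ROUTES), rpf_check(ROUTES, "10.0.52.10", "outside"))
    # Pool moved to the non-overlapping 10.52.0.0/24 as proposed in the thread:
    # only the default route matches, which points to outside, so RPF passes.
    print(overlaps("10.52.0.0/24", ROUTES), rpf_check(ROUTES, "10.52.0.10", "outside"))
```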

I think the problem is overlapping subnets.

I am changing this:

inside net: 10.0.0.0/16

dmz net: 10.50.0.0/24

outside net: public IP

anyconnect client: 10.0.52.0/24

to (for example):

inside net: 10.0.0.0/16

dmz net: 10.50.0.0/24

outside net: public IP

anyconnect client: 10.52.0.0/24

Next, what do you think about these:

VPN site-to-site -> on my router, which is connected to the ASA via the outside interface

branch office net: 10.1.0.0/16

I connect from AnyConnect to the branch office.

NAT

nat (inside,outside) source static 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0 destination static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 no-proxy-arp route-lookup

Maybe I must add this NAT rule:

nat (outside,outside) source static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 destination static 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 no-proxy-arp route-lookup

The same problem occurs when I connect from AnyConnect to the DMZ:

NAT

nat (dmz,outside) source static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 destination static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 no-proxy-arp route-lookup

Is this correct?

As I said, you are mixing stuff. Please clearly state what you require. Please add bullet points and add your requirements. The way you are doing right now, I don't understand. You have 2 separate requirements of anyconnect and another as site-to-site vpn. Please confirm if anyconnect is fixed and if yes, then move on to site-to-site vpn.

Do you need communication between the AnyConnect client (10.52.0.0/24) and the VPN subnet behind the router (10.1.1.0/16)?

-AJ

Thanks!! Helped me solve an issue :)

R

Thanks, it helped with a similar issue
