8100 Views, 5 Helpful, 1 Replies

rpf-violated message

sfeldmansky
Level 1

I have a weird issue but I can't find a solution for it. I configured SSL VPN on the firewall and my goal was to allow VPN users access to two subnets (10.15.216.0/22 and 10.15.220.0/22). The internal interface of the firewall is attached to the 10.15.220.0 subnet. VPN clients will be assigned an IP address from the firewall IP pool, 10.15.200.0/24.

I already configured the appropriate access list:

access-list split_vpn_users standard permit 10.15.220.0 255.255.252.0
access-list split_vpn_users standard permit 10.15.216.0 255.255.252.0

VPN is working when I need to access devices on the 10.15.220.0 subnet, but I can't get to any devices on the 10.15.216.0 subnet. When I run packet-tracer I get the following result:

act# packet-tracer input inside icmp 10.15.200.2 8 0$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd793b4a0, priority=12, domain=capture, deny=false
        hits=621531641, user_data=0xd7bbe720, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7dc31d8, priority=1, domain=permit, deny=false
        hits=23451445222, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.15.216.0     255.255.252.0   inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

Any help in troubleshooting this issue would be greatly appreciated.

1 Reply

Hello,

I see. What is happening here is that you are defining the packet tracer to go from the AnyConnect client IP address (10.15.200.0/24), which should be on the "Outside" and not on the "Inside", towards the inside.

So the issues here are the following:

1. Make sure whether 10.15.216.0/24 resides behind the inside interface or behind another interface.

2. If yes, you should run the packet tracer from the Inside interface, or from the interface pertinent to the outside (the IP POOL of the clients), but from 10.15.216.0 to --> 10.15.200.0/24.

3. Make sure there is a NAT exemption from 10.15.216.0/24 to the IP POOL 10.15.200.0/24.

For example:

Pre 8.3:

access-list nonat permit ip 10.15.216.0 255.255.255.0 10.15.200.0 255.255.255.0
nat (inside) 0 access-list nonat

NAT 8.3:

object network obj-10.15.216.0
 subnet 10.15.216.0 255.255.255.0
object network obj-10.15.200.0
 subnet 10.15.200.0 255.255.255.0

nat (inside,outside) 1 source static obj-10.15.216.0 obj-10.15.216.0 destination static obj-10.15.200.0 obj-10.15.200.0 no-proxy-arp route-lookup

Let me know how it works out.

Please don't forget to rate, and mark the helpful post as correct.

Regards,

David Castro
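To make the drop reason in the trace concrete, here is an added Python model of the reverse-path check (example code written for this thread, not from the original post, the reply, or Cisco). It builds a routing table from the routes visible in Phases 3 and 4 of the OP's trace plus the inside interface's own 10.15.220.0/22, then does what packet-tracer does: a forward lookup on the destination and a reverse lookup on the source, failing the packet when the source's route does not point back out the ingress interface. The destination 10.15.216.10, the interface names "inside"/"outside", and the absence of a specific route for the 10.15.200.0/24 pool are assumptions; the last two cases in the script are the directions the reply recommends instead.

```python
import ipaddress

# Constructed routing table modelled on the thread (assumption): 10.15.216.0/22 is
# reachable via "inside" (Phase 3 of the OP's trace), 10.15.220.0/22 is the inside
# interface's connected subnet (OP's description), and everything else, including
# the VPN pool 10.15.200.0/24 which has no specific route here, hits the default
# route via "outside" (Phase 4 of the trace).
ROUTES = [
    ("10.15.220.0/22", "inside"),
    ("10.15.216.0/22", "inside"),
    ("0.0.0.0/0", "outside"),
]

RPF_DROP = "(rpf-violated) Reverse-path verify failed"


def lookup(ip, routes=ROUTES):
    """Longest-prefix-match route lookup. Returns (network, egress_interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(src_ip, ingress_iface, routes=ROUTES):
    """Strict reverse-path check: the route back to the source must leave through
    the interface the packet arrived on. Returns (passed, explanation)."""
    match = lookup(src_ip, routes)
    if match is None:
        return False, f"no route back to {src_ip}"
    net, iface = match
    if iface == ingress_iface:
        return True, f"{src_ip} routes via {iface} ({net}), same as ingress"
    return False, (f"rpf-violated: {src_ip} arrived on {ingress_iface} "
                   f"but routes via {iface} ({net})")


def simulate_trace(src_ip, dst_ip, ingress_iface, routes=ROUTES):
    """Mimic the ROUTE-LOOKUP phases and the Result block of ASA packet-tracer:
    forward lookup on the destination, reverse lookup on the source, then verdict."""
    fwd = lookup(dst_ip, routes)
    rev = lookup(src_ip, routes)
    passed, why = rpf_check(src_ip, ingress_iface, routes)
    return {
        "input-interface": ingress_iface,
        "output-interface": fwd[1] if fwd else None,
        "forward-route": f"{fwd[0]} via {fwd[1]}" if fwd else None,
        "reverse-route": f"{rev[0]} via {rev[1]}" if rev else None,
        "Action": "allow" if passed else "drop",
        "Drop-reason": None if passed else RPF_DROP,
        "explanation": why,
    }


if __name__ == "__main__":
    cases = [
        # The OP's trace: a VPN-pool source injected on "inside" -> its reverse
        # path is the default route via "outside" -> rpf-violated.
        ("10.15.200.2", "10.15.216.10", "inside"),
        # Same flow entered on the interface the pool actually sits behind.
        ("10.15.200.2", "10.15.216.10", "outside"),
        # The direction the reply suggests: inside subnet towards the pool.
        ("10.15.216.10", "10.15.200.2", "inside"),
    ]
    for src, dst, ing in cases:
        v = simulate_trace(src, dst, ing)
        print(f"{src} -> {dst} in on {ing}: out={v['output-interface']} "
              f"Action={v['Action']} {v['Drop-reason'] or ''}")
        print(f"    {v['explanation']}")
```

The first case reproduces the OP's result (output-interface inside, Action drop, rpf-violated) purely from the routing table, which is the point of the reply: the verdict is not an ACL or VPN problem but the source address being presented on an interface it cannot be routed back through. Add a route for the pool via a different interface and the same source will pass or fail accordingly, which is the quickest way to sanity-check a real trace before touching NAT.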