05-08-2017 03:04 AM
I connect to the ASA via Cisco AnyConnect Client version 4.x; this connection goes to the outside interface. I can't connect to the e-mail server, which is in the DMZ. Second, there is a connection via a VPN tunnel; the tunnel ends on a router, and the connection from the ASA to this router is on the outside interface. In both cases I get this same error (rpf-violated reverse-path verify failed on ASA 5525-X).
05-08-2017 04:09 AM
Hi,
I didn't understand the exact routing, but RPF failures mean that the traffic is received from a source IP on a source interface which it shouldn't come from.
For example, if your ASA has an inside interface and has a route for 10.0.0.0/8 exiting the inside interface, and later you receive a SYN packet from 10.0.0.1 on the outside interface, the ASA will drop the packet because it isn't expecting traffic from 10.0.0.1 on outside. It should be on inside.
In summary, check the routing and NAT rules in the ASA and make sure that nothing is wrong from that aspect.
05-08-2017 06:10 AM
on ASA:
inside net: 10.0.0.0/16
dmz net: 10.50.0.0/24
outside net: public IP
anyconnect client: 10.0.52.0/24
VPN site-to-site -> on my router, which is connected with the ASA via the outside interface
branch office net: 10.1.0.0/16
I have a connection from AnyConnect to the branch office.
NAT
nat (inside,outside) source static 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 destination static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 no-proxy-arp route-lookup
maybe I must add this NAT rule:
nat (outside,outside) source static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 destination static 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 no-proxy-arp route-lookup
The same problem occurs when I connect from AnyConnect to the DMZ:
NAT
nat (dmz,outside) source static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 destination static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 no-proxy-arp route-lookup
maybe I must add this NAT rule:
nat (outside,dmz) source static 10.0.52.0 255.255.255.0 10.0.52.0 255.255.255.0 destination static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 no-proxy-arp route-lookup
Is this correct?
05-08-2017 07:22 AM
Hello,
Let's talk about one thing at a time. The first issue is that your AnyConnect client (subnet 10.0.52.0/24) is not able to reach the DMZ, and below are your networks:
inside net: 10.0.0.0/16
dmz net: 10.50.0.0/24
outside net: public IP
Part of the problem is that you have overlapping subnets - the AnyConnect pool subnet is already a part of the inside subnet. The ASA does a reverse route check and finds that subnet is part of the inside subnet even though the traffic came from outside (AnyConnect pool).
The best way to fix it would be to recreate the AnyConnect pool on a unique subnet, and that would work. All you have to do is make sure the routing works for that subnet.
If you can't change that subnet, try disabling the reverse route check feature on the ASA (not recommended) and that might work.
Once this issue is fixed, we can then move to site-to-site tunnel.
HTH
-AJ
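The reverse-path check AJ describes, modelled as an added example (not Cisco's code or anything from the thread): the ASA looks up the packet's source address in its routing table and drops the packet when the matching route does not point out the interface the packet arrived on. The routing table below is constructed from the networks in the thread and assumes only connected routes plus a default route on outside.

```python
"""Model of the ASA reverse-path forwarding (RPF) check discussed in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table assumed from the thread's networks: connected
# routes for inside and dmz, and a default route pointing out of outside.
ASA_ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/16"), "inside"),
    Route(ipaddress.ip_network("10.50.0.0/24"), "dmz"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def lookup(routes, ip):
    """Longest-prefix match, the way a routing table selects a route."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_check(routes, src_ip, ingress):
    """Return (passes, reason) for a packet from src_ip entering on ingress."""
    route = lookup(routes, src_ip)
    if route is None:
        return False, f"no route for {src_ip}"
    if route.interface != ingress:
        # This is the condition behind "rpf-violated reverse-path verify failed".
        return False, (f"rpf-violated: {src_ip} matches {route.prefix} via "
                       f"{route.interface}, but arrived on {ingress}")
    return True, f"ok: {src_ip} is expected on {route.interface}"


if __name__ == "__main__":
    # Overlapping pool: 10.0.52.0/24 falls inside 10.0.0.0/16, which routes to inside.
    print(rpf_check(ASA_ROUTES, "10.0.52.10", "outside"))
    # Re-addressed pool: 10.52.0.0/24 only matches the default route, via outside.
    print(rpf_check(ASA_ROUTES, "10.52.0.10", "outside"))
    # Branch office 10.1.0.0/16 behind the router reached through outside.
    print(rpf_check(ASA_ROUTES, "10.1.0.10", "outside"))
```

Because the lookup is longest-prefix, a more specific route for the pool pointing at outside would also let the overlapping pool pass; the thread's fix of picking a unique pool avoids having to rely on that.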
05-08-2017 07:53 AM
I think that the problem is overlapping subnets.
I change this:
inside net: 10.0.0.0/16
dmz net: 10.50.0.0/24
outside net: public IP
anyconnect client: 10.0.52.0/24
to (for example):
inside net: 10.0.0.0/16
dmz net: 10.50.0.0/24
outside net: public IP
anyconnect client: 10.52.0.0/24
Next, what do you think about these:
VPN site-to-site -> on my router, which is connected with the ASA via the outside interface
branch office net: 10.1.0.0/16
I have a connection from AnyConnect to the branch office.
NAT
nat (inside,outside) source static 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0 destination static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 no-proxy-arp route-lookup
maybe I must add this NAT rule:
nat (outside,outside) source static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 destination static 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 no-proxy-arp route-lookup
The same problem occurs when I connect from AnyConnect to the DMZ:
NAT
nat (dmz,outside) source static 10.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0 destination static 10.52.0.0 255.255.255.0 10.52.0.0 255.255.255.0 no-proxy-arp route-lookup
Is this correct?
05-08-2017 08:11 AM
As I said, you are mixing things up. Please clearly state what you require. Please add bullet points with your requirements. The way you are doing it right now, I don't understand. You have 2 separate requirements: one for AnyConnect and another for the site-to-site VPN. Please confirm whether AnyConnect is fixed and, if yes, then move on to the site-to-site VPN.
Do you need communication between the AnyConnect client (10.52.0.0/24) and the VPN subnet behind the router (10.1.1.0/16)?
-AJ
02-28-2019 06:25 AM - edited 02-28-2019 06:26 AM
Thanks!! Helped me solve an issue :)
R
03-27-2018 02:54 AM - edited 03-27-2018 03:21 AM
Thanks, it helped with a similar issue.