Deny TCP reverse path check

Unanswered Question
Aug 2nd, 2007

Hi, I get the following message from PIX ver 7.0:

PIX-1-106021: Deny TCP reverse path check from to on interface dmz

106021: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

But additionally, we have a virtual IP with NetScaler in the DMZ; then we do http://virtual ip address, from , and the physical server IP is . How do I fix or disable Unicast Reverse Path Forwarding? If it is disabled, what happens?



srue Thu, 08/02/2007 - 14:40

Look for the following command in your config:

ip verify reverse-path interface ....

Although it'd be best to figure out what was causing the log message. Basically the message means the dmz interface received a packet with the source address matching a known inside network address.

Thu, 08/02/2007 - 15:24


Because of this issue, people cannot access the web server with the virtual address.

What would be impacted if I disable ip verify reverse-path?


srue Thu, 08/02/2007 - 19:55

It's intended as a security feature to prevent address spoofing.

There should be no impact if you disable it.

sonybabu2k1 Tue, 09/27/2011 - 00:10


Try adding a static route to the source IP towards the interface through which it comes, so that a route is present for that IP.


vipulagrawal Fri, 09/07/2012 - 00:57


Need serious help with this antispoofing issue:

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302013: Built inbound TCP connection 25447904 for IP-PBX-WAN: (  to Mitel-Front: (

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302014: Teardown TCP connection 25447903 for IP-PBX-WAN: to  Mitel-Front: duration 0:00:00 bytes 6845 TCP FINs

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from to on interface Corp-WAN

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from to on interface Corp-WAN

These are the logs of my WAN firewall. The problem here is that traffic originating from , when hitting , is getting denied, while hitting any other destination is allowed.

I think "ip verify reverse-path" checks whether the source IP is coming from the correct interface or not; here it is coming from IP-PBX-WAN for all other traffic, but why not for ?

Please suggest.

oszkari Sun, 09/09/2012 - 10:22

"ip verify reverse-path" checks two things:

1. Is a route present for that specific source?

2. Is the packet coming in on the right interface?

I would suggest checking the routing to exclude possible asymmetric routing issues. If everything looks alright, then it might be a real spoofing attack.
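The two checks described in the reply above, and the static-route remediation suggested earlier in the thread, modelled in Python. This is an added example, not Cisco code and not the firewall's actual implementation: the routing table, the interface names (outside/inside/dmz), the addresses and the 106021 log lines are all constructed for illustration, and the script only reproduces the strict reverse-path rule the thread describes (the route back to the source must point out the interface the packet arrived on).

```python
"""Model of the strict Unicast RPF check that `ip verify reverse-path
interface <name>` enables on PIX/ASA, as described in this thread.
Added example, not Cisco code: the routing table, interface names,
addresses and log lines are all constructed for illustration."""
import ipaddress
import re

# Constructed routing table: (prefix, interface the route points out of).
# Longest prefix wins, as on the firewall, so order does not matter.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("192.0.2.0/24", "dmz"),
]


def lookup(routes, addr):
    """Longest-prefix match for addr; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(routes, src, ingress):
    """Strict uRPF on one packet: the route back to the source address must
    point out the interface the packet arrived on.  Returns (allowed, reason)."""
    via = lookup(routes, src)
    if via is None:
        return False, "no route to source"
    if via != ingress:
        return False, f"route to source points to {via}, packet arrived on {ingress}"
    return True, "ok"


def with_static_route(routes, host, iface):
    """The remediation suggested in the thread: a host route for the source
    out of the interface it really arrives on
    (ASA: `route <iface> <host> 255.255.255.255 <next-hop>`)."""
    return routes + [(f"{host}/32", iface)]


# Constructed syslog lines in the 106021 format quoted in this thread
# (addresses invented; the real lines above had theirs stripped).
LOG_RE = re.compile(
    r"%(?:PIX|ASA)-1-106021: Deny (?P<proto>\w+) reverse path check "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)
SAMPLE_LOGS = [
    "%ASA-1-106021: Deny TCP reverse path check from 10.1.5.20 to 192.0.2.10 on interface dmz",
    "%ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 192.0.2.10 on interface dmz",
]


def explain_denials(routes, lines):
    """Re-run the check for each logged denial so the routing cause is visible.
    Returns a list of (src, ingress, reason)."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            _, reason = rpf_check(routes, m["src"], m["iface"])
            out.append((m["src"], m["iface"], reason))
    return out


if __name__ == "__main__":
    for src, iface, reason in explain_denials(ROUTES, SAMPLE_LOGS):
        print(f"{src} on {iface}: {reason}")
    # 10.1.5.20 is routed via 'inside' but was seen on 'dmz' (the NetScaler
    # case in the thread); a host route out of 'dmz' makes the check pass.
    fixed = with_static_route(ROUTES, "10.1.5.20", "dmz")
    print(rpf_check(fixed, "10.1.5.20", "dmz"))
    # 203.0.113.7 still fails: its route is the default via 'outside', not 'dmz'.
    print(rpf_check(fixed, "203.0.113.7", "dmz"))
```

Two points the model makes visible: the host route only clears the denial when that source genuinely enters through that interface (otherwise you have just told the firewall to trust an asymmetric path), and a denial whose source resolves to a completely different interface, as with 203.0.113.7 arriving on dmz here, is the case the reply above calls a possible real spoofing attack. Turning the check off with `no ip verify reverse-path interface dmz` removes the anti-spoofing protection for every packet on that interface, not just the one flow that is failing.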


