Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28067
Views
10
Helpful
6
Replies

Deny TCP reverse path check

bma
Level 1
Level 1

‎08-02-2007 01:10 PM - edited ‎03-11-2019 03:52 AM

Hi I get following message from PIX ver 7.0:

PIX-1-106021: Deny TCP reverse path check from 192.168.0.150 to 192.168.0.250 on interface dmz

106021: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

but extraly, we have virtual ip with netscaler in the dmz, then do http://virtual ip address, from 192.168.0.150, phisical server ip is 192.168.0.250. How to fix or disable Unicast Reverse Path Forwarding? if disable, what is happend?

Thanks

ben

Labels:
0 Helpful
6 Replies 6

srue
Level 7
Level 7

‎08-02-2007 02:40 PM

look for the following command in your config:

ip verify reverse-path interface ....

Although, it'd be best to figure out what was causing the log message. Basically the message means the dmz interface received a packet with the source address matching a known inside network address.

bma
Level 1
Level 1
In response to srue

‎08-02-2007 03:24 PM

Thanks

Because issue, people cannot access web server with virtual address.

What should be impacted if disable ip verify reverse-path?

ben

0 Helpful

srue
Level 7
Level 7
In response to bma

‎08-02-2007 07:55 PM

its intended as a security feature to prevent address spoofing.

should be no impact if you disable it.

0 Helpful

sonybabu2k1
Level 1
Level 1

‎09-27-2011 12:10 AM

hi,

Try adding a static route to the source IP towards the interface through which it comes. so that a route is present for that IP.

Sony

0 Helpful

vipulagrawal
Level 1
Level 1
In response to sonybabu2k1

‎09-07-2012 12:57 AM

Guys,

Need a serious help for this antispoofing issue :

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302013: Built inbound TCP  connection 25447904 for IP-PBX-WAN:10.98.2.12/49383 (10.98.2.12/49383)  to Mitel-Front:172.20.128.5/7011 (172.20.128.5/7011)

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302014: Teardown TCP  connection 25447903 for IP-PBX-WAN:10.98.2.12/49382 to  Mitel-Front:172.20.128.5/7011 duration 0:00:00 bytes 6845 TCP FINs

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

These are the logs of my WAN firewall..Problem here is traffic originating from 10.98.2.12 when hitting to 172.40.0.1 is getting denied, while hitting to any other destination is allowed.

I think "ip verify reverse path" check the source IP is coming from correct interface or not, here it is coming from IP-PBX-WAN for all other traffic but why not for 172.40.0.1 ?

Please suggest.

oszkari
Level 1
Level 1
In response to vipulagrawal

‎09-09-2012 10:22 AM

"Ip verify reverse path" checks two things:

1. is a route present for that specific source?

2. is the packet  comming on the right interface?

I would suggest to check the routing to exclude possible assymetic routing issues. If everything looks alright then it might be a real spoofing attack.

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card