Query on Deny TCP Reverse path check

Aug 6th, 2010

Hi halijenn / NT / Magnus

I have a query on "Deny TCP Reverse path check". Logical interfaces are configured on the firewall, of which the physical interface Gig0/0 is not assigned any "nameif". The logical interface Gig0/0.1 is the "inside" interface [sec level 100] and Gig0/0.2 [sec level 80] is "inside1", which is configured for assigning DHCP IP addresses as follows.

dhcpd address inside1
dhcpd enable inside1

User -> Access point -> Wireless switch -> ASA -> Internet

I am getting the error below, and the main issue is that I am not able to go to the internet for any http traffic [yahoo, google]; however I am able to go for https traffic. "ip verify reverse path" is already configured for the inside and outside interfaces. I can disable the "ip verify reverse path" command, however I am puzzled as to why it is happening only for port 80 traffic.

Aug 03 2010 16:07:28: %ASA-1-106021: Deny TCP reverse path check from to on interface inside

Aug 03 2010 16:07:28: %ASA-1-106021: Deny TCP reverse path check from to on interface inside

As we can see from the above syslogs, 10.111.27.X belongs to the inside1 interface; however the traffic is getting initiated from the inside interface and getting dropped. Also, this was working earlier and stopped working suddenly. Can you please guide me on how to proceed and what the probable reason could be?

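As an added example (not code from this thread or from Cisco), a small Python triage script for the %ASA-1-106021 message: it parses the drop lines, looks up which interface the ASA's routing table would expect each source address on, and counts the mismatches per source /24, which is the condition uRPF drops on. The interface subnets and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed interface table modelled on the thread: inside and inside1 are
# sub-interfaces of Gig0/0. The prefixes are assumptions, not from the thread.
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("10.111.26.0/24"),
    "inside1": ipaddress.ip_network("10.111.27.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}

# %ASA-1-106021 layout as shown in the thread, with addresses filled in. The
# message carries no ports, so port 80 vs 443 must come from a capture.
RPF_RE = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from "
    r"(?P<src>[0-9.]+) to (?P<dst>[0-9.]+) on interface (?P<ifc>\S+)"
)

def expected_interface(ip):
    """Interface the routing table points to for ip: longest connected prefix."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in INTERFACE_NETS.items() if addr in net]
    return max(hits)[1] if hits else None

def parse_rpf_drop(line):
    """Fields of one 106021 line plus the interface uRPF expected it on."""
    m = RPF_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["expected_ifc"] = expected_interface(rec["src"])
    rec["asymmetric"] = rec["expected_ifc"] not in (None, rec["ifc"])
    return rec

def summarize(lines):
    """Drop counts keyed by (source /24, interface hit, interface expected)."""
    counts = Counter()
    for rec in filter(None, map(parse_rpf_drop, lines)):
        src_net = ipaddress.ip_network(rec["src"] + "/24", strict=False)
        counts[(str(src_net), rec["ifc"], rec["expected_ifc"])] += 1
    return counts

# Constructed sample lines; the addresses are placeholders, not from the thread.
SAMPLE_LOG = [
    "Aug 03 2010 16:07:28: %ASA-1-106021: Deny TCP reverse path check from 10.111.27.15 to 198.51.100.80 on interface inside",
    "Aug 03 2010 16:07:28: %ASA-1-106021: Deny TCP reverse path check from 10.111.27.22 to 198.51.100.80 on interface inside",
    "Aug 03 2010 16:07:29: %ASA-6-302013: Built outbound TCP connection 7 for outside:198.51.100.80/443 (198.51.100.80/443) to inside1:10.111.27.15/51000 (203.0.113.2/51000)",
]
```

summarize(SAMPLE_LOG) returns a single entry showing 10.111.27.0/24 sources arriving on inside while the connected route points to inside1; the unrelated 302013 line is ignored.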
Nagaraja Thanthry Fri, 08/06/2010 - 07:09

Hello Ankur,

Can you please post the corresponding configurations here?



Magnus Mortensen Fri, 08/06/2010 - 20:14


You have DHCP enabled on the interface called 'inside1', but the syslogs indicate traffic is hitting interface 'inside'. What is the difference between 'inside' and 'inside1'? Why is traffic from hosts on the inside1 interface routing around and hitting 'inside'? Please double-check your routing.

- Magnus

ankurs2008 Sun, 08/08/2010 - 05:20

Hi Magnus / NT

Thanks for replying. inside is sec level 100 and inside1 is sec level 90. Also, traffic from inside is not routing around to inside1. If the routing had been incorrect, https traffic also should not have been able to traverse the correct interface (inside1). I have taken packet captures and the inside interface is showing the source MAC (as http traffic is trying to come in from there), which is different from the MAC I am getting for the traffic initiated on the https port (from inside1). Also, in the packet captures no traffic is coming from the DHCP subnet on inside1 for port 80, hence this concludes that the downstream device has something configured which is sending HTTP traffic to the incorrect VLAN (inside of the ASA). Please share your thoughts.

Kureli Sankar Sun, 08/08/2010 - 09:53


This is interesting. If it works for https, one would assume it will work for http as well...unless there is a route-map configured that clearly states for all traffic sourced from inside1 hosts destined to port 80 - set the next hop to the inside interface of the ASA. This is the only thing that I can think of that could cause this syslog message.

Aug 03 2010 16:07:28: %ASA-1-106021: Deny TCP reverse path check from to on interface inside
