RPF-Check on ASA 5520 8.0 code

Unanswered Question
Dec 28th, 2011
User Badges:
  • Silver, 250 points or more

Hey, I'm having an issue accessing a box via ssh which goes through an ASA. The proper security is in place, but while doing the packet-tracer I notice that it is failing on the rpf-check. The router does have a route back to the source ip address but it goes through a different interface than which it came in on. I cannot change this, because it would take down an important part of the network. Also, I know this sounds like a stupid question, but is there a way to see if the ASA is running CEF, because I don't think it is. From the looks of it, my only option is to turn off the rpc-check on the outside interface. Is there a way I can exclude a specific IP from having to match the RPF check? I saw where the command 'ip verify unicast reverse-path' will match equal cost paths back to the source ip address, but that's only for CEF enabled devices, from what I read in the ASA configuration guide.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Julio Carvajal Wed, 12/28/2011 - 22:51
User Badges:
  • Purple, 4500 points or more

Hello John Tyler,

As soon as you have the RPF check enabled you cannot exclude a specific ip address to do not be inspected based on this, so if that is a requirement you cannot have the RPF check enabled on that interface.

I think I have read that CEF is enabled by default, and there is a command to check it, I will look it for you.

Now just to let you know remember that the ASA statefully inspects the TCP protocol so if the packets are not taking the same way you might need to configure TCP-state bypass to allow this communication.

Anyway try it without the RPF and let me know the result.

Do rate helpful posts,


JohnTylerPearce Thu, 12/29/2011 - 09:28
User Badges:
  • Silver, 250 points or more

Im off for several days ill give that a try when I get back and let u know


This Discussion