Cisco Support Community
New Member

Incoming Services Failed when enabling ip verify reverse-path

Hi Guys,

Currently we are running one ISP through which all incoming and outgoing traffic goes; let's call it ISP1.

We have this VC network whose traffic is very low, and we were thinking of shifting the web services' incoming traffic to it; let's call it ISP2.

I created a test web server for testing.

Things I have done for the test environment:

1. Created a new interface (outside2) for ISP1

2. Created an ACL to allow the test web server's HTTP port

3. Created a static NAT for the test web server

4. Added a static route on the outside2 interface to ISP2

Attached is the simple diagram that I have created.

Everything worked fine until I enabled "ip verify reverse-path outside2". The test web server could no longer be accessed from outside. But when I turned the feature off, it was accessible again.

My question is: why does this happen? Is there a particular setting I need to take note of or change in order to use reverse-path?

Any advice is very helpful.

3 REPLIES
Cisco Employee

Incoming Services Failed when enabling ip verify reverse-path

Not too sure how it works, as you can't have 2 default gateways configured on an ASA.

And when you enabled "ip verify reverse-path", since you have 2 outside interfaces with a 0.0.0.0 route, it can't really check the source subnet against the routing table, as you have 2 different interfaces with the same route.

New Member

Incoming Services Failed when enabling ip verify reverse-path

Hi Jennifer,

Thanks for the clarification, but the routes we set are based on interface. Example:

route outside 0.0.0.0 0.0.0.0 203.1.1.1

route outside2 0.0.0.0 0.0.0.0 203.2.1.1

Will they conflict with each other too?

Cisco Employee (Accepted Solution)

Incoming Services Failed when enabling ip verify reverse-path

Correct, having 2 default routes on the ASA towards 2 different interfaces is not a supported configuration.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007

Quoted from the doc:

If you attempt to define more than three equal cost default routes or a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes." 
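The two mechanisms the replies describe, as an added example that is not part of the thread and not Cisco code: a small Python model of (1) the ASA default-route rule quoted from the configuration guide (all default routes must share one egress interface, at most three equal-cost default routes, otherwise "ERROR: Cannot add route entry, possible conflict with existing routes.") and (2) strict reverse-path forwarding as "ip verify reverse-path" performs it, which looks up the packet's source address in the routing table and drops the packet unless the best route points back out the interface the packet arrived on. The outside/outside2 route commands are the ones posted above; the inside subnet (10.1.1.0/24), the server next hop and the Internet client address 198.51.100.7 are constructed assumptions for the demonstration.

```python
"""Model of ASA default-route installation and strict uRPF (added example)."""
import ipaddress


class RouteConflict(ValueError):
    """Models the ASA's refusal to install a conflicting route."""


class RoutingTable:
    # The configuration guide allows up to three equal-cost default routes.
    MAX_EQUAL_COST_DEFAULTS = 3

    def __init__(self):
        # Each entry: (network, egress interface name, next hop)
        self.routes = []

    def add(self, route_cmd):
        """Install an ASA-style 'route <ifname> <network> <mask> <gateway> [metric]'."""
        parts = route_cmd.split()
        if len(parts) < 5 or parts[0] != "route":
            raise ValueError(f"unsupported command: {route_cmd!r}")
        ifname, net, mask, gateway = parts[1:5]
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if network.prefixlen == 0:  # a default route
            defaults = [r for r in self.routes if r[0].prefixlen == 0]
            other_interface = any(r[1] != ifname for r in defaults)
            if other_interface or len(defaults) >= self.MAX_EQUAL_COST_DEFAULTS:
                raise RouteConflict(
                    "ERROR: Cannot add route entry, possible conflict with existing routes."
                )
        self.routes.append((network, ifname, ipaddress.ip_address(gateway)))

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface name or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for network, ifname, _gateway in self.routes:
            if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, ifname)
        return best[1] if best else None


def urpf_check(table, ingress_if, src_ip):
    """Strict uRPF: accept only if the reverse path to src_ip leaves via ingress_if."""
    return table.lookup(src_ip) == ingress_if


def build_test_topology():
    """Replays the thread's routes. Returns (table, whether the outside2 default was installed)."""
    table = RoutingTable()
    table.add("route inside 10.1.1.0 255.255.255.0 10.1.1.254")  # assumed server subnet
    table.add("route outside 0.0.0.0 0.0.0.0 203.1.1.1")          # ISP1, from the thread
    try:
        table.add("route outside2 0.0.0.0 0.0.0.0 203.2.1.1")     # ISP2, from the thread
        installed = True
    except RouteConflict:
        installed = False
    return table, installed


if __name__ == "__main__":
    table, installed = build_test_topology()
    client = "198.51.100.7"  # constructed Internet client address (TEST-NET-2)
    print("outside2 default route installed:", installed)
    for ingress in ("outside", "outside2"):
        verdict = "pass" if urpf_check(table, ingress, client) else "DROP (reverse-path fail)"
        print(f"HTTP from {client} arriving on {ingress}: {verdict}")
    # Only a route for the client's prefix that points out outside2 makes the
    # strict check pass there; this shows the mechanism, it is not a recommendation.
    table.add("route outside2 198.51.100.0 255.255.255.0 203.2.1.1")
    print("after specific route via outside2:", urpf_check(table, "outside2", client))
```

Running the script shows the second default route being rejected, the client's source address resolving to `outside` only, and therefore every packet that arrives on `outside2` failing the reverse-path check while the same packet arriving on `outside` passes. The model deliberately leaves out ECMP hashing, NAT and connection state; it only captures the source-address lookup that the check is built on.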