Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

management traffic blocked cause of reverse-path check

Hi all,

i have a problem with "ip verify reverse-path interface inside".

We have a very restricted admin-network, where we have the admin-interfaces of several servers, firewalls and other networkstuff. The perimeter firewall to the outside (asa5580 8.2) has also the management-interface (management-only) in this admin-network. When we than have sometimes traffic from these admin-network via another firewalll through the perimeter firewall, the traffic is blocked cause of reverse-path check.

The perimeter firewall has an interface in the admin-network and is getting those traffic on the inside interface. This traffic is blocked althrough the management-interface is management-only. Of cause i could make the perimeter firewall the admin-network firewall, but i don't like that, because our admin-network is special secured and a separate physikal infrastructure.

Is there a possibility to selectivly disable the reverse check for the admin-network or to ignore the hole managment-interface for all the routing stuff?




Internet ------ Firewall ------------- inside

                   T                      |

                   |        switches|otherfirewalls|server

                   |           T          T           T


tnx Joerg Vreemann


Re: management traffic blocked cause of reverse-path check

Joerg ,

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.

You can disable RPF on specfic interface if you like. Also you can route all management traffic via the management interface on the ASA if you like.

Community Member

Re: management traffic blocked cause of reverse-path check

Hi francisco_1,

i my case hits traffic from the admin-network the inside interface and is dropped, because the firewall expects these traffic on the management-interface.

I don't want to disable RPF on the inside interface, because i would loose a important security feature.

I also don't want to make the perimeter-firewall the default gateway for these admin-network, because the admin-network is in a highly secured zone behind two other firewalls.

greetings Joerg

CreatePlease to create content